Minor changes recommended by coderabbitai.

CHANGELOG.md

@@ -5,9 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
 ### Added
 
-- passthrough-auth option to pass through auth info in MCP request headers to the API, as specified by the openapi spec.
+- CLI option `--passthrough-auth` to forward authentication headers from MCP requests to the downstream API, per the OpenAPI security scheme. Supports http (bearer/basic), apiKey (header/query/cookie), and OpenID Connect bearer tokens. Works for SSE and StreamableHTTP transports. Requires `@modelcontextprotocol/sdk` ^1.17.4.
+
 
 ## [3.2.0] - 2025-08-24
 

README.md

@@ -59,7 +59,7 @@ openapi-mcp-generator --input path/to/openapi.json --output path/to/output/dir -
 | `--port`             | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
 | `--default-include`  |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
 | `--force`            |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
-| `--passthrough-auth` |       | pass through auth info in MCP request headers to the API, as specified by the openapi spec.                                                    | `false`                           |
+| `--passthrough-auth` |       | Forward auth headers in MCP requests to the downstream API, as specified by the OpenAPI spec.                                                    | `false`                           |
 
 ## 📦 Programmatic API
 

src/types/index.ts

@@ -35,7 +35,7 @@ export interface CliOptions {
    * false = exclude by default unless x-mcp explicitly enables.
    */
   defaultInclude?: boolean;
-  /** Whether to pass through authentication headers to the API */
+  /** Whether to pass through authentication headers to the API. Defaults to false. */
   passthroughAuth?: boolean;
 }
 

src/utils/security.ts

@@ -274,7 +274,7 @@ export function generateExecuteApiToolFunction(
             
             // API Key security
             if (scheme?.type === 'apiKey') {
-                const apiKey = (process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,scheme.name.toLowerCase()));
+                const apiKey = process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] ?? getHeaderValue(sessionHeaders,scheme.name.toLowerCase());
                 if (apiKey) {
                     if (scheme.in === 'header') {
                         headers[scheme.name.toLowerCase()] = apiKey;