From d3059af8d8acf807092dd053af34494d523cbb7c Mon Sep 17 00:00:00 2001
From: iwyrkore <iwyrkore@gmail.com>
Date: Tue, 26 Aug 2025 17:26:06 -0400
Subject: [PATCH] Minor changes recommended by coderabbitai.

---
 CHANGELOG.md          | 5 ++++-
 README.md             | 2 +-
 src/types/index.ts    | 2 +-
 src/utils/security.ts | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9408801..4368f0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,9 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
 ### Added
 
-- passthrough-auth option to pass through auth info in MCP request headers to the API, as specified by the openapi spec.
+- CLI option `--passthrough-auth` to forward authentication headers from MCP requests to the downstream API, per the OpenAPI security scheme. Supports http (bearer/basic), apiKey (header/query/cookie), and OpenID Connect bearer tokens. Works for SSE and StreamableHTTP transports. Requires `@modelcontextprotocol/sdk` ^1.17.4.
+
 
 ## [3.2.0] - 2025-08-24
 
diff --git a/README.md b/README.md
index b8e32f6..27da799 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ openapi-mcp-generator --input path/to/openapi.json --output path/to/output/dir -
 | `--port`             | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
 | `--default-include`  |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
 | `--force`            |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
-| `--passthrough-auth` |       | pass through auth info in MCP request headers to the API, as specified by the openapi spec.                                                    | `false`                           |
+| `--passthrough-auth` |       | Forward auth headers in MCP requests to the downstream API, as specified by the OpenAPI spec.                                                    | `false`                           |
 
 ## 📦 Programmatic API
 
diff --git a/src/types/index.ts b/src/types/index.ts
index 8a4826e..c4c8246 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -35,7 +35,7 @@ export interface CliOptions {
    * false = exclude by default unless x-mcp explicitly enables.
    */
   defaultInclude?: boolean;
-  /** Whether to pass through authentication headers to the API */
+  /** Whether to pass through authentication headers to the API. Defaults to false. */
   passthroughAuth?: boolean;
 }
 
diff --git a/src/utils/security.ts b/src/utils/security.ts
index 1964158..17003b1 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -274,7 +274,7 @@ export function generateExecuteApiToolFunction(
             
             // API Key security
             if (scheme?.type === 'apiKey') {
-                const apiKey = (process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,scheme.name.toLowerCase()));
+                const apiKey = process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] ?? getHeaderValue(sessionHeaders,scheme.name.toLowerCase());
                 if (apiKey) {
                     if (scheme.in === 'header') {
                         headers[scheme.name.toLowerCase()] = apiKey;