inspector icon indicating copy to clipboard operation
inspector copied to clipboard
verified publisher icon modelcontextprotocol

MCP Inspector Cannot Pass Custom Authentication Headers

Open lgacnik opened this issue 2 months ago • 0 comments

Inspector Version: 0.17.1

Describe the bug

MCP Inspector (CLI and Web UI) cannot pass custom authentication headers to MCP servers. Servers expecting credentials in custom headers (e.g., X-API-Credentials) never receive them, causing authentication failures.

To Reproduce

CLI Method

  1. Start MCP server expecting X-API-Credentials header:
python gmail_auth_test_server.py --transport streamable-http --port 8766 --host 0.0.0.0
  1. Server expects:
X-API-Credentials: {"auth_type":"oauth2","access_token":"<token>","token_type":"Bearer"}
  1. Run Inspector with --header flag:
npx @modelcontextprotocol/inspector@latest \
  --cli http://localhost:8766/mcp \
  --transport streamable-http \
  --header "Authorization: Bearer <valid-token>" \
  --method tools/call \
  --tool-name gmail_users_messages_list \
  --tool-arg userId=me
  1. Server logs show:
ERROR - Authentication failed: Missing or invalid X-API-Credentials header

Web UI Method

  1. Open Inspector: npx @modelcontextprotocol/inspector
  2. Configure:
    • Transport: Streamable HTTP
    • URL: http://localhost:8766/mcp
    • Add custom header: X-API-Credentials with JSON value
  3. Connect and call tool
  4. Same authentication failure

Expected behavior

Custom headers configured in Inspector should be forwarded to the MCP server. The --header flag should pass headers to the server, not just authenticate to the Inspector proxy.

Actual behavior

  • Server receives no X-API-Credentials header
  • Authentication fails
  • Both CLI and Web UI fail to pass custom headers

Environment

  • OS: Linux (Ubuntu/Debian)
  • Browser: Chrome/Firefox
  • Inspector Version: 0.17.1
  • Transport: Streamable HTTP
  • Server Framework: FastMCP 2.12.4 with Python

Additional context

Investigation findings

  1. Token is valid (verified with direct curl to Gmail API)
  2. Server works correctly with direct HTTP clients
  3. The --header flag appears to authenticate TO the Inspector proxy, not pass headers THROUGH to the server
  4. May be an architectural gap in MCP protocol for HTTP header authentication

Workarounds

  • Direct Python MCP client with full header control (works)
  • Hardcoding credentials in server (works but insecure)
  • Inspector CLI --header flag (fails)
  • Inspector Web UI custom headers (fails)

Question

Is there a supported way to pass custom authentication headers from Inspector to MCP servers over HTTP/SSE transports? If not, this is a significant testing limitation for authenticated MCP servers.

lgacnik avatar Oct 17 '25 22:10 lgacnik