
feat: Allow setting Authorization header from tool arguments #144


Open
wants to merge 2 commits into
base: main

stepolan

Closes #143

Description:

This PR enhances the _execute_api_tool method in fastapi_mcp/server.py to provide more flexibility for authenticating internal tool calls.

Problem:
Currently, _execute_api_tool primarily looks for an Authorization header in http_request_info.headers. This works well for external clients. However, for internal MCP clients (e.g., a backend service calling a tool via MCPClientSession), it's often more convenient to pass authentication tokens through the arguments of the call_tool request rather than reconstructing HTTP headers. If the token is passed only in the arguments, the tool execution would fail if the tool endpoint is protected.

Solution:
This change modifies _execute_api_tool to check the arguments dictionary for a user_access_token key if an Authorization header is not already present in http_request_info.headers or already set.

If user_access_token is found in the arguments:

  1. Its value is used to construct a Bearer token.
  2. This Bearer token is set as the Authorization header for the httpx.AsyncClient request made to the tool's endpoint.
  3. The user_access_token is removed from the arguments dictionary to prevent it from being unintentionally passed in the request body.

This approach maintains the priority of an explicitly passed Authorization header if one exists. It makes fastapi-mcp more adaptable for internal tool usage patterns where passing authentication details via arguments is preferred.

Changes:

  • Modified fastapi_mcp/server.py to include logic for extracting user_access_token from tool arguments and setting the Authorization header.
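
The header resolution described in this PR, sketched as an added example (not the PR's code and not fastapi-mcp's implementation). The function name `resolve_authorization` is hypothetical; stripping the token even when an explicit header takes priority, and rejecting tokens that contain whitespace or control characters, are assumptions of this sketch that go beyond the description above.

```python
from typing import Any, Dict, Mapping, Optional, Tuple

TOKEN_ARG = "user_access_token"  # argument key named in the PR description


def resolve_authorization(
    arguments: Mapping[str, Any],
    request_headers: Optional[Mapping[str, str]] = None,
) -> Tuple[Dict[str, str], Dict[str, Any]]:
    """Return (outbound_headers, cleaned_arguments); inputs are not mutated."""
    cleaned = dict(arguments)
    # Assumption of this sketch: strip the token unconditionally, so it cannot
    # leak into the query string or body even when an explicit header wins.
    token = cleaned.pop(TOKEN_ARG, None)

    # Header names are case-insensitive; an explicit header keeps priority.
    for name, value in (request_headers or {}).items():
        if name.lower() == "authorization":
            return {"Authorization": value}, cleaned

    if token is None:
        return {}, cleaned
    if not isinstance(token, str) or not token:
        raise ValueError(f"{TOKEN_ARG} must be a non-empty string")
    # Refuse whitespace and control characters so the value cannot split or
    # smuggle header lines when it is placed in the Authorization header.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        raise ValueError(f"{TOKEN_ARG} contains whitespace or control characters")
    return {"Authorization": f"Bearer {token}"}, cleaned


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(resolve_authorization({"item_id": 7, TOKEN_ARG: "tok-constructed"}))
    print(resolve_authorization({TOKEN_ARG: "ignored"}, {"authorization": "Bearer explicit"}))
```

Because the token arrives as an ordinary tool argument, anything that logs or traces `arguments` before this step will record it; the cleaned copy is the one to pass on and to log.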

Development

Successfully merging this pull request may close these issues.

Feature Request: Allow _execute_api_tool to source Authorization header from tool arguments for internal clients