[Bug]: Fix Authorization header not being sent to configured MCP servers (#14422)

* test: test_mcp_server_config_auth_value_header_used

* fix: authentication_token

* docs: fix instructions on using responses api with MCPs

* mcp fixes

Author: ishaan-jaff

docs/my-website/docs/mcp.md

@@ -195,70 +195,155 @@ litellm_settings:
 
 ## Using your MCP
 
-<Tabs>
-<TabItem value="openai" label="OpenAI API">
+### Use on LiteLLM UI 
 
-#### Connect via OpenAI Responses API
+### Use with Responses API
 
-Use the OpenAI Responses API to connect to your LiteLLM MCP server:
+Replace `http://localhost:4000` with your LiteLLM Proxy base URL.
+
+<Tabs>
+<TabItem value="curl" label="cURL">
 
 ```bash title="cURL Example" showLineNumbers
-curl --location 'https://api.openai.com/v1/responses' \
+curl --location 'http://localhost:4000/v1/responses' \
 --header 'Content-Type: application/json' \
---header "Authorization: Bearer $OPENAI_API_KEY" \
+--header "Authorization: Bearer sk-1234" \
 --data '{
-    "model": "gpt-4o",
+    "model": "gpt-5",
+    "input": [
+    {
+      "role": "user",
+      "content": "give me TLDR of what BerriAI/litellm repo is about",
+      "type": "message"
+    }
+  ],
     "tools": [
         {
             "type": "mcp",
             "server_label": "litellm",
             "server_url": "litellm_proxy",
-            "require_approval": "never",
-            "headers": {
-                "x-litellm-api-key": "Bearer YOUR_LITELLM_API_KEY"
-            }
+            "require_approval": "never"
         }
     ],
-    "input": "Run available tools",
+    "stream": true,
     "tool_choice": "required"
 }'
 ```
 
 </TabItem>
+<TabItem value="python" label="Python SDK">
 
-<TabItem value="litellm" label="LiteLLM Proxy">
+```python title="Python SDK Example" showLineNumbers
+import openai
 
-#### Connect via LiteLLM Proxy Responses API
+client = openai.OpenAI(
+    api_key="sk-1234",
+    base_url="http://localhost:4000"
+)
 
-Use this when calling LiteLLM Proxy for LLM API requests to `/v1/responses` endpoint.
+response = client.responses.create(
+    model="gpt-5",
+    input=[
+        {
+            "role": "user",
+            "content": "give me TLDR of what BerriAI/litellm repo is about",
+            "type": "message"
+        }
+    ],
+    tools=[
+        {
+            "type": "mcp",
+            "server_label": "litellm",
+            "server_url": "litellm_proxy",
+            "require_approval": "never"
+        }
+    ],
+    stream=True,
+    tool_choice="required"
+)
 
-```bash title="cURL Example" showLineNumbers
-curl --location '<your-litellm-proxy-base-url>/v1/responses' \
+print(response)
+```
+
+</TabItem>
+</Tabs>
+
+#### Specifying MCP Tools
+
+You can specify which MCP tools are available by using the `allowed_tools` parameter. This allows you to restrict access to specific tools within an MCP server.
+
+To get the list of allowed tools when using LiteLLM MCP Gateway, you can naigate to the LiteLLM UI on MCP Servers > MCP Tools > Click the Tool > Copy Tool Name.
+
+<Tabs>
+<TabItem value="curl" label="cURL">
+
+```bash title="cURL Example with allowed_tools" showLineNumbers
+curl --location 'http://localhost:4000/v1/responses' \
 --header 'Content-Type: application/json' \
---header "Authorization: Bearer $LITELLM_API_KEY" \
+--header "Authorization: Bearer sk-1234" \
 --data '{
-    "model": "gpt-4o",
+    "model": "gpt-5",
+    "input": [
+    {
+      "role": "user",
+      "content": "give me TLDR of what BerriAI/litellm repo is about",
+      "type": "message"
+    }
+  ],
     "tools": [
         {
             "type": "mcp",
             "server_label": "litellm",
-            "server_url": "litellm_proxy",
+            "server_url": "litellm_proxy/mcp",
             "require_approval": "never",
-            "headers": {
-                "x-litellm-api-key": "Bearer YOUR_LITELLM_API_KEY"
-            }
+            "allowed_tools": ["GitMCP-fetch_litellm_documentation"]
         }
     ],
-    "input": "Run available tools",
+    "stream": true,
     "tool_choice": "required"
 }'
 ```
 
 </TabItem>
+<TabItem value="python" label="Python SDK">
 
-<TabItem value="cursor" label="Cursor IDE">
+```python title="Python SDK Example with allowed_tools" showLineNumbers
+import openai
+
+client = openai.OpenAI(
+    api_key="sk-1234",
+    base_url="http://localhost:4000"
+)
+
+response = client.responses.create(
+    model="gpt-5",
+    input=[
+        {
+            "role": "user",
+            "content": "give me TLDR of what BerriAI/litellm repo is about",
+            "type": "message"
+        }
+    ],
+    tools=[
+        {
+            "type": "mcp",
+            "server_label": "litellm",
+            "server_url": "litellm_proxy/mcp",
+            "require_approval": "never",
+            "allowed_tools": ["GitMCP-fetch_litellm_documentation"]
+        }
+    ],
+    stream=True,
+    tool_choice="required"
+)
+
+print(response)
+```
 
-#### Connect via Cursor IDE
+</TabItem>
+</Tabs>
+
+### Use with Cursor IDE
 
 Use tools directly from Cursor IDE with LiteLLM MCP:
 
@@ -281,9 +366,6 @@ Use tools directly from Cursor IDE with LiteLLM MCP:
 }
 ```
 
-</TabItem>
-</Tabs>
-
 #### How it works when server_url="litellm_proxy"
 
 When server_url="litellm_proxy", LiteLLM bridges non-MCP providers to your MCP tools.

docs/my-website/img/mcp_tools.png

@@ -241,6 +241,9 @@ def load_servers_from_config(
                 transport=server_config.get("transport", MCPTransport.http),
                 spec_version=server_config.get("spec_version", MCPSpecVersion.jun_2025),
                 auth_type=server_config.get("auth_type", None),
+                authentication_token=server_config.get(
+                    "authentication_token", server_config.get("auth_value", None)
+                ),
                 mcp_info=mcp_info,
                 access_groups=server_config.get("access_groups", None),
             )
@@ -716,8 +719,8 @@ async def call_tool(
             tasks = []
             if proxy_logging_obj:
                 # Create synthetic LLM data for during hook processing
-                from litellm.types.mcp import MCPDuringCallRequestObject
                 from litellm.types.llms.base import HiddenParams
+                from litellm.types.mcp import MCPDuringCallRequestObject
 
                 request_obj = MCPDuringCallRequestObject(
                     tool_name=name,

litellm/proxy/_experimental/mcp_server/mcp_server_manager.py

@@ -42,3 +42,26 @@ def test_mcp_server_works_without_config_auth_value():
     # Verify header token is used
     assert client._mcp_auth_value == "Bearer token_from_header_only"
     assert client.auth_type == MCPAuth.authorization
+
+
+@pytest.mark.parametrize("token_key", ["authentication_token", "auth_value"])
+def test_mcp_server_config_auth_value_header_used(token_key):
+    """Ensure auth header is sent when auth token configured in config"""
+    config = {
+        "test_server": {
+            "url": "https://api.example.com/mcp",
+            "transport": "http",
+            "auth_type": "bearer_token",
+            token_key: "example_token",
+        }
+    }
+
+    manager = MCPServerManager()
+    manager.load_servers_from_config(config)
+
+    server = next(iter(manager.config_mcp_servers.values()))
+    client = manager._create_mcp_client(server)
+    headers = client._get_auth_headers()
+
+    assert headers["Authorization"] == "Bearer example_token"
+    assert client.auth_type == MCPAuth.bearer_token