MCP server header bearer token usage clarification

[roman-doubrava]

Dear librechat team,

I know there is already work in progress to integrate oauth for mcp in: #5676

However in the documentation https://www.librechat.ai/docs/configuration/librechat_yaml/object_structure/mcp_servers you mention that we can configure
Authorization: "Bearer ${SOME_AUTH_TOKEN}" for mcp endpoints config.

headers:
X-User-ID: "{{LIBRECHAT_USER_ID}}"
X-User-Email: "{{LIBRECHAT_USER_EMAIL}}"
X-User-Role: "{{LIBRECHAT_USER_ROLE}}"
X-API-Key: "${SOME_API_KEY}"
Authorization: "Bearer ${SOME_AUTH_TOKEN}"

Can you explain in more detail where the token should be generated before or if it is possible to be populated automatically for each mcp call after librechat openid login was performed?

If it can be forwarded after openid login what should be the environment variable name?

Are obtained authorization headers always forwarded to mcp server calls? If not could we make a mcp config variable to allow authization headers forwarding? This would cover the case where librechat and mcp server trust the same idp provider.

Also do you think it is possible to use a oauth mcp proxy which takes care about the oauth flow: https://github.com/wso2/open-mcp-auth-proxy then delegating tokens down to the sub mcp process?

It would be great to have a documted example with one possible way.

Sorry for so many questions and thank you very much in advance!

[danny-avila]

${SOME_AUTH_TOKEN} is just an example of an environment variable reference, meaning it will point to whatever value is defined in the environment or .env file.

The other examples {{LIBRECHAT_USER_*}} are generated dynamically per user.

Yes you can use a proxy server to take care of OAuth for now, but we will also support that soon, similar to how we support it for actions.

More info: #7240 (comment)