Added passthroughAuth option, --passthrough-auth on the commandline.

CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+### Added
+
+- passthrough-auth option to pass through auth info in MCP request headers to the API, as specified by the openapi spec.
+
 ## [3.2.0] - 2025-08-24
 
 ### Added

README.md

@@ -48,17 +48,18 @@ openapi-mcp-generator --input path/to/openapi.json --output path/to/output/dir -
 
 ### CLI Options
 
-| Option              | Alias | Description                                                                                                                                    | Default                           |
-| ------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
-| `--input`           | `-i`  | Path or URL to OpenAPI specification (YAML or JSON)                                                                                            | **Required**                      |
-| `--output`          | `-o`  | Directory to output the generated MCP project                                                                                                  | **Required**                      |
-| `--server-name`     | `-n`  | Name of the MCP server (`package.json:name`)                                                                                                   | OpenAPI title or `mcp-api-server` |
-| `--server-version`  | `-v`  | Version of the MCP server (`package.json:version`)                                                                                             | OpenAPI version or `1.0.0`        |
-| `--base-url`        | `-b`  | Base URL for API requests. Required if OpenAPI `servers` missing or ambiguous.                                                                 | Auto-detected if possible         |
-| `--transport`       | `-t`  | Transport mode: `"stdio"` (default), `"web"`, or `"streamable-http"`                                                                           | `"stdio"`                         |
-| `--port`            | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
-| `--default-include` |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
-| `--force`           |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
+| Option               | Alias | Description                                                                                                                                    | Default                           |
+| -------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
+| `--input`            | `-i`  | Path or URL to OpenAPI specification (YAML or JSON)                                                                                            | **Required**                      |
+| `--output`           | `-o`  | Directory to output the generated MCP project                                                                                                  | **Required**                      |
+| `--server-name`      | `-n`  | Name of the MCP server (`package.json:name`)                                                                                                   | OpenAPI title or `mcp-api-server` |
+| `--server-version`   | `-v`  | Version of the MCP server (`package.json:version`)                                                                                             | OpenAPI version or `1.0.0`        |
+| `--base-url`         | `-b`  | Base URL for API requests. Required if OpenAPI `servers` missing or ambiguous.                                                                 | Auto-detected if possible         |
+| `--transport`        | `-t`  | Transport mode: `"stdio"` (default), `"web"`, or `"streamable-http"`                                                                           | `"stdio"`                         |
+| `--port`             | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
+| `--default-include`  |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
+| `--force`            |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
+| `--passthrough-auth` |       | pass through auth info in MCP request headers to the API, as specified by the openapi spec.                                                    | `false`                           |
 
 ## 📦 Programmatic API
 

package.json

@@ -62,7 +62,7 @@
     "typescript": "^5.9.2"
   },
   "peerDependencies": {
-    "@modelcontextprotocol/sdk": "^1.10.2",
+    "@modelcontextprotocol/sdk": "^1.17.4",
     "json-schema-to-zod": "^2.6.1",
     "zod": "^3.24.3"
   }

src/generator/package-json.ts

@@ -31,7 +31,7 @@ export function generatePackageJson(
       node: '>=20.0.0',
     },
     dependencies: {
-      '@modelcontextprotocol/sdk': '^1.10.0',
+      '@modelcontextprotocol/sdk': '^1.17.4',
       axios: '^1.9.0',
       dotenv: '^16.4.5',
       zod: '^3.24.3',

src/generator/server-code.ts

@@ -39,7 +39,7 @@ export function generateMcpServerCode(
   );
 
   // Generate code for request handlers
-  const callToolHandlerCode = generateCallToolHandler();
+  const callToolHandlerCode = generateCallToolHandler(options.passthroughAuth);
   const listToolsHandlerCode = generateListToolsHandler();
 
   // Determine which transport to include
@@ -99,8 +99,12 @@ import {
   ListToolsRequestSchema,
   type Tool,
   type CallToolResult,
-  type CallToolRequest
+  type CallToolRequest,
+  ServerRequest,
+  ServerNotification,
+  IsomorphicHeaders
 } from "@modelcontextprotocol/sdk/types.js";${transportImport}
+import { RequestHandlerExtra } from '@modelcontextprotocol/sdk/shared/protocol.js';
 
 import { z, ZodError } from 'zod';
 import { jsonSchemaToZod } from 'json-schema-to-zod';

src/generator/web-server.ts

@@ -19,7 +19,7 @@ import { serve } from '@hono/node-server';
 import { streamSSE } from 'hono/streaming';
 import { v4 as uuid } from 'uuid';
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
-import { JSONRPCMessage, JSONRPCMessageSchema } from "@modelcontextprotocol/sdk/types.js";
+import { JSONRPCMessage, JSONRPCMessageSchema, MessageExtraInfo } from "@modelcontextprotocol/sdk/types.js";
 import type { Context } from 'hono';
 import type { SSEStreamingApi } from 'hono/streaming';
 import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
@@ -37,7 +37,7 @@ private messageUrl: string;
 
 onclose?: () => void;
 onerror?: (error: Error) => void;
-onmessage?: (message: JSONRPCMessage) => void;
+onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
 
 constructor(messageUrl: string, stream: SSEStreamingApi) {
   this._sessionId = uuid();
@@ -105,7 +105,7 @@ async handlePostMessage(c: Context): Promise<Response> {
 
       // Forward to the message handler
       if (this.onmessage) {
-        this.onmessage(parsedMessage);
+        this.onmessage(parsedMessage, {requestInfo: {headers: c.req.header()}});
         return c.text('Accepted', 202);
       } else {
         return c.text('No message handler defined', 500);

src/index.ts

@@ -86,6 +86,7 @@ program
     },
     true
   )
+  .option('--passthrough-auth', 'Pass through authentication headers to the API')
   .option('--force', 'Overwrite existing files without prompting')
   .version(pkg.version) // Match package.json version
   .action((options) => {

src/types/index.ts

@@ -35,6 +35,8 @@ export interface CliOptions {
    * false = exclude by default unless x-mcp explicitly enables.
    */
   defaultInclude?: boolean;
+  /** Whether to pass through authentication headers to the API */
+  passthroughAuth?: boolean;
 }
 
 /**

src/utils/code-gen.ts

@@ -87,16 +87,17 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
  *
  * @returns Generated code for the call tool handler
  */
-export function generateCallToolHandler(): string {
+export function generateCallToolHandler(passthroughAuth: boolean | undefined): string {
   return `
-server.setRequestHandler(CallToolRequestSchema, async (request: CallToolRequest): Promise<CallToolResult> => {
+server.setRequestHandler(CallToolRequestSchema, async (request: CallToolRequest, extra: RequestHandlerExtra<ServerRequest, ServerNotification>): Promise<CallToolResult> => {
   const { name: toolName, arguments: toolArgs } = request.params;
   const toolDefinition = toolDefinitionMap.get(toolName);
   if (!toolDefinition) {
     console.error(\`Error: Unknown tool requested: \${toolName}\`);
     return { content: [{ type: "text", text: \`Error: Unknown tool requested: \${toolName}\` }] };
   }
-  return await executeApiTool(toolName, toolDefinition, toolArgs ?? {}, securitySchemes);
+  let sessionHeaders = ${passthroughAuth ? 'extra.requestInfo?.headers' : 'undefined'};
+  return await executeApiTool(toolName, toolDefinition, toolArgs ?? {}, securitySchemes, sessionHeaders);
 });
 `;
 }

src/utils/security.ts

@@ -208,6 +208,11 @@ export function generateExecuteApiToolFunction(
 
   // Generate security handling code for checking, applying security
   const securityCode = `
+    function getHeaderValue(headers: IsomorphicHeaders | undefined, key: string): string | undefined {
+        const value = headers?.[key];
+        return Array.isArray(value) ? value[0] : value;
+    }
+
     // Apply security requirements if available
     // Security requirements use OR between array items and AND within each object
     const appliedSecurity = definition.securityRequirements?.find(req => {
@@ -218,17 +223,18 @@ export function generateExecuteApiToolFunction(
 
             // API Key security (header, query, cookie)
             if (scheme.type === 'apiKey') {
-                return !!process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
+                return !!(process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,scheme.name.toLowerCase()));
             }
 
             // HTTP security (basic, bearer)
             if (scheme.type === 'http') {
                 if (scheme.scheme?.toLowerCase() === 'bearer') {
-                    return !!process.env[\`BEARER_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
+                    return !!(process.env[\`BEARER_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,'authorization')?.startsWith('Bearer '));
                 }
                 else if (scheme.scheme?.toLowerCase() === 'basic') {
-                    return !!process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] && 
-                           !!process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
+                    return (!!(process.env[\`BASIC_USERNAME_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] &&
+                           !!process.env[\`BASIC_PASSWORD_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`])  ||
+                           getHeaderValue(sessionHeaders,'authorization')?.startsWith('Basic '));
                 }
             }
 
@@ -253,7 +259,7 @@ export function generateExecuteApiToolFunction(
 
             // OpenID Connect
             if (scheme.type === 'openIdConnect') {
-                return !!process.env[\`OPENID_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
+                return !!(process.env[\`OPENID_TOKEN_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,'authorization')?.startsWith('Bearer '));
             }
 
             return false;
@@ -268,7 +274,7 @@ export function generateExecuteApiToolFunction(
 
             // API Key security
             if (scheme?.type === 'apiKey') {
-                const apiKey = process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`];
+                const apiKey = (process.env[\`API_KEY_\${schemeName.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase()}\`] || getHeaderValue(sessionHeaders,scheme.name.toLowerCase()));
                 if (apiKey) {
                     if (scheme.in === 'header') {
                         headers[scheme.name.toLowerCase()] = apiKey;
@@ -292,6 +298,9 @@ export function generateExecuteApiToolFunction(
                     if (token) {
                         headers['authorization'] = \`Bearer \${token}\`;
                         console.error(\`Applied Bearer token for '\${schemeName}'\`);
+                    } else if (getHeaderValue(sessionHeaders,'authorization')?.startsWith('Bearer ')) {
+                        headers['authorization'] = getHeaderValue(sessionHeaders,'authorization')!;
+                        console.error(\`Applied Bearer token for '\${schemeName}' from session headers\`);
                     }
                 } 
                 else if (scheme.scheme?.toLowerCase() === 'basic') {
@@ -300,6 +309,9 @@ export function generateExecuteApiToolFunction(
                     if (username && password) {
                         headers['authorization'] = \`Basic \${Buffer.from(\`\${username}:\${password}\`).toString('base64')}\`;
                         console.error(\`Applied Basic authentication for '\${schemeName}'\`);
+                    } else if (getHeaderValue(sessionHeaders,'authorization')?.startsWith('Basic ')) {
+                        headers['authorization'] = getHeaderValue(sessionHeaders,'authorization')!;
+                        console.error(\`Applied Basic authentication for '\${schemeName}' from session headers\`);
                     }
                 }
             }
@@ -338,6 +350,9 @@ export function generateExecuteApiToolFunction(
                     if (scopes && scopes.length > 0) {
                         console.error(\`Requested scopes: \${scopes.join(', ')}\`);
                     }
+                } else if (getHeaderValue(sessionHeaders,'authorization')?.startsWith('Bearer ')) {
+                    headers['authorization'] = getHeaderValue(sessionHeaders,'authorization')!;
+                    console.error(\`Applied OpenID Connect token for '\${schemeName}' from session headers\`);
                 }
             }
         }
@@ -379,7 +394,8 @@ async function executeApiTool(
     toolName: string,
     definition: McpToolDefinition,
     toolArgs: JsonObject,
-    allSecuritySchemes: Record<string, any>
+    allSecuritySchemes: Record<string, any>,
+    sessionHeaders: IsomorphicHeaders | undefined
 ): Promise<CallToolResult> {
   try {
     // Validate arguments against the input schema