fix: Cookie header forwarding for MCP server authentication (#1394)

* fix: cookie header forwarding for MCP server authentication

- Add cookie header validation to auth middleware (x-forwarded-cookie and cookie)
- Forward user session headers through A2A task metadata
- Transform browser cookie header to x-forwarded-cookie for downstream forwarding
- Include forwarded headers in MCP client cache key to prevent stale connections
- Add header redaction for cookie and x-forwarded-cookie in loggers
- Add security comment about not using debugLogger with sensitive headers

* fix: add missing header method to mock context in A2A handler tests

Author: amikofalvy

.changeset/vertical-green-boa.md

@@ -0,0 +1,12 @@
+---
+"@inkeep/agents-cli": patch
+"@inkeep/agents-core": patch
+"@inkeep/agents-manage-api": patch
+"@inkeep/agents-manage-ui": patch
+"@inkeep/agents-run-api": patch
+"@inkeep/agents-sdk": patch
+"@inkeep/create-agents": patch
+"@inkeep/ai-sdk-provider": patch
+---
+
+Fix cookie header forwarding for MCP server authentication

agents-manage-api/src/middleware/auth.ts

@@ -49,14 +49,28 @@ export const apiKeyAuth = () =>
       return;
     }
 
-    // 2. Try to validate as a better-auth session token (from device authorization flow)
+    // 2. Try to validate as a better-auth session token (from device authorization flow or cookie)
     const auth = c.get('auth');
     if (auth) {
       try {
         // Create headers with the Authorization header for bearer token validation
         const headers = new Headers();
         headers.set('Authorization', authHeader);
 
+        // Also include cookie for session validation - check x-forwarded-cookie first (from MCP/SDK calls)
+        const forwardedCookie = c.req.header('x-forwarded-cookie');
+        const cookie = c.req.header('cookie');
+        if (forwardedCookie) {
+          headers.set('cookie', forwardedCookie);
+          logger.debug(
+            { source: 'x-forwarded-cookie' },
+            'Using x-forwarded-cookie for session validation'
+          );
+        } else if (cookie) {
+          headers.set('cookie', cookie);
+          logger.debug({ source: 'cookie' }, 'Using cookie for session validation');
+        }
+
         const session = await auth.api.getSession({ headers });
 
         if (session?.user) {

agents-manage-api/src/routes/mcp.ts

@@ -46,6 +46,7 @@ app.all('/', async (c) => {
 
     // Create SDK with custom hooks
     // Note: hooks is passed as an extended option (not in SDKOptions type but accepted by ClientSDK)
+    // SECURITY: Do not pass debugLogger - it would log all headers including sensitive auth cookies
     return new InkeepAgentsCore({
       serverURL: env.INKEEP_AGENTS_MANAGE_API_URL,
       hooks,

agents-manage-ui/src/lib/logger.ts

@@ -10,7 +10,12 @@ const logger = pino({
   serializers: {
     obj: (value) => ({ ...value }),
   },
-  redact: ['req.headers.authorization', 'req.headers["x-inkeep-admin-authentication"]'],
+  redact: [
+    'req.headers.authorization',
+    'req.headers["x-inkeep-admin-authentication"]',
+    'req.headers.cookie',
+    'req.headers["x-forwarded-cookie"]',
+  ],
   // Only use pretty transport in development
   ...(NODE_ENV === 'development' && {
     transport: {

agents-run-api/src/__tests__/a2a/handlers.test.ts

@@ -66,6 +66,7 @@ describe('A2A Handlers', () => {
       req: {
         json: vi.fn(),
         param: vi.fn().mockReturnValue('test-agent'),
+        header: vi.fn().mockReturnValue(undefined),
       },
       json: vi.fn().mockImplementation((data) => new Response(JSON.stringify(data))),
       text: vi.fn().mockImplementation((text) => new Response(text)),

agents-run-api/src/a2a/handlers.ts

@@ -90,6 +90,21 @@ async function handleMessageSend(
     const executionContext = getRequestExecutionContext(c);
     const { agentId } = executionContext;
 
+    // Extract forwarded headers from the request (passed from ExecutionHandler via A2AClient)
+    // Transform cookie -> x-forwarded-cookie for downstream forwarding
+    const forwardedHeaders: Record<string, string> = {};
+    const xForwardedCookie = c.req.header('x-forwarded-cookie');
+    const authorization = c.req.header('authorization');
+    const cookie = c.req.header('cookie');
+
+    // Priority: x-forwarded-cookie (explicit) > cookie (browser-sent)
+    if (xForwardedCookie) {
+      forwardedHeaders['x-forwarded-cookie'] = xForwardedCookie;
+    } else if (cookie) {
+      forwardedHeaders['x-forwarded-cookie'] = cookie;
+    }
+    if (authorization) forwardedHeaders.authorization = authorization;
+
     const task: A2ATask = {
       id: generateId(),
       input: {
@@ -105,6 +120,8 @@ async function handleMessageSend(
           blocking: params.configuration?.blocking ?? false,
           custom: { agent_id: agentId || '' },
           ...params.message.metadata,
+          // Pass forwarded headers to taskHandler for MCP server authentication
+          forwardedHeaders: Object.keys(forwardedHeaders).length > 0 ? forwardedHeaders : undefined,
         },
       },
     };
@@ -421,6 +438,21 @@ async function handleMessageStream(
       } satisfies JsonRpcResponse);
     }
 
+    // Extract forwarded headers from the request (passed from ExecutionHandler via A2AClient)
+    // Transform cookie -> x-forwarded-cookie for downstream forwarding
+    const forwardedHeaders: Record<string, string> = {};
+    const xForwardedCookie = c.req.header('x-forwarded-cookie');
+    const authorization = c.req.header('authorization');
+    const cookie = c.req.header('cookie');
+
+    // Priority: x-forwarded-cookie (explicit) > cookie (browser-sent)
+    if (xForwardedCookie) {
+      forwardedHeaders['x-forwarded-cookie'] = xForwardedCookie;
+    } else if (cookie) {
+      forwardedHeaders['x-forwarded-cookie'] = cookie;
+    }
+    if (authorization) forwardedHeaders.authorization = authorization;
+
     const task: A2ATask = {
       id: generateId(),
       input: {
@@ -435,6 +467,8 @@ async function handleMessageStream(
         metadata: {
           blocking: false, // Streaming is always non-blocking
           custom: { agent_id: agentId || '' },
+          // Pass forwarded headers to taskHandler for MCP server authentication
+          forwardedHeaders: Object.keys(forwardedHeaders).length > 0 ? forwardedHeaders : undefined,
         },
       },
     };

agents-run-api/src/agents/Agent.ts

@@ -145,6 +145,8 @@ export type AgentConfig = {
   sandboxConfig?: SandboxConfig;
   /** User ID for user-scoped credential lookup (from temp JWT) */
   userId?: string;
+  /** Headers to forward to MCP servers (e.g., x-forwarded-cookie for user session auth) */
+  forwardedHeaders?: Record<string, string>;
 };
 
 export type ExternalAgentRelationConfig = {
@@ -954,7 +956,12 @@ export class Agent {
   }
 
   async getMcpTool(tool: McpTool) {
-    const cacheKey = `${this.config.tenantId}-${this.config.projectId}-${tool.id}-${tool.credentialReferenceId || 'no-cred'}`;
+    // Include forwarded headers hash in cache key to ensure user session-specific connections
+    // This prevents reusing a connection created without cookies for requests that have them
+    const forwardedHeadersHash = this.config.forwardedHeaders
+      ? Object.keys(this.config.forwardedHeaders).sort().join(',')
+      : 'no-fwd';
+    const cacheKey = `${this.config.tenantId}-${this.config.projectId}-${tool.id}-${tool.credentialReferenceId || 'no-cred'}-${forwardedHeadersHash}`;
 
     const credentialReferenceId = tool.credentialReferenceId;
 
@@ -1098,12 +1105,21 @@ export class Agent {
       serverConfig.url = urlObj.toString();
     }
 
+    // Merge forwarded headers (user session auth) into server config
+    if (this.config.forwardedHeaders && Object.keys(this.config.forwardedHeaders).length > 0) {
+      serverConfig.headers = {
+        ...serverConfig.headers,
+        ...this.config.forwardedHeaders,
+      };
+    }
+
     logger.info(
       {
         toolName: tool.name,
         credentialReferenceId,
         transportType: serverConfig.type,
         headers: tool.headers,
+        hasForwardedHeaders: !!this.config.forwardedHeaders,
       },
       'Built MCP server config with credentials'
     );

agents-run-api/src/agents/generateTaskHandler.ts

@@ -72,6 +72,11 @@ export const createTaskHandler = (
         };
       }
 
+      // Extract forwarded headers from task metadata (passed from A2A handlers)
+      const forwardedHeaders = task.context?.metadata?.forwardedHeaders as
+        | Record<string, string>
+        | undefined;
+
       const [
         internalRelations,
         externalRelations,
@@ -494,6 +499,7 @@ export const createTaskHandler = (
           contextConfigId: config.contextConfigId || undefined,
           conversationHistoryConfig: config.conversationHistoryConfig,
           sandboxConfig: config.sandboxConfig,
+          forwardedHeaders,
         },
         credentialStoreRegistry
       );

agents-run-api/src/handlers/executionHandler.ts

@@ -37,6 +37,8 @@ interface ExecutionHandlerParams {
   requestId: string;
   sseHelper: StreamHelper;
   emitOperations?: boolean;
+  /** Headers to forward to MCP servers (e.g., x-forwarded-cookie for auth) */
+  forwardedHeaders?: Record<string, string>;
 }
 
 interface ExecutionResult {
@@ -72,6 +74,7 @@ export class ExecutionHandler {
       requestId,
       sseHelper,
       emitOperations,
+      forwardedHeaders,
     } = params;
 
     const { tenantId, projectId, agentId, apiKey, baseUrl } = executionContext;
@@ -262,6 +265,8 @@ export class ExecutionHandler {
             'x-inkeep-project-id': projectId,
             'x-inkeep-agent-id': agentId,
             'x-inkeep-sub-agent-id': currentAgentId,
+            // Forward user session headers for MCP tool authentication
+            ...(forwardedHeaders || {}),
           },
         });
 

agents-run-api/src/routes/chat.ts

@@ -364,6 +364,22 @@ app.openapi(chatCompletionsRoute, async (c) => {
           const emitOperationsHeader = c.req.header('x-emit-operations');
           const emitOperations = emitOperationsHeader === 'true';
 
+          // Extract headers to forward to MCP servers (for user session auth)
+          // Transform cookie -> x-forwarded-cookie since downstream services expect it
+          const forwardedHeaders: Record<string, string> = {};
+          const xForwardedCookie = c.req.header('x-forwarded-cookie');
+          const authorization = c.req.header('authorization');
+          const cookie = c.req.header('cookie');
+
+          // Priority: x-forwarded-cookie (explicit) > cookie (browser-sent)
+          // Transform cookie to x-forwarded-cookie for downstream forwarding
+          if (xForwardedCookie) {
+            forwardedHeaders['x-forwarded-cookie'] = xForwardedCookie;
+          } else if (cookie) {
+            forwardedHeaders['x-forwarded-cookie'] = cookie;
+          }
+          if (authorization) forwardedHeaders.authorization = authorization;
+
           const executionHandler = new ExecutionHandler();
           const result = await executionHandler.execute({
             executionContext,
@@ -373,6 +389,7 @@ app.openapi(chatCompletionsRoute, async (c) => {
             requestId,
             sseHelper,
             emitOperations,
+            forwardedHeaders,
           });
 
           logger.info(