Skip to content

MCP Inspector Cannot Pass Custom Authentication HeadersΒ #879

New issue
New issue
Open
Open
MCP Inspector Cannot Pass Custom Authentication Headers#879
Labels
authIssues and PRs related to authorizationenhancementNew feature request
@lgacnik

Description

@lgacnik
lgacnik
opened on Oct 17, 2025

Inspector Version: 0.17.1

Describe the bug

MCP Inspector (CLI and Web UI) cannot pass custom authentication headers to MCP servers. Servers expecting credentials in custom headers (e.g., X-API-Credentials) never receive them, causing authentication failures.

To Reproduce

CLI Method

  1. Start MCP server expecting X-API-Credentials header:
python gmail_auth_test_server.py --transport streamable-http --port 8766 --host 0.0.0.0
  1. Server expects:
X-API-Credentials: {"auth_type":"oauth2","access_token":"<token>","token_type":"Bearer"}
  1. Run Inspector with --header flag:
npx @modelcontextprotocol/inspector@latest \
  --cli http://localhost:8766/mcp \
  --transport streamable-http \
  --header "Authorization: Bearer <valid-token>" \
  --method tools/call \
  --tool-name gmail_users_messages_list \
  --tool-arg userId=me
  1. Server logs show:
ERROR - Authentication failed: Missing or invalid X-API-Credentials header

Web UI Method

  1. Open Inspector: npx @modelcontextprotocol/inspector
  2. Configure:
  3. Connect and call tool
  4. Same authentication failure

Expected behavior

Custom headers configured in Inspector should be forwarded to the MCP server. The --header flag should pass headers to the server, not just authenticate to the Inspector proxy.

Actual behavior

  • Server receives no X-API-Credentials header
  • Authentication fails
  • Both CLI and Web UI fail to pass custom headers

Environment

  • OS: Linux (Ubuntu/Debian)
  • Browser: Chrome/Firefox
  • Inspector Version: 0.17.1
  • Transport: Streamable HTTP
  • Server Framework: FastMCP 2.12.4 with Python

Additional context

Investigation findings

  1. Token is valid (verified with direct curl to Gmail API)
  2. Server works correctly with direct HTTP clients
  3. The --header flag appears to authenticate TO the Inspector proxy, not pass headers THROUGH to the server
  4. May be an architectural gap in MCP protocol for HTTP header authentication

Workarounds

  • Direct Python MCP client with full header control (works)
  • Hardcoding credentials in server (works but insecure)
  • Inspector CLI --header flag (fails)
  • Inspector Web UI custom headers (fails)

Question

Is there a supported way to pass custom authentication headers from Inspector to MCP servers over HTTP/SSE transports? If not, this is a significant testing limitation for authenticated MCP servers.

Metadata

Metadata

Assignees

No one assigned

    Labels

    authIssues and PRs related to authorizationenhancementNew feature request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions