Skip to content

fix(oauth): pass bearer token to all streamable http requests #476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 7, 2025
Merged

fix(oauth): pass bearer token to all streamable http requests #476

merged 2 commits into from
Oct 7, 2025
+17 −6

Conversation

@gpeal
Copy link
Contributor

@gpeal gpeal commented Oct 7, 2025
edited
Loading

Motivation and Context

The auth token wasn't passed to all endpoints which causes 401s in some MCP servers such as GitHub's.

I also clarified that the auth header should be just the bearer token rather than the full header value.
It is possible that some clients were passing in the wrong value here (like Codex)
Please confirm that this is the expected behavior.

How Has This Been Tested?

I was able to repro the GitHub MCP 401 and confirm that it works after this change

Codex:
CleanShot 2025-10-06 at 17 36 17

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

I wrote the core code by hand (it also matches #464) but codex wrote the tests.

Fixes #464

@github-actions github-actions bot added T-core Core library changes T-transport Transport layer changes T-documentation Documentation improvements labels Oct 7, 2025
@gpeal
fix(typo): fix an unrelated typo
79548e2 
There was an errant typo in the CHANGELOG that is breaking CI
@gpeal gpeal force-pushed the gpeal/add-auth-to-streamable-http-2 branch from 6ddf259 to 79548e2 Compare October 7, 2025 00:44
@alexhancock alexhancock self-requested a review October 7, 2025 19:33
@alexhancock
Copy link
Contributor

alexhancock commented Oct 7, 2025
edited
Loading

Aligns with my understanding

Note that authorization MUST be included in every HTTP request from client to server, even if they are part of the same logical session.

per https://modelcontextprotocol.io/specification/draft/basic/authorization#token-requirements

@alexhancock alexhancock merged commit 923145a into modelcontextprotocol:main Oct 7, 2025
11 checks passed
@github-actions github-actions bot mentioned this pull request Oct 7, 2025
Merged
@reneklacan
Copy link

reneklacan commented Oct 19, 2025

@gpeal thank you very much for this fix, our MCP wasn't working properly and was planning to dig into rcmp to to figure out what's up but you beat me to it! Thanks a lot

@gpeal gpeal mentioned this pull request Oct 21, 2025
Merged
gpeal added a commit to openai/codex that referenced this pull request Oct 21, 2025
@gpeal
[MCP] Bump rmcp to 0.8.2 (#5423)
42d5c35 
[Release
notes](https://github.com/modelcontextprotocol/rust-sdk/releases)

Notably, this picks up two of my PRs that have four separate fixes for
oauth dynamic client registration and auth
modelcontextprotocol/rust-sdk#489
modelcontextprotocol/rust-sdk#476
JeffCarpenter pushed a commit to JeffCarpenter/codex that referenced this pull request Oct 24, 2025
@gpeal @JeffCarpenter
[MCP] Bump rmcp to 0.8.2 (openai#5423)
00374bb 
[Release
notes](https://github.com/modelcontextprotocol/rust-sdk/releases)

Notably, this picks up two of my PRs that have four separate fixes for
oauth dynamic client registration and auth
modelcontextprotocol/rust-sdk#489
modelcontextprotocol/rust-sdk#476
Holovkat pushed a commit to Holovkat/codex-pro that referenced this pull request Oct 29, 2025
@gpeal @Holovkat
[MCP] Bump rmcp to 0.8.2 (#5423)
edca5ae 
[Release
notes](https://github.com/modelcontextprotocol/rust-sdk/releases)

Notably, this picks up two of my PRs that have four separate fixes for
oauth dynamic client registration and auth
modelcontextprotocol/rust-sdk#489
modelcontextprotocol/rust-sdk#476
DioNanos pushed a commit to DioNanos/codex-termux that referenced this pull request Nov 10, 2025
@gpeal
[MCP] Bump rmcp to 0.8.2 (openai#5423)
503b4c1 
[Release
notes](https://github.com/modelcontextprotocol/rust-sdk/releases)

Notably, this picks up two of my PRs that have four separate fixes for
oauth dynamic client registration and auth
modelcontextprotocol/rust-sdk#489
modelcontextprotocol/rust-sdk#476
willy3087 pushed a commit to nextlw/elai_codex that referenced this pull request Nov 14, 2025
@gpeal
[MCP] Bump rmcp to 0.8.2 (openai#5423)
3f4b799 
[Release
notes](https://github.com/modelcontextprotocol/rust-sdk/releases)

Notably, this picks up two of my PRs that have four separate fixes for
oauth dynamic client registration and auth
modelcontextprotocol/rust-sdk#489
modelcontextprotocol/rust-sdk#476
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexhancock alexhancock alexhancock approved these changes

Assignees

No one assigned

Labels

T-core Core library changes T-documentation Documentation improvements T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

StreamableHttpClientTransport fails to send auth header in SSE stream requests causing 401 errors

3 participants

@gpeal @alexhancock @reneklacan