harsha-iiiv · iwyrkore · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- CLI option `--passthrough-auth` to forward authentication headers from MCP requests to the downstream API, per the OpenAPI security scheme. Supports http (bearer/basic), apiKey (header/query/cookie), and OpenID Connect bearer tokens. Works for SSE and StreamableHTTP transports. Requires `@modelcontextprotocol/sdk` ^1.17.4.
+
+
 ## [3.2.0] - 2025-08-24
 
 ### Added

diff --git a/README.md b/README.md
@@ -48,17 +48,18 @@ openapi-mcp-generator --input path/to/openapi.json --output path/to/output/dir -
 
 ### CLI Options
 
-| Option              | Alias | Description                                                                                                                                    | Default                           |
-| ------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
-| `--input`           | `-i`  | Path or URL to OpenAPI specification (YAML or JSON)                                                                                            | **Required**                      |
-| `--output`          | `-o`  | Directory to output the generated MCP project                                                                                                  | **Required**                      |
-| `--server-name`     | `-n`  | Name of the MCP server (`package.json:name`)                                                                                                   | OpenAPI title or `mcp-api-server` |
-| `--server-version`  | `-v`  | Version of the MCP server (`package.json:version`)                                                                                             | OpenAPI version or `1.0.0`        |
-| `--base-url`        | `-b`  | Base URL for API requests. Required if OpenAPI `servers` missing or ambiguous.                                                                 | Auto-detected if possible         |
-| `--transport`       | `-t`  | Transport mode: `"stdio"` (default), `"web"`, or `"streamable-http"`                                                                           | `"stdio"`                         |
-| `--port`            | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
-| `--default-include` |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
-| `--force`           |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
+| Option               | Alias | Description                                                                                                                                    | Default                           |
+| -------------------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
+| `--input`            | `-i`  | Path or URL to OpenAPI specification (YAML or JSON)                                                                                            | **Required**                      |
+| `--output`           | `-o`  | Directory to output the generated MCP project                                                                                                  | **Required**                      |
+| `--server-name`      | `-n`  | Name of the MCP server (`package.json:name`)                                                                                                   | OpenAPI title or `mcp-api-server` |
+| `--server-version`   | `-v`  | Version of the MCP server (`package.json:version`)                                                                                             | OpenAPI version or `1.0.0`        |
+| `--base-url`         | `-b`  | Base URL for API requests. Required if OpenAPI `servers` missing or ambiguous.                                                                 | Auto-detected if possible         |
+| `--transport`        | `-t`  | Transport mode: `"stdio"` (default), `"web"`, or `"streamable-http"`                                                                           | `"stdio"`                         |
+| `--port`             | `-p`  | Port for web-based transports                                                                                                                  | `3000`                            |
+| `--default-include`  |       | Default behavior for x-mcp filtering. Accepts `true` or `false` (case-insensitive). `true` = include by default, `false` = exclude by default. | `true`                            |
+| `--force`            |       | Overwrite existing files in the output directory without confirmation                                                                          | `false`                           |
+| `--passthrough-auth` |       | Forward auth headers in MCP requests to the downstream API, as specified by the OpenAPI spec.                                                    | `false`                           |
 
 ## 📦 Programmatic API
 
@@ -125,6 +126,7 @@ Launches a fully functional HTTP server with:
 - In-browser test client UI
 - Multi-connection support
 - Built with lightweight Hono framework
+- Optional pass-through auth headers
 
 ### StreamableHTTP
 
@@ -137,6 +139,7 @@ Implements the MCP StreamableHTTP transport which offers:
 - Compatibility with MCP StreamableHTTPClientTransport
 - In-browser test client UI
 - Built with lightweight Hono framework
+- Optional pass-through auth headers
 
 ### Transport Comparison
 
@@ -151,6 +154,7 @@ Implements the MCP StreamableHTTP transport which offers:
 | Load balancing     | No                  | Limited           | Yes                |
 | Status codes       | No                  | Limited           | Full HTTP codes    |
 | Headers            | No                  | Limited           | Full HTTP headers  |
+| Pass-through Auth  | No                  | Optional          | Optional           |
 | Test client        | No                  | Yes               | Yes                |
 
 ---
@@ -168,6 +172,33 @@ Configure auth credentials in your environment:
 
 ---
 
+## 🔐 Pass-through Headers for Authentication
+
+Use the CLI option `--passthrough-auth` to have the server pass-through client auth headers to the downstream API. The headers forwarded are for the auth schemes defined in the OpenAPI spec. Scheme types http (bearer or basic), apiKey (header, query param, or cookie), and openIdConnect bearer tokens are supported.
+
+The client should configure the auth credentials to be sent, for example:
+
+```
+"mcpServers": {
+      "my-api": {
+        "transport": "HTTP",
+        "url": "http://localhost:3000/sse",
+        "headers": {
+          "Authorization": "Bearer MY_TOKEN"
+        }
+      },
+      "my-other-api": {
+        "transport": "Streamable-HTTP",
+        "url": "http://localhost:4000/mcp",
+        "headers": {
+          "X-API-Key": "MY_API_KEY"
+        }
+      },
+}
+```
+
+---
+
 ## 🔎 Filtering Endpoints with OpenAPI Extensions
 
 You can control which operations are exposed as MCP tools using a vendor extension flag `x-mcp`. This extension is supported at the root, path, and operation levels. By default, endpoints are included unless explicitly excluded.

diff --git a/examples/pet-store-sse/package-lock.json b/examples/pet-store-sse/package-lock.json
diff --git a/examples/pet-store-sse/package.json b/examples/pet-store-sse/package.json
@@ -20,7 +20,7 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.10.0",
+    "@modelcontextprotocol/sdk": "^1.17.4",
     "axios": "^1.9.0",
     "dotenv": "^16.4.5",
     "zod": "^3.24.3",

diff --git a/examples/pet-store-streamable-http/package-lock.json b/examples/pet-store-streamable-http/package-lock.json
diff --git a/examples/pet-store-streamable-http/package.json b/examples/pet-store-streamable-http/package.json
@@ -22,7 +22,7 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.10.0",
+    "@modelcontextprotocol/sdk": "^1.17.4",
     "axios": "^1.9.0",
     "dotenv": "^16.4.5",
     "zod": "^3.24.3",

diff --git a/examples/petstore-mcp/package.json b/examples/petstore-mcp/package.json
@@ -19,7 +19,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.9.0",
+    "@modelcontextprotocol/sdk": "^1.17.4",
     "axios": "^1.8.4",
     "json-schema-to-zod": "^2.6.1",
     "zod": "^3.24.2"