diff --git a/articles/api-management/secure-mcp-servers.md b/articles/api-management/secure-mcp-servers.md
index 555dc311ec1fa..5cf84b0213e2c 100644
--- a/articles/api-management/secure-mcp-servers.md
+++ b/articles/api-management/secure-mcp-servers.md
@@ -59,16 +59,25 @@ For example, use the [validate-azure-ad-token](validate-azure-ad-token-policy.md
By default, API Management doesn't automatically forward incoming headers such as `Authorization` to an MCP server backend. To forward tokens securely today, you currently have these options:
-* Explicitly define `Authorization` as a required header in the API settings and forward the header in the `Outbound` policy.
+* BUG: Currently the only header that gets forwarded to your backend APIM API via MCP policy is the 'Ocp-Apim-Subscription-Key' header. If you want to passthrough an authentication header, transform it to the 'Ocp-Apim-Subscription-Key' header in the MCP 'inbound' policy first.
- Example policy snippet:
- ```xml
-
-
- @(context.Request.Headers.GetValueOrDefault("Authorization"))
-
- ```
+MCP policy 'inbound' section
+
+```xml
+
+ @((string)context.Request.Headers.GetValueOrDefault("Authorization",""))
+
+```
+
+Backing REST API 'inbound' section
+
+```xml
+
+ @((string)context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key",""))
+
+```
+
* Use API Management credential manager and policies (`get-authorization-context`, `set-header`) to securely forward the token. See [Secure outbound access](#secure-outbound-access) for details.
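Review bot: The replacement bullet and its two snippets lose the policy element the expressions belong to, so a reader cannot tell what to paste: both fenced blocks contain only a bare expression such as `@((string)context.Request.Headers.GetValueOrDefault("Authorization",""))`, where the removed snippet at least sat inside an example policy. Suggest wrapping each expression in the `set-header` element this same section already names (`<set-header name="Ocp-Apim-Subscription-Key" exists-action="override">` with the expression inside `<value>` in the MCP inbound section, and the reverse mapping back to `Authorization` in the backing REST API inbound section), and stating in the backing API snippet that the borrowed `Ocp-Apim-Subscription-Key` header is rewritten to `Authorization` and removed before the request reaches the backend, since the hunk only shows it being read. Also, the "BUG: Currently ..." phrasing is not documentation register and the two "'inbound' section" lines plus their fences are not indented under the bullet, so the list at "* Use API Management credential manager ..." renders as a second list after an unrelated paragraph; either indent the snippets under the first bullet or present both options as headed subsections.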
@@ -119,4 +128,4 @@ For a step-by-step guide to call an example backend using credentials generated
* [Expose REST API in API Management as an MCP server](export-rest-mcp-server.md)
-* [Expose and govern existing MCP server](expose-existing-mcp-server.md)
\ No newline at end of file
+* [Expose and govern existing MCP server](expose-existing-mcp-server.md)