27 changes: 18 additions & 9 deletions articles/api-management/secure-mcp-servers.md
Expand Up @@ -59,16 +59,25 @@ For example, use the [validate-azure-ad-token](validate-azure-ad-token-policy.md

By default, API Management doesn't automatically forward incoming headers such as `Authorization` to an MCP server backend. To forward tokens securely today, you currently have these options:

* Explicitly define `Authorization` as a required header in the API settings and forward the header in the `Outbound` policy.
* BUG: Currently the only header that gets forwarded to your backend APIM API via MCP policy is the 'Ocp-Apim-Subscription-Key' header. If you want to passthrough an authentication header, transform it to the 'Ocp-Apim-Subscription-Key' header in the MCP 'inbound' policy first.

Example policy snippet:

```xml
<!-- Forward Authorization header to backend -->
<set-header name="Authorization" exists-action="override">
<value>@(context.Request.Headers.GetValueOrDefault("Authorization"))</value>
</set-header>
```
MCP policy 'inbound' section

```xml
<set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
<value>@((string)context.Request.Headers.GetValueOrDefault("Authorization",""))</value>
</set-header>
```

Backing REST API 'inbound' section

```xml
<set-header name="Authorization" exists-action="override">
<value>@((string)context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key",""))</value>
</set-header>
```


* Use API Management credential manager and policies (`get-authorization-context`, `set-header`) to securely forward the token. See [Secure outbound access](#secure-outbound-access) for details.

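Review bot: the new bullet opens with "BUG:" and reads as an internal note rather than documentation, and it now contradicts the bullet above it, which still tells the reader to forward the header in the `Outbound` policy while the added snippets live in 'inbound' sections. Suggest rewording it as a documented limitation (for example "Currently, the only header the MCP policy forwards to the backing API is `Ocp-Apim-Subscription-Key`; to pass through an authentication header, copy it into `Ocp-Apim-Subscription-Key` in the MCP API's `inbound` section and restore it in the backing API's `inbound` section"), using backticks consistently for header and section names, and saying what the backing API actually receives: `GetValueOrDefault("Authorization","")` copies the whole value, so the `Ocp-Apim-Subscription-Key` header carries the full `Bearer ...` string, and when no `Authorization` header is present the policy sets an empty value instead of leaving the header absent, which a reader may want to guard against before the backing API treats it as a credential. On layout, the removed snippet's `<!-- Forward Authorization header to backend -->` comment has no replacement in the new fences, there is no blank line between the first closing fence and `MCP policy 'inbound' section`, and two blank lines are left before the next bullet.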
Expand Down Expand Up @@ -119,4 +128,4 @@ For a step-by-step guide to call an example backend using credentials generated

* [Expose REST API in API Management as an MCP server](export-rest-mcp-server.md)

* [Expose and govern existing MCP server](expose-existing-mcp-server.md)
* [Expose and govern existing MCP server](expose-existing-mcp-server.md)
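Review bot: the only difference in this hunk is the final line, whose text is unchanged, so the change appears to be the trailing newline at end of file; if that was not intended, restore the newline so the file ends cleanly and the hunk disappears from the diff.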