Sorry I missed this earlier, @JMGaia. Your message got buried in the thread. After discussing those use cases further, we’ve identified an important distinction: token passthrough and header forwarding aren’t the same thing. Having said that, users could technically take an advantage of generic HTTP header propagation to pass API keys or tokens through, which is not recommended.
I see a few potential approaches:
- Leave header filtering to user discretion (maximum flexibility, higher risk)
- Block sensitive headers by default with opt-in overrides
- Provide configurable allowlists/blocklists for header forwarding
The core architectural question remains: what’s the best mechanism for LLMs to pass HTTP headers to MCP tools? Should this happen at the tool level, session level, or through the MCP protocol itself? Thoughts on which direction feels most promising?