Hey folks - is there any way to forward a header from the MCP server through to the router? I know you can define static headers, but looking to forward one that is dynamic.

Hi @mjfaga, dynamic header forwarding will be included in v1.1. The release date depends on the security review results, but it should be ready by next week. If you’d like to take a peek at what it will look like, please see the following PR. Thank you!

Cool - I just found that as well…. you guys happen to have a release candidate I can play with while the official stuff goes through security review?

Hi @mjfaga , that sounds like a great idea! I’ll check with the team and get back to you.

Love it. Thank you very much!

I’m currently running the apolloruntime:0.0.25_router2.7.0_mcp-server1.0.0 if it helps.

@mjfaga You can download the release candidate using the following command:

curl -sSL https://mcp.apollo.dev/download/nix/v1.1.0-rc.1 | sh

Or, you can download the Docker image with this command:

docker image pull ghcr.io/apollographql/apollo-mcp-server:v1.1.0-rc.1

You can configure using the forward_headers setting in the config file:

forward_headers:
  - x-tenant-id
  - x-experiment-id
  - x-geo-country

Please let me know if this works for you and share any feedback before we ship it next week.

Awesome. I’ll give it a run this evening and confirm back. Thank you!

Something seems a bit off to me…

Dockerfile.mcp

FROM Package apollo-mcp-server · GitHub
COPY mcp-dev.yaml /data/config.yaml
COPY operations/ /data/operations/

mcp-dev.yaml

I can DM this too you, but it’s the one I’m already running… interesting bits:
transport:
type: streamable_http
address: 0.0.0.0
port: 5000
forward_headers:
- x-test-header
cors:
allow_any_origin: true
methods:
- GET
- POST
- OPTIONS
allow_headers:
- content-type
- x-test-header
- mcp-protocol-version

docker-compose.yml

mcp:
build:
context: .
dockerfile: Dockerfile.mcp
restart: always
command: ['/config.yaml']
ports:
- ‘5050:5000’
environment:
- APOLLO_KEY
- APOLLO_GRAPH_REF

Something off I noticed about the startup… For some reason, the MCP server binds to port 8000 in the container… If I update my docker-compose.yml port binding to ‘5050:8000‘, I can at least hit the MCP server, but then I hit the second issue.
mcp-1 | 2025-10-17T01:36:10.210660Z INFO Starting MCP server in Streamable HTTP mode port=8000 address=0.0.0.0

Also, when using MCP Inspector, despite my CORS config, I’m getting CORS errors. This is the config I use for my current server (but I’m using the apollo-runtime container), so I know it works. Looking at the repo source code, the cors config matches what is in apollo-mcp-server/crates/apollo-mcp-server/src/cors.rs at main · apollographql/apollo-mcp-server · GitHub oddly enough, that is missing allowing OPTIONS requests, so the attempt to actual send the CORS request fails. Seems like you guys should patch that?

I also attempted to run the docker container directly, but that didn’t work either. If I’m passing the config in wrong, let me know
docker run \
-it --rm \
–name apollo-mcp-server \
-p 5001:8000 \
-v mcp-dev.yaml:/data/config.yaml \
-v operations:/data/operations \
-e APOLLO_KEY=XXXXXXXXXXXXXXXXXXXXXX \
-e APOLLO_GRAPH_REF=XXXXXXXXXXXXX \
–pull always \
Package apollo-mcp-server · GitHub /data/config.yaml

Hi @mjfaga, it looks like there are likely some configuration issues.

For the port configuration, we decided to change the default port from 5000 to 8000 in v1.1. This change is based on feedback from developers who often run into port conflicts because some other tools such as AirPlay and Flask use the same port. This is noted as a breaking change in the release notes:

Regarding CORS, it looks like your configuration doesn’t enable it at all. By default, the Apollo MCP Server has CORS disabled. Please make sure to enable it explicitly:

cors:
  enabled: true  # Must explicitly enable!
  allow_any_origin: true
  methods:
    - GET
    - POST
    - OPTIONS

Please check this docs on how to configure CORS with the Apollo MCP Server:

Thanks for explaining the port change. Still, it’s odd that it seems to be ignoring my config explicitly telling it to run on port 5000, no?

My bad. I enabled it and that resolved part of the problem.

I’m not seeing the Access-Control-Allow-Origin header come back from the CORS OPTIONS response still though:

CleanShot 2025-10-17 at 09.32.32@2x966×438 33.9 KB

I’ve tried all of the documented config options, starting with:
cors:
allow_any_origin: true

And then:
cors:
origins: ``http://localhost:6274`` # MCP Inspector Only

And then:
cors:
match_origins: “^http://localhost:6274$” # MCP Inspector Only

Hmm… the X-Amzn-Requestid header suggests the server is running behind AWS. Could you try reproducing locally to confirm the behavior is the same? If it only happens on AWS, there may be a service-level CORS setting you need to enable.

I can’t reproduce the issue with your port setting being ignored. Just in case, could you try using a different port, like 5050? I’ve seen many folks having issues with 0.0.0.0:5000 in various environments for unexpected reasons, which is why we want to move away from port 5000.

I think this was a me issue… I rebuilt the image with –no-cache and then reran MCP inspector and the CORS issues are gone, as is that AWS header. I’m still seeing a different issue though. Working through it.

OK - so everything is up and running and custom headers are passing through successfully…

Most of the issues I encountered I think were from bouncing from the apollo-runtime container to directly running only the MCP (e.g. I didn’t have that CORS enabled flag set, but for some reason, on the apollo-runtime, I didn’t need it). I also ran some docker stuff I had to fix as a result of that change (e.g. host.docker.internal vs. localhost).

Looks like there is a new header we need to pass to CORS as well that I had to quickly debug through x-custom-auth-headers that I didn’t realize I would need to set up and configure.

None-the-less, this is awesome, thank you very much! Appreciate you guys banging out an RC that I can play with. I’m off to the races!

Does this allow for passing through an Authorization header? We have bearer tokens (JWT) which we need to pass through to our graphql endpoint. I’ve tried adding ‘Authorization’ to the ‘allow_headers’, but still getting authorization issues using the MCP inspector with the a configured authorization header value.

Hi @mtinnes, this feature is designed for forwarding non-sensitive metadata like A/B testing, feature flagging, geo information from CDNs, or internal instrumentation.

We strongly recommend against using header forwarding for passing through credentials such as API keys or access tokens. Forwarding credentials can introduce confused deputy vulnerabilities where your GraphQL API may incorrectly trust headers as though they were validated by the MCP Server.

We support OAuth for authorizing MCP clients in accordance with the MCP specification:

Please check the following docs for more security best practices:

Understood, but I’m wondering how we work with server-side MCP implementations, by that I mean the backend server is interfacing with the MCP, not the user via a client (ie Claude Desktop). We have users of our SaaS service already authenticated with our IdP and already have a valid token usable with our GraphQL endpoint. The user interfaces with our SaaS frontend which in turn makes a request to an Anthropic library utilizing the Apollo MCP server. Since the MCP server is running server-side we don’t have a method for re-authenticating with OAuth specifically for the Apollo MCP server. The only solution I can see if for the existing token be provided to the MCP server which can then be utilized in the GraphQL calls. Since it’s all performed server-side, I don’t see an issue with doing it this way.