Document header injection for MCPRemoteProxy

jhrozek · jhrozek · commit 1004e396fca8 · 2026-01-28T22:32:04.000Z
Add documentation for the headerForward field in MCPRemoteProxy CRD,
which allows injecting custom headers into requests to remote MCP
servers. Covers plaintext headers, secret-backed headers, and combined
usage with security considerations.
diff --git a/docs/toolhive/guides-k8s/remote-mcp-proxy.mdx b/docs/toolhive/guides-k8s/remote-mcp-proxy.mdx
@@ -431,6 +431,89 @@ spec:
 Now the proxy exchanges validated company tokens for remote service tokens
 before forwarding requests.
 
+### Inject custom headers
+
+Some remote MCP servers require custom headers for tenant identification, API
+keys, or other purposes. Use the `headerForward` field to inject headers into
+every request forwarded to the remote server.
+
+For non-sensitive values like tenant IDs or correlation headers, use
+`addPlaintextHeaders`:
+
+```yaml {6-9}
+spec:
+  remoteURL: https://mcp.analytics.example.com
+  # ... other config ...
+
+  headerForward:
+    addPlaintextHeaders:
+      X-Tenant-ID: 'tenant-123'
+      X-Correlation-ID: 'corr-abc-def-456'
+```
+
+For sensitive values like API keys, reference Kubernetes Secrets using
+`addHeadersFromSecret`:
+
+```yaml title="api-key-secret.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: api-key-secret
+  namespace: toolhive-system
+type: Opaque
+stringData:
+  api-key: 'your-api-key-value'
+---
+apiVersion: toolhive.stacklok.dev/v1alpha1
+kind: MCPRemoteProxy
+metadata:
+  name: analytics-proxy
+  namespace: toolhive-system
+spec:
+  remoteURL: https://mcp.analytics.example.com
+  # ... other config ...
+
+  # highlight-start
+  headerForward:
+    addHeadersFromSecret:
+      - headerName: 'X-API-Key'
+        valueSecretRef:
+          name: api-key-secret
+          key: api-key
+  # highlight-end
+```
+
+You can combine plaintext and secret-backed headers:
+
+```yaml {6-14}
+spec:
+  remoteURL: https://mcp.analytics.example.com
+  # ... other config ...
+
+  headerForward:
+    addPlaintextHeaders:
+      X-Tenant-ID: 'tenant-123'
+      X-Request-Source: 'toolhive-proxy'
+    addHeadersFromSecret:
+      - headerName: 'X-API-Key'
+        valueSecretRef:
+          name: api-key-secret
+          key: api-key
+```
+
+:::warning[Security considerations]
+
+- Plaintext header values are visible via `kubectl get` and `kubectl describe`
+  commands. For sensitive values (API keys, tokens), always use
+  `addHeadersFromSecret`.
+- Secret-backed header values are resolved at runtime from Kubernetes Secrets
+  and are never stored in ConfigMaps.
+- Certain headers cannot be configured for security reasons, including `Host`,
+  `Connection`, `Transfer-Encoding`, and proxy-related headers like
+  `X-Forwarded-For`.
+
+:::
+
 ## Quick start example
 
 For testing and development, you can use the public MCP specification server:
