Skip to content

Document header injection for MCPRemoteProxy #476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jhrozek merged 2 commits into from
Feb 2, 2026
Merged

Document header injection for MCPRemoteProxy #476

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9d13acd
Document header injection for MCPRemoteProxy
jhrozek Jan 28, 2026
80719ac
Address review feedback for K8s header injection docs
jhrozek Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 86 additions & 0 deletions docs/toolhive/guides-k8s/remote-mcp-proxy.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,92 @@ spec:
Now the proxy exchanges validated company tokens for remote service tokens
before forwarding requests.

### Inject custom headers

Some remote MCP servers require custom headers for tenant identification, API
keys, or other purposes. Use the `headerForward` field to inject headers into
every request forwarded to the remote server.

For non-sensitive values like tenant IDs or correlation headers, use
`addPlaintextHeaders`:

```yaml {6-9}
spec:
remoteURL: https://mcp.analytics.example.com
# ... other config ...

headerForward:
addPlaintextHeaders:
X-Tenant-ID: 'tenant-123'
X-Correlation-ID: 'corr-abc-def-456'
```

For sensitive values like API keys, reference Kubernetes Secrets using
`addHeadersFromSecret`. First, create a Secret containing the header value:

```yaml title="api-key-secret.yaml"
apiVersion: v1
kind: Secret
metadata:
name: api-key-secret
namespace: toolhive-system
type: Opaque
stringData:
api-key: 'your-api-key-value'
```

Then reference the Secret in your MCPRemoteProxy:

```yaml title="analytics-proxy.yaml" {12-17}
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPRemoteProxy
metadata:
name: analytics-proxy
namespace: toolhive-system
spec:
remoteURL: https://mcp.analytics.example.com
# ... other config ...

headerForward:
addHeadersFromSecret:
- headerName: 'X-API-Key'
valueSecretRef:
name: api-key-secret
key: api-key
```

You can combine plaintext and secret-backed headers:

```yaml {6-14}
spec:
remoteURL: https://mcp.analytics.example.com
# ... other config ...

headerForward:
addPlaintextHeaders:
X-Tenant-ID: 'tenant-123'
X-Request-Source: 'toolhive-proxy'
addHeadersFromSecret:
- headerName: 'X-API-Key'
valueSecretRef:
name: api-key-secret
key: api-key
```

:::warning[Security considerations]

- Plaintext header values are visible when you inspect the full resource (e.g.,
`kubectl get ... -o yaml` or `kubectl describe`). For sensitive values (API
keys, tokens), always use `addHeadersFromSecret`.
- Secret-backed header values are stored in Kubernetes Secrets and resolved at
runtime. Only secret references (not actual values) appear in ConfigMaps used
internally by ToolHive.
- Certain headers cannot be configured for security reasons, including `Host`,
`Connection`, `Transfer-Encoding`, and proxy-related headers like
`X-Forwarded-For`.

:::

## Quick start example

For testing and development, you can use the public MCP specification server:
Expand Down
Loading