Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.getmcp.com/llms.txt

Use this file to discover all available pages before exploring further.

GetMCP authentication has two separate layers. Confusing them is the most common source of auth errors.
Layer 1Layer 2
What it protectsAccess to your MCP serverThe external API your tool calls
Who configures itServer ownerServer owner (fixed key) or end user (own key)
Where it goesMCP client config — --header args (Claude Desktop) or headers object (others)Tool’s Custom Headers or MCP client headers

Layer 1 — Who Can Connect to Your Server

Every GetMCP server has a unique URL: 
https://yoursite.com/mcp/{server-slug}
The URL is unique to your server. Anyone with this URL can connect and call your tools.
Treat your server URL like a password. Don’t post it publicly or commit it to source code. If compromised, regenerate it in Server Settings.
For an extra layer of security, enable inbound authentication in the server detail page → Authentication tab → Auth Type:
Auth TypeClient must send
noneNothing (URL alone grants access)
bearer-tokenAuthorization: Bearer <token>
api-keyAuthorization: <api-key> or ?keyName=value in the URL
basic-authHTTP Basic credentials (Authorization: Basic <base64>)
oauthBrowser-based OAuth flow (no static credential)
When inbound auth is enabled, add it to your MCP client config:
Pass the credential as a --header arg (no space after the colon):Bearer token:
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://yoursite.com/mcp/my-server",
        "--header",
        "Authorization:Bearer YOUR_BEARER_TOKEN"
      ]
    }
  }
}
Basic auth (base64-encode username:password first):
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://yoursite.com/mcp/my-server",
        "--header",
        "Authorization:Basic BASE64_USERNAME_PASSWORD"
      ]
    }
  }
}
API key (header):
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://yoursite.com/mcp/my-server",
        "--header",
        "X-API-Key:YOUR_API_KEY"
      ]
    }
  }
}
API key (query param) or OAuth: Use the plain URL — no --header needed. For query-param keys, append ?keyName=YOUR_KEY to the URL. OAuth opens a browser flow automatically.On Windows, replace "command": "npx" with "command": "cmd" and add "/c" and "npx" as the first two args before "mcp-remote".

Layer 2 — API Credentials for Tool Calls

When a tool runs, GetMCP calls an external API. That API usually requires credentials. There are two ways to supply them:

Fixed credentials — all users share the same key

Add the key as a Custom Header in the tool’s Advanced Settings:
Header nameHeader value
AuthorizationBearer sk_your_token
X-API-Keyyour_api_key
You can also embed an API key in the endpoint URL: https://api.example.com/data?api_key=your_key Each tool has its own Custom Headers, so different tools can call different APIs with different credentials.

User-supplied credentials — each user brings their own key

When each user has their own account on the external service (e.g., their own OpenAI key), they pass their key through their own MCP client config:
Pass the key as a --header arg to mcp-remote (no space after the colon):
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://yoursite.com/mcp/my-server",
        "--header",
        "Authorization:Bearer sk-their-own-openai-key"
      ]
    }
  }
}
On Windows, replace "command": "npx" with "command": "cmd" and add "/c" and "npx" as the first two args before "mcp-remote".
GetMCP forwards that header to the external API on every tool call. The key is never stored in GetMCP — it travels from the client to the API with each request. Claude Desktop config file location:
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
For other clients, see Connecting AI Clients.

Test Credentials

When you click Test on a tool in the admin, GetMCP uses test credentials — not the production keys in Custom Headers. Configure test credentials in the server detail page → Authentication tabTest Credentials section. All tools in the server share the same test credentials, keeping your production keys safe during development.
Test credentials are only used when you click Test in the admin panel. AI client calls always use the tool’s Custom Headers — never test credentials.
Server Settings — Test Auth

Troubleshooting

Tool returns 401 Unauthorized → The API key is missing or wrong. For user-supplied keys, check the auth config in your MCP client (for Claude Desktop, --header args; for others, the headers block). For fixed keys, check the tool’s Custom Headers in the admin. Tool returns 403 Forbidden → The key is valid but lacks permissions. Check the scopes or roles for that key in the external service’s dashboard. Server connects but tools fail with auth errors → You may be confusing Layer 1 and Layer 2. The headers you add to connect to GetMCP (Layer 1) are separate from the API credentials the tool uses to call an external service (Layer 2). You may need to configure both. Don’t know where your config file is → See Connecting AI Clients for file paths per client.