API key for SSE MCP servers

mkschreder · March 13, 2025, 4:06am

I need a way to pass api key to MCP server. This is not needed for cli mcp but when we add an SSE mcp we should have an additional box called API key and then cursor ahould pass it as authroization or X-API-Key header when making requests to the sse and messages endpoints.

fankaidev · March 13, 2025, 5:08am

need this as well

avi-pinecone · March 18, 2025, 8:29am

+1
The config JSON should be able to forward headers.
I added bearer token to the inspector for debugging, but general headers is better. Also, the Cursor docs shows (probably copy-paste mistake) that you can pass a key to the ssh, you can rename the “env” and pass the token in “Authorization” header

davidfungf · March 23, 2025, 1:55pm

I connect to Home Assistant via SSE by the below configuration. It requests the token embedded in header authorization. Looks failure. Is my configuration correct?

Home Assistant log found: Login attempt or request with invalid authentication from x.x.x.x . Requested URL: '/mcp_server/sse'. (node)

{
    "mcpServers": {
          "Home Assistant": {
                  "url": "http://192.x.x.x:8123/mcp_server/sse",
                  "env": { "API_KEY": "xyz123"}
      }
   }
}

mkschreder · March 30, 2025, 9:33pm

I don’t think this is what we need. When we have a shared mcp sse server, we need to be able to pass the api key for the user session. This is essential for supporting a multiuser system. The problem we have then is that we can not support this unless the mcp server in cursor can be configured with an api key. The only way we can solve it is to provide a separate stdio client that has an external configuration file and then forwards the requests to the actual mcp server and passes api key with the request. It would be great if cursor supported this out of the box by sending api key as X-API-Key header with every mcp sse request.

sandyskies · April 1, 2025, 2:22am

Can anybody fix that？ I can’t pass any header to mcp sse server，which is quite unconvinced

naivefun · April 4, 2025, 3:28am

+1, cannot pass env object to sse server.

However there is a bypass: https://url?key=xxxxxx, this way you can catch your key using query parameter. But still, the env object in the config file should be passed to the server.

avi-pinecone · April 6, 2025, 10:14am

Technically you can, but the protocol prohibits sending keys in the query:

Access tokens MUST NOT be included in the URI query string

naivefun · April 6, 2025, 2:59pm

Yes I agree. So have to wait for cursor to support sending env to server.

mkschreder · April 6, 2025, 5:31pm

I see an option to set the API key in the new settings Cursor – Model Context Protocol

However this api key is not being sent in headers with each request.

mkschreder · April 6, 2025, 5:34pm

There are also other minor glitches with MCP. For example even though server is at port 8007, cursor for some reason tries to connect to port 8006

avi-pinecone · April 7, 2025, 9:43am

@mkschreder yes, see my comment above. This is probably just a copy-paste mistake

naivefun · April 7, 2025, 2:56pm

Plus I think the client should implement reconnect when server disconnect. I’m facing the issue that when server is deployed with a new version, cursor will simply disable the mcp server. It will be pretty common the server needs updates once in a while.

tidbeck · April 8, 2025, 8:06am

Visual Studio Code has added support for headers when using MCP over SSE. Hopefully Cursor will use the same format to make them compatible.

naivefun · April 8, 2025, 12:01pm

I actually just tried cline mcp sse with headers yesterday but no luck.

jthomas-dd · April 10, 2025, 9:12pm

Being able to add/customize headers like vscode has exposed would be the most practical approach for now.

The SSE standard includes OAuth 2.0, and suggests a number of features like dynamic client registration which can be pretty complicated to implement.

It would be great to have something for more traditional, out-of-band auth tokens for the time being, even if it strictly falls out of spec.

cybertheory · April 12, 2025, 11:56pm

+1 this has halted my teams progress

Domas · April 13, 2025, 12:04am

workaround for now is using supergateway as it has --header when connecting to sse and converting to STDIO that cursor supports. Like:

{
  "mcpServers": {
    "supergatewayExample": {
      "command": "npx",
      "args": [
        "-y",
        "supergateway",
        "--sse",
        "https://mcp-server-ab71a6b2-cd55-49d0-adba-562bc85956e3.supermachine.app",
        "--header",
        "X-My-Header:some-value"
      ]
    }
  }
}

cybertheory · April 13, 2025, 12:15am

@Domas this is a cool fix, but there’s a ton of assumptions here the the cursor user will have npm/js installed (not true if it is a python dev or anyother dev)- we wanted to provide a seamless experience with a custom installer to handle the config for dev

another way to do this is create a custom endpoint for each user or project to save session data as a workaround but this is a hassle

fengkx · April 16, 2025, 9:00am

VSCode is supporting adding HTTP headers in MCP config

Hope Cursor support this too

Topic		Replies	Views
Cursor MCP requests do not honour API-key provision to sse (only stdio works) Bug Reports	6	97	April 15, 2025
Integrating Google OAuth for MCP SSE Connections in Cursor Discussion	2	843	February 19, 2025
Cursor SSE MCP Server Integration Flow? How To	4	274	April 5, 2025
Solved: Specify SSE Server in mcp.json How To	3	1394	April 4, 2025
SSE MCP registered via `mcp.json` is disabled by default Bug Reports	4	808	April 17, 2025

API key for SSE MCP servers

Related topics