I need a way to pass api key to MCP server. This is not needed for cli mcp but when we add an SSE mcp we should have an additional box called API key and then cursor ahould pass it as authroization or X-API-Key header when making requests to the sse and messages endpoints.
need this as well
+1
The config JSON should be able to forward headers.
I added bearer token to the inspector for debugging, but general headers is better. Also, the Cursor docs shows (probably copy-paste mistake) that you can pass a key to the ssh, you can rename the “env” and pass the token in “Authorization” header
I connect to Home Assistant via SSE by the below configuration. It requests the token embedded in header authorization. Looks failure. Is my configuration correct?
Home Assistant log found: Login attempt or request with invalid authentication from x.x.x.x . Requested URL: '/mcp_server/sse'. (node)
{
"mcpServers": {
"Home Assistant": {
"url": "http://192.x.x.x:8123/mcp_server/sse",
"env": { "API_KEY": "xyz123"}
}
}
}
I don’t think this is what we need. When we have a shared mcp sse server, we need to be able to pass the api key for the user session. This is essential for supporting a multiuser system. The problem we have then is that we can not support this unless the mcp server in cursor can be configured with an api key. The only way we can solve it is to provide a separate stdio client that has an external configuration file and then forwards the requests to the actual mcp server and passes api key with the request. It would be great if cursor supported this out of the box by sending api key as X-API-Key header with every mcp sse request.
Can anybody fix that? I can’t pass any header to mcp sse server,which is quite unconvinced
+1, cannot pass env object to sse server.
However there is a bypass: https://url?key=xxxxxx, this way you can catch your key using query parameter. But still, the env object in the config file should be passed to the server.
Technically you can, but the protocol prohibits sending keys in the query:
Access tokens MUST NOT be included in the URI query string
Yes I agree. So have to wait for cursor to support sending env to server.
I see an option to set the API key in the new settings Cursor – Model Context Protocol
However this api key is not being sent in headers with each request.
There are also other minor glitches with MCP. For example even though server is at port 8007, cursor for some reason tries to connect to port 8006
@mkschreder yes, see my comment above. This is probably just a copy-paste mistake
Plus I think the client should implement reconnect when server disconnect. I’m facing the issue that when server is deployed with a new version, cursor will simply disable the mcp server. It will be pretty common the server needs updates once in a while.
Visual Studio Code has added support for headers when using MCP over SSE. Hopefully Cursor will use the same format to make them compatible.
I actually just tried cline mcp sse with headers yesterday but no luck.
Being able to add/customize headers like vscode has exposed would be the most practical approach for now.
The SSE standard includes OAuth 2.0, and suggests a number of features like dynamic client registration which can be pretty complicated to implement.
It would be great to have something for more traditional, out-of-band auth tokens for the time being, even if it strictly falls out of spec.
+1 this has halted my teams progress
workaround for now is using supergateway as it has --header
when connecting to sse and converting to STDIO that cursor supports. Like:
{
"mcpServers": {
"supergatewayExample": {
"command": "npx",
"args": [
"-y",
"supergateway",
"--sse",
"https://mcp-server-ab71a6b2-cd55-49d0-adba-562bc85956e3.supermachine.app",
"--header",
"X-My-Header:some-value"
]
}
}
}
@Domas this is a cool fix, but there’s a ton of assumptions here the the cursor user will have npm/js installed (not true if it is a python dev or anyother dev)- we wanted to provide a seamless experience with a custom installer to handle the config for dev
another way to do this is create a custom endpoint for each user or project to save session data as a workaround but this is a hassle
VSCode is supporting adding HTTP headers in MCP config
Hope Cursor support this too