Implementation guide
Authentication pass-through for hosted MCP servers
0mcp is a credential pass-through, not an upstream identity provider. A protected tool call must include the credential expected by the API, and the API still decides whether the caller is authenticated and authorized.
Supported patterns
Authentication requirements come from the published API contract.
- Bearer and OAuth access tokens in the Authorization header
- API keys in an API-defined header
- Query API keys converted from a generated gateway header
- Per-server or per-operation requirements
Secret handling
Keep secrets in the MCP client's credential store or environment.
- Do not put keys in an MCP endpoint URL
- Do not commit client configuration containing secrets
- Rotate credentials through the upstream system
- Use upstream logs to investigate detailed authorization failures
For complete product instructions, read the 0mcp documentation. Protocol reference: Model Context Protocol specification.
Published and last reviewed: July 13, 2026