[Bug]: after issue 1078 change, how to add X-Upstream-Authorization header when click Authorize in admin UI

[feiyang9999]

🐞 Bug Summary

After #1078 merged, I understand when use curl, it need to add below header info -H "X-Upstream-Authorization: Bearer $MCP_SERVER_TOKEN", but when use admin UI in http://mcpgateway/admin/#gateways, after configure one MCP server as Oauth2, then click button Authorize, it always failed as {"detail":"Authentication required"}, so question is how to add such header info when trigger from admin web UI?

🧩 Affected Component

Select the area of the project impacted:

• mcpgateway - API
• mcpgateway - UI (admin panel)
• mcpgateway.wrapper - stdio wrapper
• Federation or Transports
• CLI, Makefiles, or shell scripts
• Container setup (Docker/Podman/Compose)
• Other (explain below)

---

🔁 Steps to Reproduce

1. login to http://mcpgateway/admin/#gateways
2. add one MCP server as Oauth2
3. click button Authorize

---

🤔 Expected Behavior

It should start Oauth authorize workflow after click the Authorize button.

📓 Logs / Error Output

Paste any relevant stack traces or logs here.
⚠️ Do not paste secrets, credentials, or tokens.

---

🧠 Environment Info

You can retrieve most of this from the /version endpoint.
commit: 0de855b

---

🧩 Additional Context (optional)

Add any configuration details, flags, or related issues.

[crivetimihai]

Hi @feiyang9999,

Thanks for reporting this! I can see the confusion here. The X-Upstream-Authorization header you mentioned is actually for a different use case than what you're trying to do.

What's Actually Happening

The X-Upstream-Authorization header is used when you're invoking tools and need to pass credentials to the upstream MCP server (not for authenticating with the gateway itself). It's useful when the gateway uses JWT auth and you want to send a different Authorization header to the backing server.

For the OAuth authorization flow you're trying to use, you just need to be logged into the Admin UI first.

Why the "Authorize" Button Fails

After the changes in #1078, the /oauth/authorize/{gateway_id} endpoint now requires authentication. This was necessary to implement user-scoped OAuth tokens (so User A can't accidentally use User B's OAuth credentials).

When you click the "Authorize" button in the Admin UI, your browser should automatically send your JWT token cookie to authenticate the request. If you're seeing {"detail":"Authentication required"}, it means:

1. You're not logged into the Admin UI, or
2. Your session has expired, or
3. There's a cookie issue (domain/path mismatch)

Solution

Simple fix: Make sure you're logged into the Admin UI before clicking the "Authorize" button.

1. Go to http://mcpgateway/admin/login and log in
2. Navigate to the Gateways tab
3. Now click the "🔐 Authorize" button

Your browser will automatically include your JWT token cookie, and it should work.

If you're using curl instead of the Admin UI:

# First, get a JWT token by logging in
TOKEN=$(curl -X POST "http://mcpgateway/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"yourpassword"}' \
  | jq -r '.access_token')

# Then use it for the OAuth authorization
curl "http://mcpgateway/oauth/authorize/YOUR_GATEWAY_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept: text/html" \
  -L  # Follow redirects to OAuth provider

Or use cookies:

# Login and save cookies
curl -X POST "http://mcpgateway/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"yourpassword"}' \
  -c cookies.txt

# Use cookies for authorization
curl "http://mcpgateway/oauth/authorize/YOUR_GATEWAY_ID" \
  -b cookies.txt -L

When You DO Need X-Upstream-Authorization

Just for clarity, X-Upstream-Authorization is used like this:

# When invoking a tool and you need to pass creds to the upstream server
curl -X POST "http://mcpgateway/rpc" \
  -H "Authorization: Bearer $MCPGATEWAY_TOKEN" \
  -H "X-Upstream-Authorization: Bearer $MCP_SERVER_TOKEN" \
  -d '{"method":"tools/call","params":{...}}'

The gateway uses your Authorization header to authenticate you, then forwards the X-Upstream-Authorization (renamed to Authorization) to the upstream MCP server.

Let me know

Try logging into the Admin UI first and see if the Authorize button works. If you're still having issues, let me know:

• Are you already logged in when you click Authorize?
• What's the exact error message you see?
• Are you using the Admin UI or making curl requests?

Happy to help debug further!