fix(plugin-mcp): accept both Bearer and API-Key authorization patterns #16577

Open
algojogacor wants to merge 1 commit into payloadcms:main from algojogacor:fix/plugin-mcp-accept-both-auth-patterns

@algojogacor

Description

The MCP plugin endpoint /api/mcp currently only accepts the Authorization: Bearer <KEY> header. This is inconsistent with Payload's standard API-Key authorization pattern, which uses <collection-slug> API-Key <KEY>.

This PR updates the authorization check in packages/plugin-mcp/src/endpoints/mcp.ts to accept both patterns:

  • Authorization: Bearer <KEY> (existing behavior)
  • Authorization: API-Key <KEY> (new — matches Payload's standard pattern)

Related Issue

Fixes #16572

Changes

  • Modified getDefaultMcpAccessSettings to check for both Bearer and API-Key prefixes in the Authorization header
  • The API key extraction now handles both patterns correctly

The MCP plugin endpoint /api/mcp currently only accepts
Authorization: Bearer <KEY>. This is inconsistent with Payload's
standard API-Key pattern.

This change updates the authorization check to accept both:
- Authorization: Bearer <KEY>
- Authorization: API-Key <KEY>

AlessioGr self-assigned this May 11, 2026
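
A strict parser for the header shapes this PR describes (Bearer <KEY>, API-Key <KEY>, and <collection-slug> API-Key <KEY>), added here as an example; it is not the code in packages/plugin-mcp/src/endpoints/mcp.ts and not from the PR author. The function name, the key and slug character rules, and the rejection of a scheme name in the slug position are assumptions.

```typescript
// Added example: hypothetical helper, not code from packages/plugin-mcp.
type ParsedAuth = {
  scheme: 'bearer' | 'api-key'
  key: string
  collectionSlug?: string // only set for "<collection-slug> API-Key <KEY>"
}

// Assumption: keys are 1-512 visible ASCII characters with no whitespace.
const KEY_RE = /^[\x21-\x7e]{1,512}$/
// Assumption: collection slugs are letters, digits, "-" and "_".
const SLUG_RE = /^[A-Za-z0-9_-]+$/

function parseMcpAuthorization(header: string | null | undefined): ParsedAuth | null {
  if (typeof header !== 'string') return null
  // Refuse CR, LF and NUL outright instead of normalising them away.
  if (/[\r\n\0]/.test(header)) return null

  const parts = header.trim().split(/[ \t]+/)

  if (parts.length === 2) {
    // "Bearer <KEY>" or "API-Key <KEY>"; scheme names are case-insensitive (RFC 9110).
    const word = parts[0].toLowerCase()
    const scheme = word === 'bearer' ? 'bearer' : word === 'api-key' ? 'api-key' : null
    if (scheme === null) return null
    return KEY_RE.test(parts[1]) ? { scheme, key: parts[1] } : null
  }

  if (parts.length === 3) {
    // "<collection-slug> API-Key <KEY>"
    const [slug, word, key] = parts
    if (word.toLowerCase() !== 'api-key') return null
    // A scheme name in the slug position ("Bearer API-Key x") is ambiguous: reject it.
    const lowered = slug.toLowerCase()
    if (!SLUG_RE.test(slug) || lowered === 'bearer' || lowered === 'api-key') return null
    return KEY_RE.test(key) ? { scheme: 'api-key', key, collectionSlug: slug } : null
  }

  // Missing key, extra tokens, or an empty header: one rejection path for all.
  return null
}
```

Returning the matched scheme lets the caller log which pattern was used without ever logging the key itself.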

2 participants