Skip to content

Document static header injection outgoing auth in vMCP#892

Merged
jhrozek merged 2 commits into
mainfrom
docs-vmcp-header-injection
May 21, 2026
Merged

Document static header injection outgoing auth in vMCP#892
jhrozek merged 2 commits into
mainfrom
docs-vmcp-header-injection

Conversation

@jhrozek
Copy link
Copy Markdown
Contributor

@jhrozek jhrozek commented May 21, 2026

Description

Adds a section to the Virtual MCP Server authentication guide documenting the headerInjection outgoing auth strategy. Until now, this strategy existed in the CRD but had no user-facing docs, so users had no guidance on when to use it or how to wire it up.

The new section covers:

  • When to use headerInjection (pre-issued API keys, static bearer tokens, single shared SaaS credentials)
  • The Secret + MCPExternalAuthConfig pair, with full YAML examples
  • How to reference the config from a VirtualMCPServer via outgoingAuth.source: inline, plus a note about the discovered alternative
  • The Authorization: Bearer <token> variant (store the full prefixed string in the Secret)
  • That the header value must come from a Kubernetes Secret (plaintext inline values are rejected at the CRD layer)
  • Credential rotation: update the Secret and restart the affected backend pods

Type of change

  • Documentation update

Related issues/PRs

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

🤖 Generated with Claude Code

@jhrozek
Document static header injection outgoing auth
52e5572 
Add a section to the vMCP authentication guide describing the
headerInjection outgoing auth strategy: when to use it, the
Secret + MCPExternalAuthConfig pair, how to wire it into a
VirtualMCPServer via inline or discovered source, and the
Authorization: Bearer variant. Notes that values must come from
a Secret and that backend pods need a restart to pick up
rotations.
Copilot AI review requested due to automatic review settings May 21, 2026 16:08
@vercel
Copy link
Copy Markdown

vercel Bot commented May 21, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment May 21, 2026 4:34pm

Request Review

Copilot AI reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds user-facing documentation for the headerInjection outgoing auth strategy in the vMCP authentication guide, covering when to use it and how to configure it via a Secret + MCPExternalAuthConfig, with examples for wiring that config into VirtualMCPServer.

Changes:

  • Documented the headerInjection outgoing auth strategy and recommended use cases.
  • Added end-to-end YAML examples for Secret, MCPExternalAuthConfig, and VirtualMCPServer references (including Authorization: Bearer <token> guidance).
  • Clarified constraints around sourcing header values from Kubernetes Secrets and briefly described rotation.

Comment thread docs/toolhive/guides-vmcp/authentication.mdx Outdated
tgrunnagle
tgrunnagle previously approved these changes May 21, 2026
View reviewed changes
@jhrozek
Potential fix for pull request finding
a092b0e 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@jhrozek jhrozek merged commit 3378369 into main May 21, 2026
4 checks passed
@jhrozek jhrozek deleted the docs-vmcp-header-injection branch May 21, 2026 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tgrunnagle tgrunnagle tgrunnagle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jhrozek @tgrunnagle