Skip to content

fix(transport): add optional bearer token authentication for HTTP transport#162

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
fix/http-transport-optional-auth
Jun 17, 2026
Merged

fix(transport): add optional bearer token authentication for HTTP transport#162
abubnalitic-nbl merged 1 commit into
mainfrom
fix/http-transport-optional-auth

Conversation

@abubnalitic-nbl

Copy link
Copy Markdown
Contributor

Adds an optional MCP_AUTH_TOKEN for the HTTP transport. When set, requests to the MCP endpoint must present Authorization: Bearer <token>, verified in constant time via a TokenVerifier plugged into FastMCP's auth layer. Defaults are unchanged (stdio transport, 127.0.0.1 bind, no token), so existing deployments are unaffected; running HTTP without a token logs a warning at startup.

The README documents the option in the Docker examples and recommends terminating TLS at a reverse proxy or gateway when exposing the endpoint. Tests cover the 401/200 auth gate, empty/whitespace-token normalization, env and CLI wiring, and secret redaction.

🤖 Generated with Claude Code

…nsport

The HTTP transport had no built-in way to require authentication. Add an
optional MCP_AUTH_TOKEN that, when set, requires
'Authorization: Bearer <token>' on requests to the MCP endpoint, verified
in constant time (digest compare, safe for non-ASCII input) via a
TokenVerifier plugged into FastMCP's auth layer. Empty or whitespace-only
tokens are normalized to unset.

Defaults are unchanged (stdio transport, 127.0.0.1 bind, no token), so
existing deployments are unaffected; HTTP without a token logs a warning.
README documents the option and recommends terminating TLS at a reverse
proxy or gateway.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@github-actions

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Passed

Image: netbox-mcp-server:scan

No vulnerabilities found.

Commit: ea97f49

@abubnalitic-nbl abubnalitic-nbl merged commit 17df465 into main Jun 17, 2026
13 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the fix/http-transport-optional-auth branch June 17, 2026 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants