r/pallas
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

feat(pallas): add opt-in bearer token forwarding to downstream MCP servers

Browse Source 
Introduce per-server `forward_inbound_auth` flag that controls whether the
inbound MCP bearer token is propagated to outbound MCP transport calls.
Implemented as a fast-agent monkey-patch auto-installed on package import,
preventing accidental credential leakage to unrelated downstream servers.

Update docs to describe the two bearer token consumers (LLM provider
passthrough and opt-in downstream MCP forwarding) with a config example.
This commit is contained in:
Robert Helewka
2026-05-03 17:17:50 -04:00
parent 95fa6e6fc0
commit be71709608
3 changed files with 101 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/pallas.md
View File

@@ -417,7 +417,27 @@ For agents with `instance_scope != "request"`, a `{agent}_history` prompt is reg
### Bearer Token Propagation
The server captures the authenticated bearer token from the incoming MCP request and propagates it via `request_bearer_token` context variable to downstream calls.
The server captures the authenticated bearer token from the incoming MCP request into the `request_bearer_token` context variable. Two consumers read it:
- **LLM-provider passthrough** — the agent's LLM provider key manager picks it up automatically (used by HuggingFace and any other token-passthrough providers).
- **Downstream MCP servers (opt-in)** — outgoing MCP calls inherit the same bearer when the downstream server is marked `forward_inbound_auth: true` in `fastagent.config.yaml`. Without that flag, `request_bearer_token` is **not** forwarded to MCP transport calls — `server_config.headers` is the only header source. This is implemented as a fast-agent monkey-patch in `pallas._fastagent_patch` and is per-server so a FastAgent attached to both a credentialed downstream (e.g. Mnemosyne) and an unrelated public server doesn't leak the bearer to the latter.
Example:
```yaml
mcp:
servers:
mnemosyne:
transport: http
url: "https://mnemosyne.example/mcp/"
forward_inbound_auth: true # inbound bearer rides outbound
weather:
transport: http
url: "https://weather.example/mcp/"
# no flag → outbound calls go unauthenticated
```
When the agent receives a request with `Authorization: Bearer X`, `mnemosyne` will see `Authorization: Bearer X` on the outbound call; `weather` will see no `Authorization` header. If `mnemosyne.headers.Authorization` is set explicitly, that wins (the inbound bearer is not overwritten on top of an explicit header).
---