diff --git a/docs/toolhive/_partials/_remote-mcp-auth-examples.mdx b/docs/toolhive/_partials/_remote-mcp-auth-examples.mdx index af1b84c6..af0ff48e 100644 --- a/docs/toolhive/_partials/_remote-mcp-auth-examples.mdx +++ b/docs/toolhive/_partials/_remote-mcp-auth-examples.mdx @@ -16,6 +16,22 @@ that supports this feature: 1. Your browser opens for authentication. After you authorize access, the remote MCP server appears in your server list with a "Running" status. +#### Remote MCP server with Bearer Token authentication + +Bearer Token authentication is the simplest option for MCP servers that accept a +bearer token in the `Authorization` header. Brave Search's remote MCP server is +one example: + +1. Configuration settings: + - **Server name**: `brave-search` + - **Server URL**: `https://mcp.bravesearch.com/sse` + - **Transport**: SSE + - **Authorization method**: Bearer Token + - **Bearer token**: Your Brave Search API key +1. When you install the server, ToolHive stores the token securely and injects + it as an `Authorization: Bearer ` header on every request. +1. The remote MCP server appears in your server list with a "Running" status. + #### Remote MCP server with OAuth2 authentication GitHub's remote MCP server requires manual OAuth configuration. You'll need to diff --git a/docs/toolhive/guides-ui/run-mcp-servers.mdx b/docs/toolhive/guides-ui/run-mcp-servers.mdx index 969fc549..678a8ebf 100644 --- a/docs/toolhive/guides-ui/run-mcp-servers.mdx +++ b/docs/toolhive/guides-ui/run-mcp-servers.mdx @@ -145,9 +145,20 @@ remaining required information and adjust any optional settings as needed: - Obtains and manages client credentials - Handles token lifecycle automatically - For MCP servers that require manual configuration, ToolHive supports OAuth2 - and OIDC authentication. Obtain the necessary information from the MCP - server's documentation or administrator. + For MCP servers that accept a bearer token in the `Authorization` header, + select **Bearer Token**. ToolHive stores the token securely and sends it as + an `Authorization: Bearer ` header on every request. For servers that + expect a different header (such as `X-API-Key`), use **Custom headers** + instead. + + **Bearer Token authentication options:** + - **Bearer token**: The token value. Enter a value to create a new secret or + select an existing secret from the provider. Secrets are stored securely + and are not exposed in plaintext in configuration files. See + [Secrets management](./secrets-management.mdx) for details. [Required] + + For MCP servers that require OAuth2 or OIDC authentication, obtain the + necessary information from the MCP server's documentation or administrator. **OAuth2 authentication options:** - **Authorize URL**: The URL where users are redirected to authenticate and @@ -158,9 +169,9 @@ remaining required information and adjust any optional settings as needed: provider. [Required] - **Client secret**: The secret key that proves your application's identity. Enter a value to create a new secret or select an existing secret from the - provider. Secrets are stored securely and can be used by the MCP server - without exposing them in plaintext. See - [Secrets management](./secrets-management.mdx) for details. [Optional] + provider. Secrets are stored securely and are not exposed in plaintext in + configuration files. See [Secrets management](./secrets-management.mdx) for + details. [Optional] - **Scopes**: List of permissions your application is requesting. [Optional] - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced security without requiring a client secret. [Optional] @@ -171,9 +182,9 @@ remaining required information and adjust any optional settings as needed: provider. [Required] - **Client secret**: The secret key that proves your application's identity. Enter a value to create a new secret or select an existing secret from the - provider. Secrets are stored securely and can be used by the MCP server - without exposing them in plaintext. See - [Secrets management](./secrets-management.mdx) for details. [Optional] + provider. Secrets are stored securely and are not exposed in plaintext in + configuration files. See [Secrets management](./secrets-management.mdx) for + details. [Optional] - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced security without requiring a client secret. [Optional] @@ -405,9 +416,20 @@ On the configuration form, enter: - Obtains and manages client credentials - Handles token lifecycle automatically - For MCP servers that require manual configuration, ToolHive supports OAuth2 - and OIDC authentication. Obtain the necessary information from the MCP - server's documentation or administrator. + For MCP servers that accept a bearer token in the `Authorization` header, + select **Bearer Token**. ToolHive stores the token securely and sends it as + an `Authorization: Bearer ` header on every request. For servers that + expect a different header (such as `X-API-Key`), use **Custom headers** + instead. + + **Bearer Token authentication options:** + - **Bearer token**: The token value. Enter a value to create a new secret or + select an existing secret from the provider. Secrets are stored securely + and are not exposed in plaintext in configuration files. See + [Secrets management](./secrets-management.mdx) for details. [Required] + + For MCP servers that require OAuth2 or OIDC authentication, obtain the + necessary information from the MCP server's documentation or administrator. **OAuth2 authentication options:** - **Authorize URL**: The URL where users are redirected to authenticate and @@ -418,10 +440,12 @@ On the configuration form, enter: provider. [Required] - **Client secret**: The secret key that proves your application's identity. Enter a value to create a new secret or select an existing secret from the - provider. Secrets are stored securely and can be used by the MCP server - without exposing them in plaintext. See - [Secrets management](./secrets-management.mdx) for details. [Optional] + provider. Secrets are stored securely and are not exposed in plaintext in + configuration files. See [Secrets management](./secrets-management.mdx) for + details. [Optional] - **Scopes**: List of permissions your application is requesting. [Optional] + - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced + security without requiring a client secret. [Optional] **OIDC authentication options:** - **Issuer URL**: The base URL of the OIDC provider. [Required] @@ -429,9 +453,9 @@ On the configuration form, enter: provider. [Required] - **Client secret**: The secret key that proves your application's identity. Enter a value to create a new secret or select an existing secret from the - provider. Secrets are stored securely and can be used by the MCP server - without exposing them in plaintext. See - [Secrets management](./secrets-management.mdx) for details. [Optional] + provider. Secrets are stored securely and are not exposed in plaintext in + configuration files. See [Secrets management](./secrets-management.mdx) for + details. [Optional] - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced security without requiring a client secret. [Optional]