fix: include API key in CORS proxy requests for MCP connections#21193
Merged
allozaur merged 2 commits intoggml-org:masterfrom Mar 31, 2026
Merged
fix: include API key in CORS proxy requests for MCP connections#21193allozaur merged 2 commits intoggml-org:masterfrom
allozaur merged 2 commits intoggml-org:masterfrom
Conversation
When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes ggml-org#21167
This comment was marked as off-topic.
This comment was marked as off-topic.
ngxson
reviewed
Mar 30, 2026
Contributor
Author
|
Thanks for the note. The fix was written by me - I traced the issue through |
Contributor
Author
|
Good catch, that's cleaner. I'll update the PR with your suggestion. |
Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise.
ngxson
approved these changes
Mar 31, 2026
allozaur
approved these changes
Mar 31, 2026
Contributor
allozaur
left a comment
allozaur
left a comment
There was a problem hiding this comment.
I will merge this and push static build in another PR that im about to merge
slartibardfast
pushed a commit
to slartibardfast/llama.cpp
that referenced
this pull request
Apr 12, 2026
…-org#21193) * fix: include API key in CORS proxy requests for MCP connections When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes ggml-org#21167 * fix: simplify headers assignment based on reviewer suggestion Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise.
Seunghhon
pushed a commit
to Seunghhon/llama.cpp
that referenced
this pull request
Apr 26, 2026
…-org#21193) * fix: include API key in CORS proxy requests for MCP connections When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes ggml-org#21167 * fix: simplify headers assignment based on reviewer suggestion Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise.
rsenthilkumar6
pushed a commit
to rsenthilkumar6/llama.cpp
that referenced
this pull request
May 1, 2026
…-org#21193) * fix: include API key in CORS proxy requests for MCP connections When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes ggml-org#21167 * fix: simplify headers assignment based on reviewer suggestion Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When
llama-serveris started with both--api-key-fileand--webui-mcp-proxy, the/cors-proxyendpoint is subject to the global API key validation middleware. MCP connections configured with "Use Proxy" fail with a 401 because the WebUI does not include theAuthorizationheader in its requests to/cors-proxy.Fixes #21167
Root Cause
In
MCPService.createTransport(),requestInit.headerswas only populated withbuildProxiedHeaders(config.headers)— which wraps the target MCP server's headers using theX-Proxy-Header-*convention. TheAuthorization: Bearer <api-key>header needed to authenticate the request against llama-server itself was never included.Fix
Import the existing
getAuthHeaders()utility and spread it intorequestInit.headerswhenuseProxyis true:getAuthHeaders()returns{ Authorization: 'Bearer <key>' }when an API key is configured, or an empty object otherwise — so there is no regression when no API key is set.Testing
llama-serverwith--api-key-file <file> --webui-mcp-proxy