fix(mcp): Stop sending API key as Bearer token in MCP client

[Cristhianzl]

Objective
Fix MCP client authentication failing with 401 when using LANGFLOW_API_KEY environment variable.

Changes

• Remove API key from Authorization: Bearer header in LangflowClient._headers()
• Send API key only via x-api-key header; reserve Authorization: Bearer for JWT access tokens

Notes
When both Authorization: Bearer <api_key> and x-api-key: <api_key> headers were sent, the backend validated the Bearer token first as a JWT, failed with "Invalid token", and returned 401 before ever checking the x-api-key header. This made LANGFLOW_API_KEY env var auth unusable for the MCP server. The fix ensures each header is used only for its intended auth mechanism: x-api-key for API keys, Authorization: Bearer for JWT tokens from login.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c76925fd-6292-4a6a-970e-41664a7417fd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cz/fix-mcp-auth-api-key

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	24.49% (8791/35894)	17.23% (4862/28217)	17.14% (1288/7513)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
2795	0 💤	0 ❌	0 🔥	46.99s ⏱️

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (feat/flow-polling-mechanism@951c603). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/lfx/src/lfx/mcp/client.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@                      Coverage Diff                       @@
##             feat/flow-polling-mechanism   #12349   +/-   ##
==============================================================
  Coverage                               ?   37.69%           
==============================================================
  Files                                  ?     1663           
  Lines                                  ?    83783           
  Branches                               ?    12492           
==============================================================
  Hits                                   ?    31580           
  Misses                                 ?    50365           
  Partials                               ?     1838           

Flag	Coverage Δ
backend	51.63% <ø> (?)
frontend	21.84% <ø> (?)
lfx	45.40% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/lfx/src/lfx/mcp/client.py	23.25% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.