Skip to main content
This page is about upstream authentication: how Mcpjungle authenticates when it calls an upstream MCP server.

When you need this

Use upstream authentication when the MCP server you are registering requires some form of authentication (eg- static bearer token or custom headers). Typical examples:
  • SaaS-hosted MCP servers
  • Internal MCP servers behind an API gateway
  • Self-hosted MCP servers using static bearer-token auth

Bearer token via CLI flag

If the upstream server accepts a standard bearer token, pass it at registration time: 
mcpjungle register \
  --name huggingface \
  --description "HuggingFace MCP Server" \
  --url https://huggingface.co/mcp \
  --bearer-token <your-hf-api-token>
Mcpjungle will send: 
Authorization: Bearer <your-hf-api-token>
on requests to that upstream server.

Bearer token in a config file

{
  "name": "huggingface",
  "transport": "streamable_http",
  "url": "https://huggingface.co/mcp",
  "description": "HuggingFace MCP Server",
  "bearer_token": "<your-hf-api-token>"
}

Custom headers

If the upstream server expects a non-standard authorization format or additional headers, use the headers field: 
{
  "name": "sourcegraph",
  "transport": "streamable_http",
  "url": "https://sourcegraph.mycompany.com/.api/mcp",
  "headers": {
    "Authorization": "token <your-sourcegraph-token>",
    "Custom-Header": "custom-value"
  }
}
If you set both bearer_token and headers.Authorization, the explicit header value should be treated as the more specific configuration.

Environment variable placeholders

JSON config files support ${VAR_NAME} placeholders in string fields, including bearer_token and header values: 
{
  "name": "affine-main",
  "transport": "streamable_http",
  "url": "https://app.affine.pro/api/workspaces/${AFFINE_WORKSPACE_ID}/mcp",
  "bearer_token": "${AFFINE_API_TOKEN}",
  "headers": {
    "X-Workspace": "${AFFINE_WORKSPACE_ID}"
  }
}
Placeholder expansion happens in the CLI process before the config is sent to Mcpjungle. See the configuration file reference for the full substitution rules.

STDIO servers and auth via environment variables

For STDIO-based MCP servers, authentication is typically passed through environment variables in the server config. Example: 
{
  "name": "my-stdio-server",
  "transport": "stdio",
  "command": "uvx",
  "args": ["my-server"],
  "env": {
    "API_TOKEN": "${API_TOKEN}"
  }
}
Mcpjungle will start the STDIO server process with those environment variables, allowing the upstream server to read its credentials from the process environment.

Important scope distinction

Two different authentication layers can exist in the same deployment:
  • Gateway authentication: Enterprise-mode clients authenticating to Mcpjungle.
  • Upstream authentication: Mcpjungle authenticating to a registered MCP server.
Those are separate concerns and use different configuration points.

Current limitation

Mcpjungle does not yet support OAuth flow for upstream server authentication. Support for Oauth flows is being worked on and will soon be available.

Register servers

Register streamable HTTP MCP servers with CLI flags or config files.

Access control

Configure how MCP clients authenticate to the Mcpjungle gateway itself.

Clients and users

Manage human and machine identities in enterprise mode.

Limitations

Review current gaps, including OAuth support.