feat!: support credentials per user for tools (with example implementation)#5
Conversation
j08lue
left a comment
There was a problem hiding this comment.
Is this (passing credentials, via headers, to an MCP service to use inside tools) a pattern that exists elsewhere?
Not sure how else you'd do it. 😄 Just curious whether this is already something other clients than our bespoke frontend would support.
This would also work with a token from an auth redirect flow that the frontend performs against CDS IAM or so, right?
As mentioned in slack, for history: |
7dd0f81 to
e260c3b
Compare
Per-user credentials for MCP toolsets
Tools can now act on behalf of the calling user instead of a shared
service identity. Credentials ride the MCP transport as HTTP headers —
they never appear in the model context, tool arguments, chat history or
traces.
How it works
CREDENTIAL_HEADERSexport (validated by the contract test). Tools read values at call time
with the new
mcp_runtime.credentialshelpers./healthand the index, so clients know which toolset needs whichcredential — and send each one only to the connections that declare
it, never to unrelated toolsets.
is built once and injects the current user's headers at request time
(
user_credentialscontext manager + per-connection httpx clientfactories) — the shape a multi-user deployment needs. The Chainlit UI
auto-generates a settings field for every advertised header.
mcp-cligains curl-style-H/--headerfor driving credentialtools from the terminal.
BREAKING: cds toolset now authenticates as the calling user
The shared
CDS_API_KEYSecret is gone. Retrieve-API tools read thecaller's key from the
x-cds-tokenheader (sent upstream asPRIVATE-TOKEN); clients are created per tool call so no state can leakbetween users.
search_datasets(public catalogue) still works withoutcredentials.
After deploy: callers must supply their own CDS key, and the unused
cds-credentialsSecret can be deleted from the cluster.Also included
toolsets/credential-demo— a minimal stubbed example (whoami) ofthe pattern, with credential-presence logging.
a hint when the URL is missing its
/mcppath, instead of anExceptionGroup traceback).