# Authenticate Header
<EpicVideo url="https://www.epicai.pro/workshops/day-7-8-mcp-auth/authenticate-header-0n13b" />
👨‍💼 In EpicMe, the `Authorization` header is the gatekeeper for every journal entry. Its job is simple but critical: make sure that only requests with valid credentials can access or change journal data. If a request doesn't include this header, it shouldn't get through—no exceptions. Once the client has an auth token, it'll send that token in the `Authorization` header. If that header doesn't exist, then we know they don't have a token and shouldn't be able to access our server.
But we can help them out by telling them what they need to do to get access. This is where the `WWW-Authenticate` header comes in. It tells the client what kind of authentication is required.
For example, if someone tries to fetch `/api/secret-sandwich-recipes` without authenticating, the server should respond with a clear message and a `WWW-Authenticate` header:
```ts
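// A missing Authorization header means the client has no token yet.
const hasToken = request.headers.get('authorization')
if (!hasToken) {
  // Challenge the client: 401 plus the scheme it should use to retry.
  return new Response('Unauthorized', {
    status: 401,
    headers: {
      'WWW-Authenticate': 'Bearer',
    },
  })
}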
```
This check is the first and most basic requirement for a secure journal app. The `WWW-Authenticate` header in the response tells the client what kind of credentials are needed to try again.
<callout-info>
If a request is missing the `Authorization` header, always include the
`WWW-Authenticate` header in your 401 response. This helps clients know how to
try again.
</callout-info>
Without this check, nothing else about security matters. Make sure every request is challenged at the door.
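The same challenge written as a reusable guard, going one step beyond the snippet above by also challenging an empty or non-`Bearer` `Authorization` value. This is an added example, not the workshop's code; `requireBearer`, `handle`, the sample URL and the sample tokens are hypothetical, and token validation itself is assumed to happen afterwards.

```ts
// Added example: names and sample values below are constructed for illustration.

// Returns a 401 challenge when the request carries no usable bearer
// credentials, or null when the caller may go on to validate the token.
function requireBearer(request: Request): Response | null {
  const header = request.headers.get('authorization')
  // Expected shape is "Bearer <token>"; the scheme name is case-insensitive
  // and the token must be non-empty.
  const match = header?.match(/^Bearer +(\S+)$/i)
  if (match) return null

  return new Response('Unauthorized', {
    status: 401,
    headers: { 'WWW-Authenticate': 'Bearer' },
  })
}

// Every request goes through the guard before any journal logic runs.
function handle(request: Request): Response {
  const challenge = requireBearer(request)
  if (challenge) return challenge
  // Assumption: real token validation would run here. This example only
  // covers the presence and shape of the header.
  return new Response('ok', { status: 200 })
}

// Constructed sample requests covering the edge cases.
const url = 'https://epicme.example/mcp'
const samples = {
  missing: new Request(url),
  wrongScheme: new Request(url, { headers: { authorization: 'Basic dXNlcjpwdw==' } }),
  emptyToken: new Request(url, { headers: { authorization: 'Bearer ' } }),
  bearer: new Request(url, { headers: { authorization: 'bearer sample-token' } }),
}

for (const [name, request] of Object.entries(samples)) {
  const response = handle(request)
  console.log(name, response.status, response.headers.get('WWW-Authenticate'))
}
```
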
<callout-danger>
If you're experiencing issues when clicking "Connect" in the inspector,
double-check the "Authentication" dropdown. Clicking that will show you a UI
for custom headers and if there's a custom "Authentication" header, it could
be messing with your connection request. Delete that header and the inspector
will add the correct "Authorization" header for you automatically.
</callout-danger>
📜 For more details, see the [MDN documentation on WWW-Authenticate](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate).