Authentication & Authorization

Understanding Authentication and Authorization

MCP Servers in Infragate can operate with or without authorization.
This guide explains how each mode works, how to configure authorization, and what headers are required when invoking an MCP Server securely.

---

Authorization Modes

When creating an MCP Server, you can choose one of the following modes:

1. No Authorizer (Public Access)

When an MCP Server is created without an authorizer, it is fully public.
Any client that knows the server endpoint can send MCP requests directly.

Caution

This mode is not recommended for production workloads or sensitive data.

Example:

{
  "mcpServers": {
    "My First Server": {
      "url": "https://abcd12345678.serverless.api.infragate.co/mcp"
    }
  }
}

---

2. API Key Authorizer

When an API Key Authorizer is enabled, each incoming request must include the API key header.

Required Header

Header	Description
x-api-key	The Infragate API key you generated for this server.

Example:

{
  "mcpServers": {
    "My First Server": {
      "url": "https://abcd12345678.serverless.api.infragate.co/mcp",
      "headers": {
        "x-api-key": "ae501f2f-89ce-40d7-8e52-61bc18026abb"
      }
    }
  }
}

Note

The Infragate authorizer verifies the validity of the API key before the request reaches your server logic.

---

3. Bearer Passthrough Authorizer

The Bearer Passthrough mode allows your MCP Server to forward authentication credentials to downstream services.
This mode is ideal when your tools depend on external APIs or microservices that implement their own authentication logic.

Required Headers

Header	Description
x-api-key	Validates the request against Infragate’s authorizer.
Authorization	A bearer or custom auth token passed unchanged to downstream services.

Note

Infragate does not inspect or validate the Authorization header - it only forwards it. This lets you integrate with APIs that require OAuth or other bearer-based tokens.

Example:

{
  "mcpServers": {
    "My First Server": {
      "url": "https://abcd12345678.serverless.api.infragate.co/mcp",
      "headers": {
        "x-api-key": "ae501f2f-89ce-40d7-8e52-61bc18026abb",
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
      }
    }
  }
}

Choosing the Right Mode

Mode	Access Control	Recommended Use Case
No Authorizer	None	Prototyping, local testing
API Key	Strong key-based authentication	Production and shared environments
Bearer Passthrough	Hybrid: API key + downstream bearer token	Integrations with third-party APIs

Tip

You can change the authorizer mode at any time from the Settings tab of your MCP Server in the Infragate Console.

---

Summary

• Public servers allow open access (no headers required).
• API Key servers require x-api-key for every request.
• Bearer Passthrough servers require both x-api-key and Authorization headers - the latter is simply forwarded downstream.

Note

Always treat your API key as a secret. Do not embed it in frontend code or public repositories.