fix: include API key in CORS proxy requests for MCP connections#21193
Open
satishkc7 wants to merge 2 commits intoggml-org:masterfrom
Open
fix: include API key in CORS proxy requests for MCP connections#21193satishkc7 wants to merge 2 commits intoggml-org:masterfrom
satishkc7 wants to merge 2 commits intoggml-org:masterfrom
Conversation
When llama-server is started with --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint requires authentication. The WebUI was not including the Authorization header in proxy requests, causing MCP connections to fail with 401. Inject getAuthHeaders() into requestInit when useProxy is true so the proxy request carries the Bearer token alongside the forwarded target headers. Fixes ggml-org#21167
|
Hi @satishkc7, thanks for your contribution! Per our contribution guidelines, the automated PR checker found the following issue(s) that need your attention:
Please note that maintainers reserve the right to make final decisions on PRs. If you believe there is a mistake, please comment below. |
ngxson
reviewed
Mar 30, 2026
Comment on lines
127
to
130
| if (config.headers) { | ||
| requestInit.headers = buildProxiedHeaders(config.headers); | ||
| } | ||
|
|
Contributor
Author
|
Thanks for the note. The fix was written by me - I traced the issue through |
Author
|
Good catch, that's cleaner. I'll update the PR with your suggestion. |
Apply buildProxiedHeaders only when useProxy is true, pass headers directly to the transport otherwise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When
llama-serveris started with both--api-key-fileand--webui-mcp-proxy, the/cors-proxyendpoint is subject to the global API key validation middleware. MCP connections configured with "Use Proxy" fail with a 401 because the WebUI does not include theAuthorizationheader in its requests to/cors-proxy.Fixes #21167
Root Cause
In
MCPService.createTransport(),requestInit.headerswas only populated withbuildProxiedHeaders(config.headers)— which wraps the target MCP server's headers using theX-Proxy-Header-*convention. TheAuthorization: Bearer <api-key>header needed to authenticate the request against llama-server itself was never included.Fix
Import the existing
getAuthHeaders()utility and spread it intorequestInit.headerswhenuseProxyis true:getAuthHeaders()returns{ Authorization: 'Bearer <key>' }when an API key is configured, or an empty object otherwise — so there is no regression when no API key is set.Testing
llama-serverwith--api-key-file <file> --webui-mcp-proxy