Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
OMG this randomly just started to work, thanks!!!
the Authorization token now forwards from MCP to APIM
Not able to set/forward headers in MCP server policy when using MCP server from REST API in APIM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 77%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPF%3C/text%3E%3C/svg%3E)
Patrice Ferrot
20
Reputation points
- I have a REST API exposed as MCP server, following the documentation here
- REST API has
validate-jwtpolicy - MCP server also has
validate-jwtpolicy - Problem: I cannot get the
Authorizationheader to be forwarded from the MCP server to the API, even though I followed the instructions and added the necessaryset-headerpolicy as per the documentation here - I even tried to set hardcoded headers with various names (other than
Authorization) in the MCP server policy: they are never available in the API
Can you please suggest how to set headers in the MCP server policy so they are available in the API policy when using the "Expose REST API as an MCP server" feature?
Thanks in advance!
Azure API Management
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-08-21T01:02:37.29+00:00 Thank you for using Q&A platform.
we understand that you are not getting the Authorizazion header to be forwarded from the MCP server to the API and you want to set headers in the MCP server policy.
Headers set in MCP server policies are not automatically forwarded to the backend API unless explicitly passed through a supported mechanism.
Authorization headers are particularly sensitive and may block by default. MCP server policies apply at the tool level, not the backend API level.
To set headers in MCP server policy when using MCP server from REST API in APIM,
Use set-header in the API Policy Instead, If you're trying to pass a token from the MCP server to the backend API, you must set the header in the API’s inbound policy, not the MCP server policy:
<inbound>
<base /> override <value>Bearer @{context.Request.Headers.GetValueOrDefault("Authorization", "")}</value> </set-header></inbound>
Authorization is being stripped, use a custom header like X-Auth-Token as Proxy.
MCP server policy:
override
<value>Bearer your-token-here</value></set-header>
API policy:
<set-header name="Authorization" exists-action="overrideDefault("X-Auth-Token", ""))</value>
</set-header>
This can change restrictions on the Authorization header.
If you're using OAuth, consider integrating with Credential Manager or Microsoft Entra ID for secure token handling. It is for production-grade setups
I hope this helps in resolving the issue, do let me know if you have any further questions on this
-
Patrice Ferrot 20 Reputation points
2025-08-21T06:59:20.06+00:00 Thanks for your message, @Anonymous !
However, I tried what you suggested already. This is what I described in my first message: setting a header in the MCP server inbound policy does not make it available in the API inbound policy, regardless of the header name.
MCP inbound policy
... <inbound> <base> <set-header name="X-Test-Header" exists-action="override"> <value>test-value</value> </set-header> ...API inbound policy
... <inbound> <base /> <check-header name="X-Test-Header" failed-check-httpcode="499" failed-check-error-message="X-Test-Header not present" ignore-case="true"> <value>test-value</value> </check-header> ...This always cause a 499 when calling the corresponding MCP tool, see response payload below (from Postman).
{ "content": [ { "type": "text", "text": "{ \"statusCode\": 499, \"message\": \"X-Test-Header not present \" }" } ] }Am I missing something or is this simply not possible?
-
Patrice Ferrot 20 Reputation points
2025-08-21T07:17:17.85+00:00 Thanks for your message, @Anonymous !
However, I tried what you suggested already. This is what I described in my first message: setting a header in the MCP server inbound policy does not make it available in the API inbound policy, regardless of the header name.
MCP inbound policy
... <inbound> <base> <set-header name="X-Test-Header" exists-action="override"> <value>test-value</value> </set-header> ...API inbound policy
... <inbound> <base /> <check-header name="X-Test-Header" failed-check-httpcode="499" failed-check-error-message="X-Test-Header not present" ignore-case="true"> <value>test-value</value> </check-header> ...This always cause a 499 when calling the corresponding MCP tool, see response payload below (from Postman).
{ "content": [ { "type": "text", "text": "{ \"statusCode\": 499, \"message\": \"X-Test-Header not present \" }" } ] }Am I missing something or is this simply not possible?
-
Anonymous
2025-08-21T21:07:57.1233333+00:00 Try remove validate-jwt from the MCP server and perform all token validation at the API level. This avoids the need to forward headers entirely.
Make sure your MCP server implements the /.well-known/oauth-protected-resource endpoint to advertise supported scopes. This is crucial for token validation properly and audience binding.
For production grade setups, consider integrating with Microsoft Entra ID or Credential Manager for secure token handling and delegation.
if you are still facing the issue please reach out to us further questions
-
Patrice Ferrot 20 Reputation points
2025-08-22T06:43:04.7233333+00:00 Again: no header is forwarded to the API, even if the validate-jwt is not used in the MCP server. Also, headers coming from the MCP client or set in the MCP server with the set-header policy are never available in the API.
I don't understand if this is a bug or as designed!?
-
Anonymous
2025-08-28T23:37:08.18+00:00 @Patrice Ferrot The behavior you're seeing headers set in the MCP server policy not being forwarded to the backend API is a bug or by design.
This generally happens due to The MCP server acts as a proxy layer, and its policies are scoped to the tool invocation context.
The actual request to the backend API is reconstructed by APIM, and unless headers are explicitly passed through a supported mechanism, they are dropped
I recommend using policy fragments to avoid duplicating logic across APIs and integrating with Credential Manager or Microsoft Entra ID for secure token handling in production environments
I hope this helps in resolving the issue, do let me know if you have any further questions on this
-
Anonymous
2025-08-29T17:20:38.7933333+00:00 @Patrice Ferrot Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
-
Patrice Ferrot 20 Reputation points
2025-08-29T17:42:54.8033333+00:00 Hi @Anonymous - I checked your comment, but not sure how it is supposed to help me. It looks like you didn't really read ma question. Or you are a bot :-)
-
Anonymous
2025-09-07T21:27:08.46+00:00 @Patrice Ferrot Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this
-
Anonymous
2025-09-08T18:45:21.65+00:00 @Patrice Ferrot Following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 0%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHG%3C/text%3E%3C/svg%3E)
Harrison Gibbs 0 Reputation points2025-09-15T16:45:30.9133333+00:00 I was in the same boat as you - it looks like the ONLY header that it lets you forward currently is 'Ocp-Apim-Subscription-Key'. So what I did is on my MCP server policy I take my auth header and put it into that key header, and then in my rest API policy I take that token and put it back into the auth header. In my actual policies I have it doing a token exchange in an OBO flow but below is a simplified version for just passing it straightup to the backend.
Frontend MCP server policy (in the inbound section):
<set-header name="Ocp-Apim-Subscription-Key" exists-action="override"> <value>@((string)context.Request.Headers.GetValueOrDefault("Authorization","")) )</value> </set-header>API policy at the 'all operations' level (also in the inbound section):
<set-header name="Authorization" exists-action="override"> <value>@((string)context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key",""))</value> </set-header>Hope this helps you or whoever else runs into this!
Sign in to comment
Answer accepted by question author
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
Allen Chen 80 Reputation points2025-11-07T19:30:26.8833333+00:00 -
Patrice Ferrot 20 Reputation points
2025-11-11T10:45:34.5833333+00:00 Indeed, just tested it, it works now. Amazing ;-)
-
Patrice Ferrot 20 Reputation points
2025-12-03T09:48:25.8566667+00:00 And now it does not work in some of our environments!? Maybe Microsoft has not rolled out the the fix everywhere yet!?
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
Harrison Gibbs 0 Reputation points
2025-09-15T16:47:18.19+00:00 Adding this as an answer too even though it's more of a workaround:
It looks like the ONLY header that it lets you forward currently is 'Ocp-Apim-Subscription-Key'. So what I did is on my MCP server policy I take my auth header and put it into that key header, and then in my rest API policy I take that token and put it back into the auth header. In my actual policies I have it doing a token exchange in an OBO flow but below is a simplified version for just passing it straightup to the backend.
Frontend MCP server policy (in the inbound section):
<set-header name="Ocp-Apim-Subscription-Key" exists-action="override"> <value>@((string)context.Request.Headers.GetValueOrDefault("Authorization","")) )</value> </set-header>API policy at the 'all operations' level (also in the inbound section):
<set-header name="Authorization" exists-action="override"> <value>@((string)context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key",""))</value> </set-header>Hope this helps you or whoever else runs into this!
-
Patrice Ferrot 20 Reputation points
2025-09-20T13:08:11.6533333+00:00 Hi @Harrison Gibbs , thanks for your comment. I haven't had time to test the suggested workaround yet, but will definitely give it a try.
Microsoft still really need to fix the issue: not being able to set or forward headers is a blocker for many (or even most) scenarios.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 92%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Kollar Martin 0 Reputation points2025-10-02T05:57:55.77+00:00 Based on MCP Specification (https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#sequence-diagram)
Client is sending Access Token to the MCP server. So shouldn't it be a default that MCP via APIM just forwards it to the API. I shouldn't do any special settings/policies for header forwarding.
Sign in to comment -
-
Anonymous
2025-09-05T18:27:31.2033333+00:00 we are sorry that the previous response could'nt help you. please find out below to to set headers in the MCP server policy so they are available in the API policy when using the Expose REST API as an MCP server feature
Ensure that the
Authorizationheader (or any other headers) is forwarded from the MCP server to the backend API, you need to configure the Outbound Policy in the MCP server. Below is the correct approach to configure the MCP outbound policy:
Step 1: Add the
set-headerPolicy in MCP OutboundThe
set-headerpolicy in the Outbound section of the MCP server ensures that headers are passed to the backend API. Here's an example:xml
Copy snippet
XML
<policies><outbound><set-header name="Authorization" exists-action="override"><value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value></set-header></outbound></policies>- Explanation:
-
context.Request.Headers.GetValueOrDefault("Authorization", ""): Retrieves theAuthorizationheader from the incoming request to the MCP server.-
exists-action="override": Ensures the header is set even if it already exists.
-
-
Step 2: Test with Hardcoded Headers
To confirm that the outbound policy is working, try setting a hardcoded header:
xml
Copy snippet
XML
<policies><outbound><set-header name="X-Test-Header" exists-action="override"><value>TestValue</value></set-header></outbound></policies>- Make a request to the MCP server and check if the
X-Test-Headeris available in the backend API.
Step 3: Debug Header Forwarding
Use the Trace feature in Azure API Management to debug the outbound headers:
- Enable Tracing in your API Management instance.
- Make a request to the MCP server.
- Inspect the trace logs to confirm whether the
Authorizationheader is being forwarded.
Step 4: Ensure No Conflicting Policies
Check for any policies in the MCP server or backend API that might be removing or altering headers:
- Look for
remove-headerpolicies that may be stripping headers. - Ensure the backend API is not rejecting headers due to security or configuration settings.
Step 5: Validate Backend API Configuration
Ensure the backend API is configured to accept headers forwarded from the MCP server. Some backend APIs may require explicit configuration to handle custom headers.
Step 6: Use Context Variables for Debugging
If the issue persists, use context variables to inspect the request and response headers:
xml
Copy snippet
XML
<log-to-eventhub><message>@(context.Request.Headers)</message></log-to-eventhub>This will help you confirm whether the
Authorizationheader is present in the outbound request.
Step 7: Special Considerations for
AuthorizationHeaderThe
Authorizationheader is treated specially by Azure API Management:- If the
validate-jwtpolicy is applied in the MCP server or backend API, ensure the token matches the expected configuration (issuer, audience, etc.). - If the backend API also has a
validate-jwtpolicy, ensure it is not rejecting the forwarded token.
Final Notes
If headers are still not being forwarded, consider:
- Using a custom header name instead of
Authorization(e.g.,X-Custom-Auth) to test if the issue is specific to theAuthorizationheader. - Checking the backend API
I hope this helps in resolving the issue, do let me know if you have any further questions on this
-
Allen Chen 80 Reputation points
2025-09-19T23:40:07.8466667+00:00 Also running into this issue, attempting to test the full mcp server -> apim -> backend -> apim -> mcp server flow.
The stated approach did not work, inspecting the request headers at APIM reflects no header forwarded. The only header that sticks is Ocp-Apim-Subscription-Key.
Tried setting any header at <Inbound> and <Outbound> of MCP server policy, nothing works
Sign in to comment - Explanation: