feat: enhance visual hierarchy on LoginPage by increasing slogan size and spacing (#347)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

README.fr.md

@@ -0,0 +1,235 @@
+[English](README.md) | Français | [中文版](README.zh.md)
+
+# MCPHub : Le Hub Unifié pour les Serveurs MCP (Model Context Protocol)
+
+MCPHub facilite la gestion et la mise à l'échelle de plusieurs serveurs MCP (Model Context Protocol) en les organisant en points de terminaison HTTP streamables (SSE) flexibles, prenant en charge l'accès à tous les serveurs, à des serveurs individuels ou à des groupes de serveurs logiques.
+
+![Aperçu du tableau de bord](assets/dashboard.zh.png)
+
+## 🌐 Démo en direct et Documentation
+
+- **Documentation** : [docs.mcphubx.com](https://docs.mcphubx.com/)
+- **Environnement de démo** : [demo.mcphubx.com](https://demo.mcphubx.com/)
+
+## 🚀 Fonctionnalités
+
+- **Support étendu des serveurs MCP** : Intégrez de manière transparente n'importe quel serveur MCP avec une configuration minimale.
+- **Tableau de bord centralisé** : Surveillez l'état en temps réel et les métriques de performance depuis une interface web élégante.
+- **Gestion flexible des protocoles** : Compatibilité totale avec les protocoles MCP stdio et SSE.
+- **Configuration à chaud** : Ajoutez, supprimez ou mettez à jour les serveurs MCP à la volée, sans temps d'arrêt.
+- **Contrôle d'accès basé sur les groupes** : Organisez les serveurs en groupes personnalisables pour une gestion simplifiée des autorisations.
+- **Authentification sécurisée** : Gestion des utilisateurs intégrée avec contrôle d'accès basé sur les rôles, optimisée par JWT et bcrypt.
+- **Prêt pour Docker** : Déployez instantanément avec notre configuration conteneurisée.
+
+## 🔧 Démarrage rapide
+
+### Configuration
+
+Créez un fichier `mcp_settings.json` pour personnaliser les paramètres de votre serveur :
+
+```json
+{
+  "mcpServers": {
+    "amap": {
+      "command": "npx",
+      "args": ["-y", "@amap/amap-maps-mcp-server"],
+      "env": {
+        "AMAP_MAPS_API_KEY": "votre-clé-api"
+      }
+    },
+    "playwright": {
+      "command": "npx",
+      "args": ["@playwright/mcp@latest", "--headless"]
+    },
+    "fetch": {
+      "command": "uvx",
+      "args": ["mcp-server-fetch"]
+    },
+    "slack": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-slack"],
+      "env": {
+        "SLACK_BOT_TOKEN": "votre-jeton-bot",
+        "SLACK_TEAM_ID": "votre-id-équipe"
+      }
+    }
+  }
+}
+```
+
+### Déploiement avec Docker
+
+**Recommandé** : Montez votre configuration personnalisée :
+
+```bash
+docker run -p 3000:3000 -v ./mcp_settings.json:/app/mcp_settings.json -v ./data:/app/data samanhappy/mcphub
+```
+
+Ou exécutez avec les paramètres par défaut :
+
+```bash
+docker run -p 3000:3000 samanhappy/mcphub
+```
+
+### Accéder au tableau de bord
+
+Ouvrez `http://localhost:3000` et connectez-vous avec vos identifiants.
+
+> **Note** : Les identifiants par défaut sont `admin` / `admin123`.
+
+**Aperçu du tableau de bord** :
+
+- État en direct de tous les serveurs MCP
+- Activer/désactiver ou reconfigurer les serveurs
+- Gestion des groupes pour organiser les serveurs
+- Administration des utilisateurs pour le contrôle d'accès
+
+### Point de terminaison HTTP streamable
+
+> Pour le moment, la prise en charge des points de terminaison HTTP en streaming varie selon les clients IA. Si vous rencontrez des problèmes, vous pouvez utiliser le point de terminaison SSE ou attendre les futures mises à jour.
+
+Connectez les clients IA (par exemple, Claude Desktop, Cursor, DeepChat, etc.) via :
+
+```
+http://localhost:3000/mcp
+```
+
+Ce point de terminaison fournit une interface HTTP streamable unifiée pour tous vos serveurs MCP. Il vous permet de :
+
+- Envoyer des requêtes à n'importe quel serveur MCP configuré
+- Recevoir des réponses en temps réel
+- Intégrer facilement avec divers clients et outils IA
+- Utiliser le même point de terminaison pour tous les serveurs, simplifiant votre processus d'intégration
+
+**Routage intelligent (expérimental)** :
+
+Le routage intelligent est le système de découverte d'outils intelligent de MCPHub qui utilise la recherche sémantique vectorielle pour trouver automatiquement les outils les plus pertinents pour une tâche donnée.
+
+```
+http://localhost:3000/mcp/$smart
+```
+
+**Comment ça marche** :
+
+1.  **Indexation des outils** : Tous les outils MCP sont automatiquement convertis en plongements vectoriels et stockés dans PostgreSQL avec pgvector.
+2.  **Recherche sémantique** : Les requêtes des utilisateurs sont converties en vecteurs et comparées aux plongements des outils en utilisant la similarité cosinus.
+3.  **Filtrage intelligent** : Des seuils dynamiques garantissent des résultats pertinents sans bruit.
+4.  **Exécution précise** : Les outils trouvés peuvent être directement exécutés avec une validation appropriée des paramètres.
+
+**Prérequis pour la configuration** :
+
+![Routage intelligent](assets/smart-routing.zh.png)
+
+Pour activer le routage intelligent, vous avez besoin de :
+
+- PostgreSQL avec l'extension pgvector
+- Une clé API OpenAI (ou un service de plongement compatible)
+- Activer le routage intelligent dans les paramètres de MCPHub
+
+**Points de terminaison spécifiques aux groupes (recommandé)** :
+
+![Gestion des groupes](assets/group.zh.png)
+
+Pour un accès ciblé à des groupes de serveurs spécifiques, utilisez le point de terminaison HTTP basé sur les groupes :
+
+```
+http://localhost:3000/mcp/{group}
+```
+
+Où `{group}` est l'ID ou le nom du groupe que vous avez créé dans le tableau de bord. Cela vous permet de :
+
+- Vous connecter à un sous-ensemble spécifique de serveurs MCP organisés par cas d'utilisation
+- Isoler différents outils IA pour n'accéder qu'aux serveurs pertinents
+- Mettre en œuvre un contrôle d'accès plus granulaire pour différents environnements ou équipes
+
+**Points de terminaison spécifiques aux serveurs** :
+Pour un accès direct à des serveurs individuels, utilisez le point de terminaison HTTP spécifique au serveur :
+
+```
+http://localhost:3000/mcp/{server}
+```
+
+Où `{server}` est le nom du serveur auquel vous souhaitez vous connecter. Cela vous permet d'accéder directement à un serveur MCP spécifique.
+
+> **Note** : Si le nom du serveur et le nom du groupe sont identiques, le nom du groupe aura la priorité.
+
+### Point de terminaison SSE (obsolète à l'avenir)
+
+Connectez les clients IA (par exemple, Claude Desktop, Cursor, DeepChat, etc.) via :
+
+```
+http://localhost:3000/sse
+```
+
+Pour le routage intelligent, utilisez :
+
+```
+http://localhost:3000/sse/$smart
+```
+
+Pour un accès ciblé à des groupes de serveurs spécifiques, utilisez le point de terminaison SSE basé sur les groupes :
+
+```
+http://localhost:3000/sse/{group}
+```
+
+Pour un accès direct à des serveurs individuels, utilisez le point de terminaison SSE spécifique au serveur :
+
+```
+http://localhost:3000/sse/{server}
+```
+
+## 🧑‍💻 Développement local
+
+```bash
+git clone https://github.com/samanhappy/mcphub.git
+cd mcphub
+pnpm install
+pnpm dev
+```
+
+Cela démarre à la fois le frontend et le backend en mode développement avec rechargement à chaud.
+
+> Pour les utilisateurs de Windows, vous devrez peut-être démarrer le serveur backend et le frontend séparément : `pnpm backend:dev`, `pnpm frontend:dev`.
+
+## 🛠️ Problèmes courants
+
+### Utiliser Nginx comme proxy inverse
+
+Si vous utilisez Nginx pour inverser le proxy de MCPHub, assurez-vous d'ajouter la configuration suivante dans votre configuration Nginx :
+
+```nginx
+proxy_buffering off
+```
+
+## 🔍 Stack technique
+
+- **Backend** : Node.js, Express, TypeScript
+- **Frontend** : React, Vite, Tailwind CSS
+- **Authentification** : JWT & bcrypt
+- **Protocole** : Model Context Protocol SDK
+
+## 👥 Contribuer
+
+Les contributions de toute nature sont les bienvenues !
+
+- Nouvelles fonctionnalités et optimisations
+- Améliorations de la documentation
+- Rapports de bugs et corrections
+- Traductions et suggestions
+
+Rejoignez notre [communauté Discord](https://discord.gg/qMKNsn5Q) pour des discussions et du soutien.
+
+## ❤️ Sponsor
+
+Si vous aimez ce projet, vous pouvez peut-être envisager de :
+
+[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/samanhappy)
+
+## 🌟 Historique des étoiles
+
+[![Historique des étoiles](https://api.star-history.com/svg?repos=samanhappy/mcphub&type=Date)](https://www.star-history.com/#samanhappy/mcphub&Date)
+
+## 📄 Licence
+
+Sous licence [Apache 2.0 License](LICENSE).

README.md

@@ -1,6 +1,6 @@
 # MCPHub: The Unified Hub for Model Context Protocol (MCP) Servers
 
-English | [中文版](README.zh.md)
+English | [Français](README.fr.md) | [中文版](README.zh.md)
 
 MCPHub makes it easy to manage and scale multiple MCP (Model Context Protocol) servers by organizing them into flexible Streamable HTTP (SSE) endpoints—supporting access to all servers, individual servers, or logical server groups.
 

README.zh.md

@@ -1,6 +1,6 @@
 # MCPHub：一站式 MCP 服务器聚合平台
 
-[English Version](README.md) | 中文版
+[English](README.md) | [Français](README.fr.md) | 中文版
 
 MCPHub 通过将多个 MCP（Model Context Protocol）服务器组织为灵活的流式 HTTP（SSE）端点，简化了管理与扩展工作。系统支持按需访问全部服务器、单个服务器或按场景分组的服务器集合。
 

docs/openapi-schema-support.md

@@ -121,6 +121,66 @@ See the `examples/openapi-schema-config.json` file for complete configuration ex
 - **Validation**: Enhanced validation logic in server controllers
 - **Type Safety**: Updated TypeScript interfaces for both input modes
 
+## Header Passthrough Support
+
+MCPHub supports passing through specific headers from tool call requests to upstream OpenAPI endpoints. This is useful for authentication tokens, API keys, and other request-specific headers.
+
+### Configuration
+
+Add `passthroughHeaders` to your OpenAPI configuration:
+
+```json
+{
+  "type": "openapi",
+  "openapi": {
+    "url": "https://api.example.com/openapi.json",
+    "version": "3.1.0",
+    "passthroughHeaders": ["Authorization", "X-API-Key", "X-Custom-Header"],
+    "security": {
+      "type": "apiKey",
+      "apiKey": {
+        "name": "X-API-Key",
+        "in": "header",
+        "value": "your-api-key"
+      }
+    }
+  }
+}
+```
+
+### How It Works
+
+1. **Configuration**: List header names in the `passthroughHeaders` array
+2. **Tool Calls**: When calling tools via HTTP API, include headers in the request
+3. **Passthrough**: Only configured headers are forwarded to the upstream API
+4. **Case Insensitive**: Header matching is case-insensitive for flexibility
+
+### Example Usage
+
+```bash
+# Call an OpenAPI tool with passthrough headers
+curl -X POST "http://localhost:3000/api/tools/myapi/createUser" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer your-token" \
+  -H "X-API-Key: your-api-key" \
+  -H "X-Custom-Header: custom-value" \
+  -d '{"name": "John Doe", "email": "john@example.com"}'
+```
+
+In this example:
+
+- If `passthroughHeaders` includes `["Authorization", "X-API-Key"]`
+- Only `Authorization` and `X-API-Key` headers will be forwarded
+- `X-Custom-Header` will be ignored (not in passthrough list)
+- `Content-Type` is handled by the OpenAPI operation definition
+
+### Security Considerations
+
+- **Whitelist Only**: Only explicitly configured headers are passed through
+- **Sensitive Data**: Be careful with headers containing sensitive information
+- **Validation**: Upstream APIs should validate all received headers
+- **Logging**: Headers may appear in logs - consider this for sensitive data
+
 ## Security Considerations
 
 When using JSON schemas:

frontend/src/components/ServerForm.tsx

@@ -65,13 +65,16 @@ const ServerForm = ({ onSubmit, onCancel, initialData = null, modalTitle, formEr
       oauth2Token: initialData.config.openapi.security?.oauth2?.token || '',
       // OpenID Connect initialization
       openIdConnectUrl: initialData.config.openapi.security?.openIdConnect?.url || '',
-      openIdConnectToken: initialData.config.openapi.security?.openIdConnect?.token || ''
+      openIdConnectToken: initialData.config.openapi.security?.openIdConnect?.token || '',
+      // Passthrough headers initialization
+      passthroughHeaders: initialData.config.openapi.passthroughHeaders ? initialData.config.openapi.passthroughHeaders.join(', ') : '',
     } : {
       inputMode: 'url',
       url: '',
       schema: '',
       version: '3.1.0',
-      securityType: 'none'
+      securityType: 'none',
+      passthroughHeaders: '',
     }
   })
 
@@ -235,6 +238,14 @@ const ServerForm = ({ onSubmit, onCancel, initialData = null, modalTitle, formEr
                   };
                 }
 
+                // Add passthrough headers if provided
+                if (formData.openapi?.passthroughHeaders && formData.openapi.passthroughHeaders.trim()) {
+                  openapi.passthroughHeaders = formData.openapi.passthroughHeaders
+                    .split(',')
+                    .map(header => header.trim())
+                    .filter(header => header.length > 0);
+                }
+
                 return openapi;
               })(),
               ...(Object.keys(headers).length > 0 ? { headers } : {})
@@ -616,6 +627,24 @@ const ServerForm = ({ onSubmit, onCancel, initialData = null, modalTitle, formEr
               </div>
             )}
 
+            {/* Passthrough Headers Configuration */}
+            <div className="mb-4">
+              <label className="block text-gray-700 text-sm font-bold mb-2">
+                {t('server.openapi.passthroughHeaders')}
+              </label>
+              <input
+                type="text"
+                value={formData.openapi?.passthroughHeaders || ''}
+                onChange={(e) => setFormData(prev => ({
+                  ...prev,
+                  openapi: { ...prev.openapi, passthroughHeaders: e.target.value, url: prev.openapi?.url || '' }
+                }))}
+                className="shadow appearance-none border rounded w-full py-2 px-3 text-gray-700 leading-tight focus:outline-none focus:shadow-outline form-input"
+                placeholder="Authorization, X-API-Key, X-Custom-Header"
+              />
+              <p className="text-xs text-gray-500 mt-1">{t('server.openapi.passthroughHeadersHelp')}</p>
+            </div>
+
             <div className="mb-4">
               <div className="flex justify-between items-center mb-2">
                 <label className="block text-gray-700 text-sm font-bold">

frontend/src/pages/LoginPage.tsx

@@ -69,10 +69,10 @@ const LoginPage: React.FC = () => {
 
       {/* Main content */}
       <div className="relative mx-auto flex min-h-screen w-full max-w-md items-center justify-center px-6 py-16">
-        <div className="w-full space-y-6">
+        <div className="w-full space-y-16">
           {/* Centered slogan */}
           <div className="flex justify-center w-full">
-            <h1 className="text-3xl font-extrabold leading-tight tracking-tight text-gray-900 dark:text-white sm:text-4xl whitespace-nowrap">
+            <h1 className="text-5xl sm:text-5xl font-extrabold leading-tight tracking-tight text-gray-900 dark:text-white whitespace-nowrap">
               <span className="bg-gradient-to-r from-indigo-400 via-cyan-400 to-emerald-400 bg-clip-text text-transparent">
                 {t('auth.slogan')}
               </span>

frontend/src/types/index.ts

@@ -127,6 +127,7 @@ export interface ServerConfig {
     schema?: Record<string, any>; // Complete OpenAPI JSON schema
     version?: string; // OpenAPI version (default: '3.1.0')
     security?: OpenAPISecurityConfig; // Security configuration for API calls
+    passthroughHeaders?: string[]; // Header names to pass through from tool call requests to upstream OpenAPI endpoints
   };
 }
 
@@ -232,6 +233,8 @@ export interface ServerFormData {
     openIdConnectClientId?: string;
     openIdConnectClientSecret?: string;
     openIdConnectToken?: string;
+    // Passthrough headers
+    passthroughHeaders?: string; // Comma-separated list of header names
   };
 }
 

locales/en.json

@@ -159,7 +159,9 @@
       "openIdConnectToken": "ID Token",
       "apiKeyInHeader": "Header",
       "apiKeyInQuery": "Query",
-      "apiKeyInCookie": "Cookie"
+      "apiKeyInCookie": "Cookie",
+      "passthroughHeaders": "Passthrough Headers",
+      "passthroughHeadersHelp": "Comma-separated list of header names to pass through from tool call requests to upstream OpenAPI endpoints (e.g., Authorization, X-API-Key)"
     }
   },
   "status": {

locales/fr.json

@@ -159,7 +159,9 @@
       "openIdConnectToken": "Jeton d'identification",
       "apiKeyInHeader": "En-tête",
       "apiKeyInQuery": "Requête",
-      "apiKeyInCookie": "Cookie"
+      "apiKeyInCookie": "Cookie",
+      "passthroughHeaders": "En-têtes de transmission",
+      "passthroughHeadersHelp": "Liste séparée par des virgules des noms d'en-têtes à transmettre des requêtes d'appel d'outils vers les points de terminaison OpenAPI en amont (par ex. : Authorization, X-API-Key)"
     }
   },
   "status": {
@@ -618,4 +620,4 @@
       "serverToolsUpdated": "Outils du serveur mis à jour avec succès"
     }
   }
-}
+}

locales/zh.json

@@ -159,7 +159,9 @@
       "openIdConnectToken": "ID 令牌",
       "apiKeyInHeader": "请求头",
       "apiKeyInQuery": "查询",
-      "apiKeyInCookie": "Cookie"
+      "apiKeyInCookie": "Cookie",
+      "passthroughHeaders": "透传请求头",
+      "passthroughHeadersHelp": "要从工具调用请求透传到上游OpenAPI接口的请求头名称列表，用逗号分隔（如：Authorization, X-API-Key）"
     }
   },
   "status": {

package.json

@@ -46,13 +46,13 @@
   "license": "ISC",
   "dependencies": {
     "@apidevtools/swagger-parser": "^12.0.0",
-    "@modelcontextprotocol/sdk": "^1.17.4",
+    "@modelcontextprotocol/sdk": "^1.18.1",
     "@types/adm-zip": "^0.5.7",
     "@types/bcrypt": "^6.0.0",
     "@types/multer": "^1.4.13",
     "@types/pg": "^8.15.5",
     "adm-zip": "^0.5.16",
-    "axios": "^1.11.0",
+    "axios": "^1.12.2",
     "bcrypt": "^6.0.0",
     "bcryptjs": "^3.0.2",
     "cors": "^2.8.5",

pnpm-lock.yaml

@@ -16,8 +16,8 @@ importers:
         specifier: ^12.0.0
         version: 12.0.0(openapi-types@12.1.3)
       '@modelcontextprotocol/sdk':
-        specifier: ^1.17.4
-        version: 1.17.4
+        specifier: ^1.18.1
+        version: 1.18.1
       '@types/adm-zip':
         specifier: ^0.5.7
         version: 0.5.7
@@ -34,8 +34,8 @@ importers:
         specifier: ^0.5.16
         version: 0.5.16
       axios:
-        specifier: ^1.11.0
-        version: 1.11.0
+        specifier: ^1.12.2
+        version: 1.12.2
       bcrypt:
         specifier: ^6.0.0
         version: 6.0.0
@@ -891,8 +891,8 @@ packages:
   '@jridgewell/trace-mapping@0.3.9':
     resolution: {integrity: sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==}
 
-  '@modelcontextprotocol/sdk@1.17.4':
-    resolution: {integrity: sha512-zq24hfuAmmlNZvik0FLI58uE5sriN0WWsQzIlYnzSuKDAHFqJtBFrl/LfB1NLgJT5Y7dEBzaX4yAKqOPrcetaw==}
+  '@modelcontextprotocol/sdk@1.18.1':
+    resolution: {integrity: sha512-d//GE8/Yh7aC3e7p+kZG8JqqEAwwDUmAfvH1quogtbk+ksS6E0RR6toKKESPYYZVre0meqkJb27zb+dhqE9Sgw==}
     engines: {node: '>=18'}
 
   '@next/env@15.5.2':
@@ -1779,8 +1779,8 @@ packages:
     resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==}
     engines: {node: '>= 0.4'}
 
-  axios@1.11.0:
-    resolution: {integrity: sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==}
+  axios@1.12.2:
+    resolution: {integrity: sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==}
 
   babel-jest@29.7.0:
     resolution: {integrity: sha512-BrvGY3xZSwEcCzKvKsCi2GgHqDqsYkOP4/by5xCgIwGXQxIEh+8ew3gmrE1y7XRR6LHZIj6yLYnUi/mm2KXKBg==}
@@ -5002,7 +5002,7 @@ snapshots:
       '@jridgewell/resolve-uri': 3.1.2
       '@jridgewell/sourcemap-codec': 1.5.5
 
-  '@modelcontextprotocol/sdk@1.17.4':
+  '@modelcontextprotocol/sdk@1.18.1':
     dependencies:
       ajv: 6.12.6
       content-type: 1.0.5
@@ -5837,7 +5837,7 @@ snapshots:
     dependencies:
       possible-typed-array-names: 1.1.0
 
-  axios@1.11.0:
+  axios@1.12.2:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.4

src/clients/openapi.ts

@@ -299,7 +299,11 @@ export class OpenAPIClient {
     return schema;
   }
 
-  async callTool(toolName: string, args: Record<string, unknown>): Promise<unknown> {
+  async callTool(
+    toolName: string,
+    args: Record<string, unknown>,
+    passthroughHeaders?: Record<string, string>,
+  ): Promise<unknown> {
     const tool = this.tools.find((t) => t.name === toolName);
     if (!tool) {
       throw new Error(`Tool '${toolName}' not found`);
@@ -340,18 +344,32 @@ export class OpenAPIClient {
         requestConfig.data = args.body;
       }
 
+      // Collect all headers to be sent
+      const allHeaders: Record<string, string> = {};
+
       // Add headers if any header parameters are defined
       const headerParams = tool.parameters?.filter((p) => p.in === 'header') || [];
-      if (headerParams.length > 0) {
-        requestConfig.headers = {};
-        for (const param of headerParams) {
-          const value = args[param.name];
-          if (value !== undefined) {
-            requestConfig.headers[param.name] = String(value);
+      for (const param of headerParams) {
+        const value = args[param.name];
+        if (value !== undefined) {
+          allHeaders[param.name] = String(value);
+        }
+      }
+
+      // Add passthrough headers based on configuration
+      if (passthroughHeaders && this.config.openapi?.passthroughHeaders) {
+        for (const headerName of this.config.openapi.passthroughHeaders) {
+          if (passthroughHeaders[headerName]) {
+            allHeaders[headerName] = passthroughHeaders[headerName];
           }
         }
       }
 
+      // Set headers if any were collected
+      if (Object.keys(allHeaders).length > 0) {
+        requestConfig.headers = allHeaders;
+      }
+
       const response = await this.httpClient.request(requestConfig);
       return response.data;
     } catch (error) {

src/controllers/openApiController.ts

@@ -201,6 +201,7 @@ export const executeToolViaOpenAPI = async (req: Request, res: Response): Promis
     const extra = {
       sessionId: (req.headers['x-session-id'] as string) || 'openapi-session',
       server: serverName,
+      headers: req.headers, // Pass all request headers for potential passthrough
     };
 
     const result = await handleCallToolRequest(mockRequest, extra);

src/controllers/toolController.ts

@@ -61,6 +61,7 @@ export const callTool = async (req: Request, res: Response): Promise<void> => {
     const extra = {
       sessionId: req.headers['x-session-id'] || 'api-session',
       server: server || undefined,
+      headers: req.headers, // Include request headers for passthrough
     };
 
     const result = (await handleCallToolRequest(mockRequest, extra)) as ToolCallResult;

src/services/mcpService.ts

@@ -18,6 +18,7 @@ import { getGroup } from './sseService.js';
 import { getServersInGroup, getServerConfigInGroup } from './groupService.js';
 import { saveToolsAsVectorEmbeddings, searchToolsByVector } from './vectorSearchService.js';
 import { OpenAPIClient } from '../clients/openapi.js';
+import { RequestContextService } from './requestContextService.js';
 import { getDataService } from './services.js';
 import { getServerDao, ServerConfigWithName } from '../dao/index.js';
 
@@ -403,6 +404,7 @@ export const initializeClientsFromSettings = async (
         prompts: [],
         createTime: Date.now(),
         enabled: conf.enabled === undefined ? true : conf.enabled,
+        config: conf, // Store reference to original config for OpenAPI passthrough headers
       };
       serverInfos.push(serverInfo);
 
@@ -487,6 +489,7 @@ export const initializeClientsFromSettings = async (
       transport,
       options: requestOptions,
       createTime: Date.now(),
+      config: conf, // Store reference to original config
     };
     serverInfos.push(serverInfo);
 
@@ -1036,7 +1039,34 @@ export const handleCallToolRequest = async (request: any, extra: any) => {
           ? toolName.replace(`${targetServerInfo.name}-`, '')
           : toolName;
 
-        const result = await openApiClient.callTool(cleanToolName, finalArgs);
+        // Extract passthrough headers from extra or request context
+        let passthroughHeaders: Record<string, string> | undefined;
+        let requestHeaders: Record<string, string | string[] | undefined> | null = null;
+
+        // Try to get headers from extra parameter first (if available)
+        if (extra?.headers) {
+          requestHeaders = extra.headers;
+        } else {
+          // Fallback to request context service
+          const requestContextService = RequestContextService.getInstance();
+          requestHeaders = requestContextService.getHeaders();
+        }
+
+        if (requestHeaders && targetServerInfo.config?.openapi?.passthroughHeaders) {
+          passthroughHeaders = {};
+          for (const headerName of targetServerInfo.config.openapi.passthroughHeaders) {
+            // Handle different header name cases (Express normalizes headers to lowercase)
+            const headerValue =
+              requestHeaders[headerName] || requestHeaders[headerName.toLowerCase()];
+            if (headerValue) {
+              passthroughHeaders[headerName] = Array.isArray(headerValue)
+                ? headerValue[0]
+                : String(headerValue);
+            }
+          }
+        }
+
+        const result = await openApiClient.callTool(cleanToolName, finalArgs, passthroughHeaders);
 
         console.log(`OpenAPI tool invocation result: ${JSON.stringify(result)}`);
         return {
@@ -1099,7 +1129,38 @@ export const handleCallToolRequest = async (request: any, extra: any) => {
         `Invoking OpenAPI tool '${cleanToolName}' on server '${serverInfo.name}' with arguments: ${JSON.stringify(request.params.arguments)}`,
       );
 
-      const result = await openApiClient.callTool(cleanToolName, request.params.arguments || {});
+      // Extract passthrough headers from extra or request context
+      let passthroughHeaders: Record<string, string> | undefined;
+      let requestHeaders: Record<string, string | string[] | undefined> | null = null;
+
+      // Try to get headers from extra parameter first (if available)
+      if (extra?.headers) {
+        requestHeaders = extra.headers;
+      } else {
+        // Fallback to request context service
+        const requestContextService = RequestContextService.getInstance();
+        requestHeaders = requestContextService.getHeaders();
+      }
+
+      if (requestHeaders && serverInfo.config?.openapi?.passthroughHeaders) {
+        passthroughHeaders = {};
+        for (const headerName of serverInfo.config.openapi.passthroughHeaders) {
+          // Handle different header name cases (Express normalizes headers to lowercase)
+          const headerValue =
+            requestHeaders[headerName] || requestHeaders[headerName.toLowerCase()];
+          if (headerValue) {
+            passthroughHeaders[headerName] = Array.isArray(headerValue)
+              ? headerValue[0]
+              : String(headerValue);
+          }
+        }
+      }
+
+      const result = await openApiClient.callTool(
+        cleanToolName,
+        request.params.arguments || {},
+        passthroughHeaders,
+      );
 
       console.log(`OpenAPI tool invocation result: ${JSON.stringify(result)}`);
       return {

src/services/requestContextService.ts

@@ -0,0 +1,105 @@
+import { Request } from 'express';
+
+/**
+ * Request context interface for MCP request handling
+ */
+export interface RequestContext {
+  headers: Record<string, string | string[] | undefined>;
+  sessionId?: string;
+  userAgent?: string;
+  remoteAddress?: string;
+}
+
+/**
+ * Service for managing request context during MCP request processing
+ * This allows MCP request handlers to access HTTP headers and other request metadata
+ */
+export class RequestContextService {
+  private static instance: RequestContextService;
+  private requestContext: RequestContext | null = null;
+
+  private constructor() {}
+
+  public static getInstance(): RequestContextService {
+    if (!RequestContextService.instance) {
+      RequestContextService.instance = new RequestContextService();
+    }
+    return RequestContextService.instance;
+  }
+
+  /**
+   * Set the current request context from Express request
+   */
+  public setRequestContext(req: Request): void {
+    this.requestContext = {
+      headers: req.headers,
+      sessionId: (req.headers['mcp-session-id'] as string) || undefined,
+      userAgent: req.headers['user-agent'] as string,
+      remoteAddress: req.ip || req.socket?.remoteAddress,
+    };
+  }
+
+  /**
+   * Set request context from custom data
+   */
+  public setCustomRequestContext(context: RequestContext): void {
+    this.requestContext = context;
+  }
+
+  /**
+   * Get the current request context
+   */
+  public getRequestContext(): RequestContext | null {
+    return this.requestContext;
+  }
+
+  /**
+   * Get headers from the current request context
+   */
+  public getHeaders(): Record<string, string | string[] | undefined> | null {
+    return this.requestContext?.headers || null;
+  }
+
+  /**
+   * Get a specific header value (case-insensitive)
+   */
+  public getHeader(name: string): string | string[] | undefined {
+    if (!this.requestContext?.headers) {
+      return undefined;
+    }
+
+    // Try exact match first
+    if (this.requestContext.headers[name]) {
+      return this.requestContext.headers[name];
+    }
+
+    // Try lowercase match (Express normalizes headers to lowercase)
+    const lowerName = name.toLowerCase();
+    if (this.requestContext.headers[lowerName]) {
+      return this.requestContext.headers[lowerName];
+    }
+
+    // Try case-insensitive search
+    for (const [key, value] of Object.entries(this.requestContext.headers)) {
+      if (key.toLowerCase() === lowerName) {
+        return value;
+      }
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Clear the current request context
+   */
+  public clearRequestContext(): void {
+    this.requestContext = null;
+  }
+
+  /**
+   * Get session ID from current request context
+   */
+  public getSessionId(): string | undefined {
+    return this.requestContext?.sessionId;
+  }
+}

src/services/sseService.ts

@@ -8,6 +8,7 @@ import { deleteMcpServer, getMcpServer } from './mcpService.js';
 import { loadSettings } from '../config/index.js';
 import config from '../config/index.js';
 import { UserContextService } from './userContextService.js';
+import { RequestContextService } from './requestContextService.js';
 
 const transports: { [sessionId: string]: { transport: Transport; group: string } } = {};
 
@@ -131,7 +132,16 @@ export const handleSseMessage = async (req: Request, res: Response): Promise<voi
     `Received message for sessionId: ${sessionId} in group: ${group}${username ? ` for user: ${username}` : ''}`,
   );
 
-  await (transport as SSEServerTransport).handlePostMessage(req, res);
+  // Set request context for MCP handlers to access HTTP headers
+  const requestContextService = RequestContextService.getInstance();
+  requestContextService.setRequestContext(req);
+
+  try {
+    await (transport as SSEServerTransport).handlePostMessage(req, res);
+  } finally {
+    // Clean up request context after handling
+    requestContextService.clearRequestContext();
+  }
 };
 
 export const handleMcpPostRequest = async (req: Request, res: Response): Promise<void> => {
@@ -202,7 +212,17 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
   }
 
   console.log(`Handling request using transport with type ${transport.constructor.name}`);
-  await transport.handleRequest(req, res, req.body);
+
+  // Set request context for MCP handlers to access HTTP headers
+  const requestContextService = RequestContextService.getInstance();
+  requestContextService.setRequestContext(req);
+
+  try {
+    await transport.handleRequest(req, res, req.body);
+  } finally {
+    // Clean up request context after handling
+    requestContextService.clearRequestContext();
+  }
 };
 
 export const handleMcpOtherRequest = async (req: Request, res: Response) => {

src/types/index.ts

@@ -186,6 +186,7 @@ export interface ServerConfig {
     schema?: Record<string, any>; // Complete OpenAPI JSON schema
     version?: string; // OpenAPI version (default: '3.1.0')
     security?: OpenAPISecurityConfig; // Security configuration for API calls
+    passthroughHeaders?: string[]; // Header names to pass through from tool call requests to upstream OpenAPI endpoints
   };
 }
 
@@ -236,6 +237,7 @@ export interface ServerInfo {
   createTime: number; // Timestamp of when the server was created
   enabled?: boolean; // Flag to indicate if the server is enabled
   keepAliveIntervalId?: NodeJS.Timeout; // Timer ID for keep-alive ping interval
+  config?: ServerConfig; // Reference to the original server configuration for OpenAPI passthrough headers
 }
 
 // Details about a tool available on the server

tests/services/requestContextService.test.ts

@@ -0,0 +1,141 @@
+import { RequestContextService } from '../../src/services/requestContextService.js';
+import { Request } from 'express';
+
+describe('RequestContextService', () => {
+  let service: RequestContextService;
+
+  beforeEach(() => {
+    service = RequestContextService.getInstance();
+    service.clearRequestContext();
+  });
+
+  afterEach(() => {
+    service.clearRequestContext();
+  });
+
+  it('should be a singleton', () => {
+    const service1 = RequestContextService.getInstance();
+    const service2 = RequestContextService.getInstance();
+    expect(service1).toBe(service2);
+  });
+
+  it('should set and get request context from Express request', () => {
+    const mockRequest = {
+      headers: {
+        authorization: 'Bearer test-token',
+        'x-api-key': 'test-api-key',
+        'user-agent': 'test-agent',
+      },
+      ip: '127.0.0.1',
+      connection: { remoteAddress: '127.0.0.1' },
+    } as unknown as Request;
+
+    service.setRequestContext(mockRequest);
+    const context = service.getRequestContext();
+
+    expect(context).toBeTruthy();
+    expect(context?.headers).toEqual(mockRequest.headers);
+    expect(context?.userAgent).toBe('test-agent');
+    expect(context?.remoteAddress).toBe('127.0.0.1');
+  });
+
+  it('should get specific headers case-insensitively', () => {
+    const mockRequest = {
+      headers: {
+        authorization: 'Bearer test-token',
+        'X-API-Key': 'test-api-key',
+        'content-type': 'application/json',
+      },
+      ip: '127.0.0.1',
+      connection: { remoteAddress: '127.0.0.1' },
+    } as unknown as Request;
+
+    service.setRequestContext(mockRequest);
+
+    // Test exact match
+    expect(service.getHeader('authorization')).toBe('Bearer test-token');
+    expect(service.getHeader('X-API-Key')).toBe('test-api-key');
+
+    // Test case-insensitive match
+    expect(service.getHeader('Authorization')).toBe('Bearer test-token');
+    expect(service.getHeader('x-api-key')).toBe('test-api-key');
+    expect(service.getHeader('CONTENT-TYPE')).toBe('application/json');
+
+    // Test non-existent header
+    expect(service.getHeader('non-existent')).toBeUndefined();
+  });
+
+  it('should handle array header values', () => {
+    const mockRequest = {
+      headers: {
+        accept: ['application/json', 'text/html'],
+        authorization: 'Bearer test-token',
+      },
+      ip: '127.0.0.1',
+      connection: { remoteAddress: '127.0.0.1' },
+    } as unknown as Request;
+
+    service.setRequestContext(mockRequest);
+
+    const acceptHeader = service.getHeader('accept');
+    expect(acceptHeader).toEqual(['application/json', 'text/html']);
+
+    const authHeader = service.getHeader('authorization');
+    expect(authHeader).toBe('Bearer test-token');
+  });
+
+  it('should extract session ID from mcp-session-id header', () => {
+    const mockRequest = {
+      headers: {
+        'mcp-session-id': 'test-session-123',
+        authorization: 'Bearer test-token',
+      },
+      ip: '127.0.0.1',
+      connection: { remoteAddress: '127.0.0.1' },
+    } as unknown as Request;
+
+    service.setRequestContext(mockRequest);
+
+    expect(service.getSessionId()).toBe('test-session-123');
+  });
+
+  it('should handle custom request context', () => {
+    const customContext = {
+      headers: {
+        'custom-header': 'custom-value',
+        authorization: 'Bearer custom-token',
+      },
+      sessionId: 'custom-session',
+      userAgent: 'custom-agent',
+      remoteAddress: '192.168.1.1',
+    };
+
+    service.setCustomRequestContext(customContext);
+    const context = service.getRequestContext();
+
+    expect(context).toEqual(customContext);
+    expect(service.getHeader('custom-header')).toBe('custom-value');
+    expect(service.getSessionId()).toBe('custom-session');
+  });
+
+  it('should return null when no context is set', () => {
+    expect(service.getRequestContext()).toBeNull();
+    expect(service.getHeaders()).toBeNull();
+    expect(service.getHeader('any-header')).toBeUndefined();
+    expect(service.getSessionId()).toBeUndefined();
+  });
+
+  it('should clear request context', () => {
+    const mockRequest = {
+      headers: { authorization: 'Bearer test-token' },
+      ip: '127.0.0.1',
+      connection: { remoteAddress: '127.0.0.1' },
+    } as unknown as Request;
+
+    service.setRequestContext(mockRequest);
+    expect(service.getRequestContext()).toBeTruthy();
+
+    service.clearRequestContext();
+    expect(service.getRequestContext()).toBeNull();
+  });
+});