Azure APIM MCP Servers - Issues passing headers to backend.

Josh Innes 0 Reputation points
2025-09-04T15:25:54.7433333+00:00

Hi, I've been looking at implementing an existing API Management API as an MCP server. This API uses JWT tokens for authentication.

I am having trouble understanding the pass-through mechanism for the tokens. I tried implementing something based on the documentation here: https://learn.microsoft.com/en-us/azure/api-management/secure-mcp-servers#secure-outbound-access. I have confirmed in the MCP policy that the auth token is received, but it never reaches the backend service.

I have tried using set-header in both the API and MCP policies, for both backend and frontend, and it seems that no matter what, the API policy never has access to any headers from the MCP client's request, or to any set by the MCP server policies, even when I hard-code them using set-header.

I guess I am wondering if this is a known issue, and if it is likely to be fixed. I see others have had similar issues with little success:
https://learn.microsoft.com/en-us/answers/questions/4371821/exposing-api-as-mcp-server-in-azure-api-manager-is
https://learn.microsoft.com/en-us/answers/questions/5529138/not-able-to-set-forward-headers-in-mcp-server-poli

Let me know if you need any more information, I can anonymise and send through an example of the policies if needed.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. Harrison Gibbs 5 Reputation points
    2025-09-15T16:48:40.9266667+00:00

    Adding this as an answer even though it's more of a workaround: it looks like the ONLY header it lets you forward currently is 'Ocp-Apim-Subscription-Key'. So what I did is, in my MCP server policy, I take my auth header and put it into that key header, and then in my REST API policy I take that token and put it back into the auth header. In my actual policies I have it doing a token exchange in an OBO flow, but below is a simplified version for just passing it straight up to the backend.

    Frontend MCP server policy (in the inbound section):

    <!-- Copy the incoming Authorization value (including the "Bearer " scheme)
         into the one header that is forwarded to the API -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
        <value>@((string)context.Request.Headers.GetValueOrDefault("Authorization",""))</value>
    </set-header>


    API policy at the 'all operations' level (also in the inbound section):

    <!-- Restore the relayed value into the Authorization header before the
         request is sent to the backend -->
    <set-header name="Authorization" exists-action="override">
        <value>@((string)context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key",""))</value>
    </set-header>


    Hope this helps you or whoever else runs into this!

    1 person found this answer helpful.
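The relay described in the answer above, assembled into a complete pair of inbound policy fragments as an added example (this is not code from the answer, the question, or Microsoft's documentation). It keeps the two set-header steps exactly as the answer describes and adds what a practitioner would want around them: the MCP policy rejects requests that carry no Authorization header at all, and the API policy deletes the borrowed Ocp-Apim-Subscription-Key header and runs validate-jwt after the token is restored, so the backend only ever sees a token the gateway has checked and the bearer token is not forwarded under a second header name. The OpenID configuration URL, tenant placeholder and audience are assumptions to be replaced with your own values, and the example assumes the underlying API does not have a subscription key requirement (otherwise the gateway would try to match the bearer token against its subscription list and reject the call).

```xml
<!-- Frontend MCP server policy: inbound section (added example, not from the original post). -->
<inbound>
    <base />
    <!-- Refuse early if the MCP client sent no Authorization header at all. -->
    <choose>
        <when condition="@(string.IsNullOrEmpty(context.Request.Headers.GetValueOrDefault(&quot;Authorization&quot;, &quot;&quot;)))">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
            </return-response>
        </when>
    </choose>
    <!-- Relay the full "Bearer ..." value under the one header the MCP-to-API hop forwards. -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value>
    </set-header>
</inbound>

<!-- API policy at the 'All operations' level: inbound section (added example, not from the original post). -->
<inbound>
    <base />
    <!-- 1. Put the relayed bearer value back where the backend expects it. -->
    <set-header name="Authorization" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key", ""))</value>
    </set-header>
    <!-- 2. Drop the borrowed header so the token is not sent to the backend twice,
            and does not show up in logs under a misleading name. -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    <!-- 3. Validate the restored token before it leaves the gateway. This must come
            after step 1, since validate-jwt reads the Authorization header.
            The openid-config URL, {tenant-id} and audience below are assumptions. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://example-backend</audience>
        </audiences>
    </validate-jwt>
</inbound>
```

If the Ocp-Apim-Subscription-Key header is missing when the API policy runs, step 1 sets Authorization to an empty string and step 3 fails with a 401, which is the safe outcome. The double quotes inside the `condition` attribute are written as `&quot;` so the fragment stays well-formed XML when pasted into the policy editor.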
