Can mcpo support multi-user/multi-authentication scenarios?

[miraculixx]

I'm wondering how to implement this scenarios:

1. run mcpo for per-user authenticated mcp servers, e.g. github, gmail, etc.
2. depending on the connecting user, a user-specific instance of the mcp server is started, authenticated with user's credential to the backend service
3. all queries on behalf of that user go through the user's specific instance of the mcp server

Alternatively, and efficiently, (2) would start a single mcp server and in (3) pass on the respective credentials. However currently mcp servers don't seem to support that.

[csanz91]

I would love to see something like that. Any feedback regarding this feature?

[17jmumford]

Some thoughts as to why this is currently not supported:

MCPO is effectively acting as both the server and the client. It hosts the server, and then connects and authentications to it with a client, and exposes an API that forwards the request through the MCP client to the MCP server. That's why MCPO requires you to provide a config file, which is used by all MCP clients.

The challenge here is that while MCP servers can dynamically accept incoming requests from different user clients based on API keys and authentication, this dynamicism is closed off once the client connects. The client is instantiated and authenticated with the config file on startup.

This highlights one of the fundamental challenges of Open WebUI attempting to funnel everyone through MCPO. There is no option for multi-user flexibility.

Let's take ClickUp for example. ClickUp allows users to generate an API key. This API key can be used with a ClickUp MCP. When you authenticate with said API key, all actions taken by the AI through the MCP server have your name associated with it. ClickUp does not offer any sort of service account or machine API keys, because they want all incoming assets to be associated with a real human, even if its created on their behalf by a machine.

MCPO requires you to provide the API key ON STARTUP. This means once the MCPO server is running, you are locked into having all calls associated with that user. This means an organization with hundreds of employees would have all ClickUp assets associated with that user.

So what's the solution here? I suppose we could try to dynamically spin up and down hundreds of MCPO servers for different users. That seems.... inefficient. We could patch MCPO to expose the endpoints but then create a unique client instance when a user sends a request. This would require a major refactor of how MCPO currently does authentication. Or Open WebUI could open up compatibility with MCP.

I won't pretend to be the expert here: I've made only the smallest of contributions to the Open WebUI codebase. However, I am happy to support whatever solution the project leaders would recommend here, as long as it solves this pain point for us. At the end of the day, we just want a way for each of our users to be able to connect to the MCP servers inside of MCPO as themselves, rather than whatever API key is provided at startup.

[gabriel-ecegi]

Hey @17jmumford! 👋

We actually faced this exact problem using Open WebUI - the single-config authentication just didn't work for our multi-user needs. That's why we built Agentsfera.

🏗️ Our Solution:

• Multi-session MCP server with per-user credential isolation
• OAuth 2.0 handles authentication seamlessly
• Session routing maps requests to the right user context
• Zero credential leakage between users/organizations

🔧 Architecture:

• Orchestrator Pattern: MCP client managing multiple authenticated sessions
• Enterprise-Ready: Multi-tenant with organization-level isolation
• Production Ready: Already handling concurrent users live

Instead of modifying MCPO's architecture, we built this from the ground up for exactly your use case.

Happy to share technical details if you're interested! 🤓