docs: Document MCP streamable HTTP auth parameters

claudespice · lukekim · commit 72fa531b476a · 2026-05-20T11:21:49.000+09:00
Adds `mcp_auth_token` and `mcp_headers` parameter coverage to the MCP Tools docs to match spiceai/spiceai#10927. Source: spiceai/spiceai#10927
diff --git a/website/docs/components/tools/mcp.md b/website/docs/components/tools/mcp.md
@@ -38,6 +38,34 @@ tools:
     from: mcp:http://example.com/v1/mcp
 ```
 
+### Example: Connecting to an Auth-Enabled MCP Server (Streamable HTTP)
+
+Streamable HTTP MCP tools support sending an `Authorization: Bearer` token via `mcp_auth_token`, or arbitrary HTTP headers via `mcp_headers`. Both parameters resolve [secret references](../secret-stores/) before the MCP client is constructed.
+
+Sending a bearer token:
+
+```yaml
+tools:
+  - name: remote_spice
+    from: mcp:https://my-spice.example.com/v1/mcp
+    params:
+      # Sends: Authorization: Bearer <expanded secret value>
+      mcp_auth_token: ${ secrets:MCP_SERVER_API_KEY }
+```
+
+Sending a custom header (e.g., API key):
+
+```yaml
+tools:
+  - name: remote_spice
+    from: mcp:https://my-spice.example.com/v1/mcp
+    params:
+      # Sends: X-API-Key: <expanded secret value>
+      mcp_headers: 'X-API-Key: ${ secrets:MCP_SERVER_API_KEY }'
+```
+
+If both `mcp_auth_token` and a custom `Authorization` header in `mcp_headers` are set, `mcp_auth_token` wins and a warning is logged.
+
 ## Using MCP Tools with Models
 
 Once configured, MCP tools can be assigned to models via the `tools` parameter. For example:
@@ -87,7 +115,9 @@ The `from` field specifies the transport mechanism for the MCP tool:
 
 ### `params`
 
-The `params` field provides additional configuration for MCP tools. For stdio-based tools, use `mcp_args` to specify command-line arguments.
+The `params` field provides additional configuration for MCP tools.
+
+For stdio-based tools, use `mcp_args` to specify command-line arguments:
 
 ```yaml
 tools:
@@ -97,6 +127,13 @@ tools:
       mcp_args: -y @custom/tool
 ```
 
+For Streamable HTTP tools, the following auth parameters are supported:
+
+- `mcp_auth_token` — Sends `Authorization: Bearer <token>` on every request to the MCP server.
+- `mcp_headers` — Sends additional HTTP headers using the same `Header: Value` comma- or semicolon-delimited format as the [HTTP data connector's `http_headers`](../data-connectors/https). Header values are marked sensitive.
+
+Both parameters support [secret expansion](../secret-stores/). When `mcp_auth_token` is set, an `Authorization` header in `mcp_headers` is ignored and a warning is logged to avoid duplicate auth headers.
+
 ### `env`
 
 For stdio-based MCP tools, environment variables can be set using the `env` field.
