From d07962129dcc64b80067e018c02e488c699408ab Mon Sep 17 00:00:00 2001 From: Dan Barr <6922515+danbarr@users.noreply.github.com> Date: Thu, 11 Jun 2026 22:40:51 -0400 Subject: [PATCH] Document bearer token auth for CLI remote servers The CLI guide covered only OAuth/OIDC flows for remote MCP server authentication. Add a Bearer token subsection covering the --remote-auth-bearer-token and --remote-auth-bearer-token-file flags, matching the coverage already present in the UI guide. Closes #456. Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/toolhive/guides-cli/run-mcp-servers.mdx | 29 ++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/toolhive/guides-cli/run-mcp-servers.mdx b/docs/toolhive/guides-cli/run-mcp-servers.mdx index e08a58ad..bc5fa0a4 100644 --- a/docs/toolhive/guides-cli/run-mcp-servers.mdx +++ b/docs/toolhive/guides-cli/run-mcp-servers.mdx @@ -713,6 +713,35 @@ authorization server using one of two mechanisms: Either path eliminates the need to pre-configure a client ID and secret for authorization servers that support them. +#### Bearer token authentication + +Some remote MCP servers accept a static bearer token in the `Authorization` +header instead of a full OAuth flow. Use `--remote-auth-bearer-token` to provide +the token directly: + +```bash +thv run https://api.example.com/mcp \ + --name my-server \ + --remote-auth-bearer-token +``` + +ToolHive sends the value as an `Authorization: Bearer ` header on every +request forwarded to the remote server. The token is stored in ToolHive's +secrets manager; only a reference to it is saved in the run configuration, never +the token itself. + +To keep the token out of your shell history and process list, store it in a file +and reference it with `--remote-auth-bearer-token-file`: + +```bash +thv run https://api.example.com/mcp \ + --name my-server \ + --remote-auth-bearer-token-file ./token.txt +``` + +For servers that expect the credential in a different header, such as +`X-API-Key`, use [forwarded headers](#inject-custom-headers) instead. + #### OIDC authentication For servers using OpenID Connect (OIDC), provide the issuer URL, client ID, and