MCP with OAuth is not supported. Only custom header with X-API-Key.

Author: neoneye

docs/mcp/planexe_mcp_interface.md

@@ -416,6 +416,12 @@ At minimum:
 - logs may include model prompts/responses → treat logs as sensitive artifacts
 - allow a config option to redact prompt content in event streaming
 
+### 10.4 Authentication mode
+
+- MCP authentication is API-key header based.
+- Clients should send `X-API-Key: pex_...` on MCP requests.
+- OAuth is not supported for the MCP API.
+
 ---
 
 ## 11. Performance Requirements

mcp_cloud/README.md

@@ -35,8 +35,9 @@ docker compose up --build mcp_cloud
 
 mcp_cloud exposes HTTP endpoints on port `8001` (or `${PLANEXE_MCP_HTTP_PORT}`). Authentication is controlled by `PLANEXE_MCP_REQUIRE_AUTH`:
 - `false`: no API key needed (local docker default).
-- `true`: provide a valid `X-API-Key` or `Authorization: Bearer <key>`.
+- `true`: provide a valid `X-API-Key`.
 Accepted keys are (1) UserApiKey from home.planexe.org (`pex_...`), or (2) `PLANEXE_MCP_API_KEY` if set (for dev or shared secret).
+OAuth is not supported for the MCP API.
 
 ### Connecting via HTTP/URL
 
@@ -72,21 +73,6 @@ After starting with Docker, configure your MCP client (e.g., LM Studio) to conne
 }
 ```
 
-**Alternative header format** (also supported):
-
-```json
-{
-  "mcpServers": {
-    "planexe": {
-      "url": "https://your-app.up.railway.app/mcp",
-      "headers": {
-        "API_KEY": "your-api-key-here"
-      }
-    }
-  }
-}
-```
-
 Use a UserApiKey from home.planexe.org, or set `PLANEXE_MCP_API_KEY` to a shared secret for local/dev use.
 
 ### Available HTTP Endpoints
@@ -176,9 +162,8 @@ Steps:
 
 ### Production (with API key authentication)
 
-When auth is enabled, the inspector must send the key
-with every request. The inspector proxy forwards the `Authorization` header to
-the remote server.
+When auth is enabled, the inspector must send the key with every request.
+Do not use the inspector OAuth flow for PlanExe MCP.
 
 ```bash
 npx @modelcontextprotocol/inspector --transport http --server-url https://mcp.planexe.org/mcp/
@@ -187,14 +172,11 @@ npx @modelcontextprotocol/inspector --transport http --server-url https://mcp.pl
 Steps:
 1. In the inspector UI, expand **"Authentication"** in the left sidebar
 2. Select **Custom Headers**
-3. Add a header. Either:
-   - **X-API-Key** → your API key (e.g. `pex_...`)
-   - or **Authorization** → `Bearer pex_...` (include the word `Bearer` and a space)
+3. Add header **X-API-Key** with your API key value (e.g. `pex_...`)
 4. Click **"Connect"**
 5. Click **"Tools"** then **"List Tools"** to verify
 
-The inspector forwards these headers to the remote server, which accepts
-`Authorization: Bearer <key>`, `X-API-Key`, or `API_KEY`.
+The inspector forwards this custom header to the remote server.
 
 **CORS errors:** If you see "CORS preflight response did not succeed" or "status
 code: 400" in the browser console when connecting to a deployed MCP server:

mcp_cloud/http_server.py

@@ -136,7 +136,7 @@ async def _validate_api_key(request: Request) -> Optional[JSONResponse]:
         return JSONResponse(
             status_code=401,
             content={
-                "detail": "Missing API key. Use Authorization: Bearer <key> or X-API-Key."
+                "detail": "Missing API key. Use X-API-Key."
             },
         )
 
@@ -640,7 +640,7 @@ def root() -> dict[str, Any]:
         },
         "documentation": "See /docs for OpenAPI documentation",
         "authentication": (
-            "Required: X-API-Key or Authorization: Bearer <key> (UserApiKey from home.planexe.org, "
+            "Required: X-API-Key (UserApiKey from home.planexe.org, "
             "or PLANEXE_MCP_API_KEY)"
             if AUTH_REQUIRED
             else "Disabled (PLANEXE_MCP_REQUIRE_AUTH=false)"

public/llms.txt

@@ -81,6 +81,7 @@ Cloud:
 2. Go to Account -> API Keys
 3. Generate a new API key
 4. Use as custom header X-API-Key: <API_KEY>
+5. OAuth is not supported for the MCP API. Use custom headers only.
 
 Local/self-hosted deployments:
 - Often configured without auth for local development.