Skip to main content
0mcp uses a pass-through authentication model. Instead of storing or managing your API credentials, 0mcp forwards the credentials provided by the MCP client to your upstream API. Your existing authentication and authorization logic continues to work exactly as it does today.
0mcp is a pass-through, not an authentication provider. Your API remains responsible for checking credentials and deciding what the caller can access.

How it works

When a tool requires authentication, the request follows this flow:
MCP Client

Authorization / API Key

Hosted 0mcp Server

Credentials forwarded

Your API
0mcp does not authenticate the upstream request itself. It forwards the required credentials and returns your API’s response to the client.

Supported authentication methods

0mcp supports the authentication methods commonly defined in OpenAPI specifications.

Bearer tokens

Forwarded using the standard HTTP header:
Authorization: Bearer YOUR_TOKEN
Bearer tokens are suitable for JWTs, OAuth access tokens, and other bearer-based authentication.

Header API keys

Forwarded using the header defined by your API. Example:
X-API-Key: YOUR_API_KEY

Query API keys

Some APIs require authentication as a query parameter. To avoid exposing secrets in client configurations, 0mcp provides a secure gateway header. During the request, 0mcp automatically converts that header into the required query parameter before sending the request to your upstream API.
Do not add an API key directly to your MCP endpoint URL. Use the gateway header generated on the Setup page.

Authentication scope

Authentication requirements are determined from your published OpenAPI specification. Credentials can be required:
  • For the entire MCP server
  • For specific tools only
The Setup page automatically detects these requirements and tells you which credentials your MCP client must provide.

Security best practices

  • Store credentials in environment variables or your client’s secure credential store.
  • Never commit API keys or access tokens to source control.
  • Avoid sharing credentials in screenshots or configuration files.
  • Rotate credentials regularly using your existing API security practices.

What 0mcp stores

0mcp is designed to pass requests through, not store secrets. 0mcp does not store:
  • Bearer tokens
  • API keys
  • Authentication headers
  • Request payloads
  • Response payloads
The Playground stores your AI provider key only in your browser’s session storage, and credentials are never recorded in activity logs.
Activity logs contain only the operational details needed to understand server health and usage, such as status, response time, capability name, and data size.

Important

Signing in to your 0mcp account only gives you access to the 0mcp dashboard. It does not authenticate requests to your upstream API. Every protected tool call still requires the credentials expected by your API.
If authentication fails, see Authentication errors for troubleshooting.