0mcp is a pass-through, not an authentication provider. Your API remains responsible for checking credentials and deciding what the caller can access.
How it works
When a tool requires authentication, the request follows this flow:Supported authentication methods
0mcp supports the authentication methods commonly defined in OpenAPI specifications.Bearer tokens
Forwarded using the standard HTTP header:Header API keys
Forwarded using the header defined by your API. Example:Query API keys
Some APIs require authentication as a query parameter. To avoid exposing secrets in client configurations, 0mcp provides a secure gateway header. During the request, 0mcp automatically converts that header into the required query parameter before sending the request to your upstream API.Authentication scope
Authentication requirements are determined from your published OpenAPI specification. Credentials can be required:- For the entire MCP server
- For specific tools only
Security best practices
- Store credentials in environment variables or your client’s secure credential store.
- Never commit API keys or access tokens to source control.
- Avoid sharing credentials in screenshots or configuration files.
- Rotate credentials regularly using your existing API security practices.
What 0mcp stores
0mcp is designed to pass requests through, not store secrets. 0mcp does not store:- Bearer tokens
- API keys
- Authentication headers
- Request payloads
- Response payloads
Activity logs contain only the operational details needed to understand server health and usage, such as status, response time, capability name, and data size.