0mcp translates and forwards requests. Your API still owns its business logic, data, authentication, and authorization decisions.
Request flow
When an AI client calls a tool, the request follows this path:Authentication
Authentication stays with your API. When a tool requires authentication, the MCP client provides the necessary credentials, such as a Bearer token or API key, when invoking the tool. 0mcp securely forwards those credentials to your upstream API as part of the HTTP request. Your API authenticates the request exactly as it would for any other client. This means:- No changes to your existing authentication system
- No shared API secrets stored in 0mcp
- Your API remains the source of truth for authorization