Authentication

FlashMCP forwards your credentials to upstream APIs. You authenticate to the target API the same way you normally would — FlashMCP simply passes your headers through.

How it works

FlashMCP acts as a transparent proxy for authentication. When your MCP client sends a request, FlashMCP extracts specific headers and forwards them directly to the upstream API.

  • Supported headers: Authorization, X-API-Key, and any X-* custom headers
  • Your credentials never touch FlashMCP's storage — pure passthrough
  • Headers are forwarded over HTTPS to the upstream API exactly as received

Bearer tokens

Most APIs use Bearer token authentication via the Authorization header. Pass it through your MCP client config using custom headers.

claude_desktop_config.json 
{
  "mcpServers": {
    "my-api": {
      "url": "https://flashmcp.dev/api.example.com",
      "headers": {
        "Authorization": "Bearer sk-your-token-here"
      }
    }
  }
}

API keys

Some APIs use a dedicated API key header. FlashMCP forwards X-API-Key and all other X-* headers automatically.

claude_desktop_config.json 
{
  "mcpServers": {
    "my-api": {
      "url": "https://flashmcp.dev/api.example.com",
      "headers": {
        "X-API-Key": "your-api-key-here"
      }
    }
  }
}

Custom headers

Any header prefixed with X- is forwarded to the upstream API. This covers proprietary authentication schemes, tenant identifiers, and other custom headers your API may require.

claude_desktop_config.json 
{
  "mcpServers": {
    "my-api": {
      "url": "https://flashmcp.dev/api.example.com",
      "headers": {
        "X-Custom-Auth": "custom-token-value",
        "X-Tenant-ID": "tenant-12345"
      }
    }
  }
}

Multiple headers

You can combine multiple authentication headers in a single configuration. This is useful for APIs that require both an API key and a bearer token, or for APIs that use layered authentication.

claude_desktop_config.json 
{
  "mcpServers": {
    "my-api": {
      "url": "https://flashmcp.dev/api.example.com",
      "headers": {
        "Authorization": "Bearer sk-your-token-here",
        "X-API-Key": "your-api-key",
        "X-Workspace-ID": "ws-abc123"
      }
    }
  }
}

All headers listed above will be forwarded together to the upstream API on every request.

FlashMCP API key

In addition to your upstream API credentials, you need a FlashMCP API key for billing and usage tracking. You can find your API key in the FlashMCP dashboard after signing up.

Your FlashMCP API key is separate from your upstream API credentials. It goes in the X-FlashMCP-Key header.

claude_desktop_config.json 
{
  "mcpServers": {
    "stripe": {
      "url": "https://flashmcp.dev/api.stripe.com",
      "headers": {
        // Your FlashMCP API key (billing)
        "X-FlashMCP-Key": "fmcp_live_abc123...",

        // Your upstream API credentials
        "Authorization": "Bearer sk_live_..."
      }
    }
  }
}

Security

Your credentials are safe. FlashMCP never logs, stores, or inspects your authentication headers. All credentials are forwarded over HTTPS directly to the upstream API in a single request. FlashMCP operates as a stateless proxy — no session data, no credential caching, no persistence of any kind.

  • All traffic between your MCP client and FlashMCP is encrypted via TLS
  • All traffic between FlashMCP and the upstream API is encrypted via HTTPS
  • Headers are forwarded in-memory during the request and discarded immediately
  • FlashMCP is stateless — no sessions, no databases, no credential storage