Updated the authentication field to take just the token

client-sdks/stainless/openapi.yml

@@ -7135,7 +7135,8 @@ components:
         authorization:
           type: string
           description: >-
-            (Optional) Bearer token authorization string (format: "Bearer <token>")
+            (Optional) OAuth access token for authenticating with the MCP server (provide
+            just the token, not "Bearer <token>")
         require_approval:
           oneOf:
             - type: string

docs/static/llama-stack-spec.yaml

@@ -6419,7 +6419,8 @@ components:
         authorization:
           type: string
           description: >-
-            (Optional) Bearer token authorization string (format: "Bearer <token>")
+            (Optional) OAuth access token for authenticating with the MCP server (provide
+            just the token, not "Bearer <token>")
         require_approval:
           oneOf:
             - type: string

docs/static/stainless-llama-stack-spec.yaml

@@ -7135,7 +7135,8 @@ components:
         authorization:
           type: string
           description: >-
-            (Optional) Bearer token authorization string (format: "Bearer <token>")
+            (Optional) OAuth access token for authenticating with the MCP server (provide
+            just the token, not "Bearer <token>")
         require_approval:
           oneOf:
             - type: string

src/llama_stack/apis/agents/openai_responses.py

@@ -487,7 +487,7 @@ class OpenAIResponseInputToolMCP(BaseModel):
     :param server_label: Label to identify this MCP server
     :param server_url: URL endpoint of the MCP server
     :param headers: (Optional) HTTP headers to include when connecting to the server
-    :param authorization: (Optional) Bearer token authorization string (format: "Bearer <token>")
+    :param authorization: (Optional) OAuth access token for authenticating with the MCP server (provide just the token, not "Bearer <token>")
     :param require_approval: Approval requirement for tool calls ("always", "never", or filter)
     :param allowed_tools: (Optional) Restriction on which tools can be used from this server
     """
@@ -496,8 +496,8 @@ class OpenAIResponseInputToolMCP(BaseModel):
     server_label: str
     server_url: str
     headers: dict[str, Any] | None = None
-    # OpenAI's MCP authorization currently only supports bearer tokens as a simple string
-    # Format: "Bearer <token>" (e.g., "Bearer my-secret-token")
+    # OAuth access token for MCP server authentication
+    # Provide just the token (e.g., "my-secret-token"), the "Bearer " prefix will be added automatically
     authorization: str | None = None
 
     require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never"

src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py

@@ -1085,7 +1085,8 @@ class StreamingResponseOrchestrator:
                 # Don't override existing Authorization header (case-insensitive check)
                 existing_keys_lower = {k.lower() for k in headers.keys()}
                 if "authorization" not in existing_keys_lower:
-                    headers["Authorization"] = mcp_tool.authorization
+                    # OAuth access token - add "Bearer " prefix
+                    headers["Authorization"] = f"Bearer {mcp_tool.authorization}"
 
             async with tracing.span("list_mcp_tools", attributes):
                 tool_defs = await list_mcp_tools(

src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py

@@ -305,7 +305,8 @@ class ToolExecutor:
                     # Don't override existing Authorization header (case-insensitive check)
                     existing_keys_lower = {k.lower() for k in headers.keys()}
                     if "authorization" not in existing_keys_lower:
-                        headers["Authorization"] = mcp_tool.authorization
+                        # OAuth access token - add "Bearer " prefix
+                        headers["Authorization"] = f"Bearer {mcp_tool.authorization}"
 
                 async with tracing.span("invoke_mcp_tool", attributes):
                     result = await invoke_mcp_tool(

tests/integration/responses/test_mcp_authentication.py

@@ -33,7 +33,7 @@ def test_mcp_authorization_bearer(compat_client, text_model_id):
                     "type": "mcp",
                     "server_label": "auth-mcp",
                     "server_url": "<FILLED_BY_TEST_RUNNER>",
-                    "authorization": f"Bearer {test_token}",
+                    "authorization": test_token,  # Just the token, not "Bearer <token>"
                 }
             ],
             mcp_server_info,
@@ -70,7 +70,7 @@ def test_mcp_authorization_different_token(compat_client, text_model_id):
                     "type": "mcp",
                     "server_label": "auth2-mcp",
                     "server_url": "<FILLED_BY_TEST_RUNNER>",
-                    "authorization": f"Bearer {test_token}",
+                    "authorization": test_token,  # Just the token, not "Bearer <token>"
                 }
             ],
             mcp_server_info,
@@ -106,7 +106,7 @@ def test_mcp_authorization_fallback_to_headers(compat_client, text_model_id):
                     "server_label": "headers-mcp",
                     "server_url": "<FILLED_BY_TEST_RUNNER>",
                     "headers": {"Authorization": f"Bearer {test_token}"},
-                    "authorization": "Bearer should-not-override",
+                    "authorization": "should-not-override",  # Just the token
                 }
             ],
             mcp_server_info,