fix: MCP authorization parameter implementation (#4052)

# What does this PR do? Adding a user-facing `authorization ` parameter to MCP tool definitions that allows users to explicitly configure credentials per MCP server, addressing GitHub Issue #4034 in a secure manner. ## Test Plan tests/integration/responses/test_mcp_authentication.py --------- Co-authored-by: Omar Abdelwahab <omara@fb.com> Co-authored-by: Ashwin Bharambe <ashwin.bharambe@gmail.com>
2025-12-03 09:53:45 +00:00 · 2025-11-14 08:54:42 -08:00 · 2025-11-14 08:54:42 -08:00 · eb545034ab
commit eb545034ab
parent dc49ad3f89
34 changed files with 5205 additions and 62 deletions
--- a/docs/static/llama-stack-spec.yaml
+++ b/docs/static/llama-stack-spec.yaml
@ -1878,6 +1878,13 @@ paths:
          required: false
          schema:
            $ref: '#/components/schemas/URL'
+        - name: authorization
+          in: query
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server.
+          required: false
+          schema:
+            type: string
      deprecated: false
  /v1/toolgroups:
    get:
@ -6182,6 +6189,10 @@ components:
              - type: object
          description: >-
            (Optional) HTTP headers to include when connecting to the server
+        authorization:
+          type: string
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server
        require_approval:
          oneOf:
            - type: string
@ -8366,6 +8377,10 @@ components:
              - type: object
          description: >-
            A dictionary of arguments to pass to the tool.
+        authorization:
+          type: string
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server.
      additionalProperties: false
      required:
        - tool_name
--- a/docs/static/stainless-llama-stack-spec.yaml
+++ b/docs/static/stainless-llama-stack-spec.yaml
@ -2054,6 +2054,13 @@ paths:
          required: false
          schema:
            $ref: '#/components/schemas/URL'
+        - name: authorization
+          in: query
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server.
+          required: false
+          schema:
+            type: string
      deprecated: false
  /v1/toolgroups:
    get:
@ -7123,6 +7130,10 @@ components:
              - type: object
          description: >-
            (Optional) HTTP headers to include when connecting to the server
+        authorization:
+          type: string
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server
        require_approval:
          oneOf:
            - type: string
@ -9307,6 +9318,10 @@ components:
              - type: object
          description: >-
            A dictionary of arguments to pass to the tool.
+        authorization:
+          type: string
+          description: >-
+            (Optional) OAuth access token for authenticating with the MCP server.
      additionalProperties: false
      required:
        - tool_name