feat(mcp): simplify auth to single /mcp endpoint with optional api_key query param #81
Merged
electather merged 2 commits into main from Mar 16, 2026
…y query param
Remove the custom multi-tenant path-based routing (--multi-tenant flag,
tenantRoutingHandler, /{token}/mcp paths) and replace it with a simpler
per-request API key mechanism.
Add SeerrAPIKeyMiddleware that reads the Seerr API key from the X-Api-Key
request header (always on) or the api_key query parameter when
--allow-api-key-query-param is enabled. The header takes precedence when
both are present; requests with no key are rejected with 401.
Also simplify SafeLogPath (remove multiTenant parameter) and add
SafeLogQuery to redact api_key values from logged query strings.
Closes #80
Remove --route-token flag and path-based routing entirely. The MCP endpoint is now always /mcp. All documentation (README, AGENT.md, docker-compose.yml, schema) updated to replace route-token examples with --allow-api-key-query-param and remove SEERR_MCP_ROUTE_TOKEN / SEERR_MCP_MULTI_TENANT env var references. Also remove SafeLogPath (no longer needed without path-based tokens) and simplify httpLoggingMiddleware signature accordingly. Auth validation now accepts --allow-api-key-query-param as a valid alternative to --auth-token.
Summary

Implements #80, extended to also remove --route-token as it is superseded by --allow-api-key-query-param.

Removed:
- --multi-tenant flag, TenantRoutingHandler, /{token}/mcp path-based routing
- --route-token flag and path-prefix routing (/abc123/mcp)
- SafeLogPath (no longer needed without path-based tokens)
- SEERR_MCP_ROUTE_TOKEN and SEERR_MCP_MULTI_TENANT env vars from all docs

Added:
- SeerrAPIKeyMiddleware — reads Seerr API key from X-Api-Key header (always on in HTTP mode) or ?api_key= query param (opt-in via --allow-api-key-query-param); header takes precedence; requests with no key return 401
- SafeLogQuery — redacts api_key=<value> from logged query strings
- --allow-api-key-query-param / SEERR_MCP_ALLOW_API_KEY_QUERY_PARAM flag

Auth validation updated: HTTP transport now requires --auth-token, --allow-api-key-query-param, or --no-auth.

The MCP endpoint is always /mcp.

Migration from --route-token or --multi-tenant

Clients that used /{token}/mcp or /{seerr-api-token}/mcp should migrate to:
- X-Api-Key: <key> on each /mcp request.
- --allow-api-key-query-param and use /mcp?api_key=<key>.
- --auth-token for MCP server access control.

Test plan
- TestSeerrAPIKeyMiddleware_headerOnly
- TestSeerrAPIKeyMiddleware_queryParamOnly
- TestSeerrAPIKeyMiddleware_headerPrecedenceOverQueryParam
- TestSeerrAPIKeyMiddleware_queryParamDisabled_ignoresQueryParam (returns 401)
- TestSeerrAPIKeyMiddleware_neitherPresent_returns401
- TestSeerrAPIKeyMiddleware_queryParam_sensitiveValueNotLogged
- TestRouteTokenFlagNotRegistered
- TestMultiTenantFlagNotRegistered
- TestAllowAPIKeyQueryParamFlagRegistered
- TestSafeLogQuery (table-driven)
- TestAPIKeyContextPropagation
- -race
- go vet ./... and go fmt ./... clean
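
The behaviour described in this pull request (header precedence, opt-in query parameter, 401 when no key is present, and redaction of api_key in logged query strings), as an added Go example that is not the project's code. The names apiKeyMiddleware, keyFromContext and redactQuery and the redaction marker strings are hypothetical, not the PR's SeerrAPIKeyMiddleware or SafeLogQuery.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
)

type ctxKey struct{}

// apiKeyMiddleware (hypothetical name) takes the key from X-Api-Key first and
// falls back to ?api_key= only when allowQuery is set; no key means 401.
func apiKeyMiddleware(allowQuery bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := r.Header.Get("X-Api-Key")
		if key == "" && allowQuery {
			key = r.URL.Query().Get("api_key")
		}
		if key == "" {
			http.Error(w, "missing API key", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, key)))
	})
}

// keyFromContext returns the key stored by apiKeyMiddleware, or "".
func keyFromContext(ctx context.Context) string {
	key, _ := ctx.Value(ctxKey{}).(string)
	return key
}

// redactQuery masks api_key values before a query string is logged.
func redactQuery(raw string) string {
	vals, err := url.ParseQuery(raw)
	if err != nil {
		return "UNPARSEABLE-QUERY-OMITTED" // fail closed: never log what we cannot parse
	}
	if _, ok := vals["api_key"]; ok {
		vals["api_key"] = []string{"REDACTED"}
	}
	return vals.Encode()
}

func main() {
	// Constructed sample query; the key value is a placeholder.
	fmt.Println(redactQuery("api_key=sample-key&session=42"))
}
```

Redaction inside the server covers only its own log lines; a reverse proxy or access log in front of it that records the full URL still sees the query-string key, which the header form avoids.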