When to Use
Your agent includes headers with context that the MCP server needs. Maybe a trace ID for distributed tracing. Maybe a tenant ID for multi-tenant servers. Maybe custom metadata your server expects. Without header forwarding, these headers stop at Portkey. With it, they pass through to the MCP server. Common scenarios:- Distributed tracing. Forward
x-request-id,x-trace-id,x-correlation-idto correlate logs across services. - Multi-tenancy. Forward
x-tenant-id,x-org-idfor tenant-scoped operations. - User context. Forward
x-user-id,x-user-rolefor upstream authorization. - Custom metadata. Forward application-specific headers your MCP server expects.
Configuration
Configureforward_headers when adding or editing an MCP server in the MCP Registry.
Allowlist Specific Headers
Forward only the headers you specify:Explicit Allowlist Mode
The same behavior with explicit configuration:Forward All Except Specific Headers
Forward everything except headers you exclude:Security
Protected Headers
These headers are never forwarded regardless of your configuration:
In
all-except mode, these are automatically added to the blocklist. You cannot override this behavior.
Identity Headers Are Protected
If you use Identity Forwarding, identity headers are also protected:X-User-ClaimsX-User-JWT
Header Priority
When multiple sources provide headers, they merge in this order (later values override earlier ones):
Why this order matters:
- Authentication headers configured on the server cannot be overridden by agents
- Static passthrough headers take precedence over agent headers
- Identity headers always win—agents cannot spoof user identity
X-Custom: server-value (server config wins).
Agent Configuration
Include headers in your MCP client configuration:- Python
- TypeScript
Example: Distributed Tracing
You want to correlate MCP requests with your application’s traces. Server configuration:Example: Multi-Tenant Server
Your internal MCP server needs tenant context to scope data access. Server configuration:Combining with Identity Forwarding
Header forwarding and identity forwarding serve different purposes:
Use both together:
x-request-idandx-trace-idfrom the agent (for tracing)X-User-Claimsfrom Portkey (for user identity)

