MCP Docs
Authentication Strategy
Admin
2026/4/2
Automatic OpenAPI signing
When MCP tools call /api/open/*, the server automatically injects:
- x-user-id
- x-timestamp
- x-sign
Signing rule:
signContent = userId + timestamp + bodyHash
Where:
- For GET and DELETE, bodyHash is an empty string
- For POST, PUT, and PATCH, bodyHash is the SHA256 hash of the JSON body
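The signing rule above, as an added example that is not the project's own code: it builds signContent per HTTP method and shows that the receiving side must hash the exact body bytes that were sent, since re-serialized JSON no longer verifies. Assumptions: bodyHash is lowercase hex, and x-sign is HMAC-SHA256 of signContent under a shared secret (the page does not state how x-sign is derived); the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

EMPTY_HASH_METHODS = {"GET", "DELETE"}
BODY_HASH_METHODS = {"POST", "PUT", "PATCH"}

def body_hash(method: str, body: bytes) -> str:
    """bodyHash per the rule above: empty for GET/DELETE, SHA256 of the body otherwise."""
    method = method.upper()
    if method in EMPTY_HASH_METHODS:
        return ""
    if method in BODY_HASH_METHODS:
        return hashlib.sha256(body).hexdigest()  # assumption: lowercase hex encoding
    raise ValueError(f"no signing rule stated for {method}")

def sign_content(user_id, timestamp, method: str, body: bytes = b"") -> str:
    """signContent = userId + timestamp + bodyHash (plain concatenation)."""
    return f"{user_id}{timestamp}{body_hash(method, body)}"

def signed_headers(user_id, timestamp, method, body, secret: bytes) -> dict:
    # Assumption: x-sign is HMAC-SHA256(secret, signContent) in hex.
    sig = hmac.new(secret, sign_content(user_id, timestamp, method, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"x-user-id": str(user_id), "x-timestamp": str(timestamp), "x-sign": sig}

def verify(headers: dict, method: str, body: bytes, secret: bytes) -> bool:
    """Recompute x-sign from the received headers and raw body; constant-time compare."""
    try:
        expected = signed_headers(headers["x-user-id"], headers["x-timestamp"],
                                  method, body, secret)["x-sign"]
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, headers.get("x-sign", ""))

def demo() -> dict:
    secret = b"constructed-demo-secret"               # constructed sample value
    payload = {"title": "hello", "tags": ["a", "b"]}  # constructed sample body
    sent = json.dumps(payload, separators=(",", ":")).encode()
    headers = signed_headers("u42", 1700000000000, "POST", sent, secret)
    respaced = json.dumps(payload, indent=2).encode()  # same JSON, different bytes
    return {
        "exact_bytes": verify(headers, "POST", sent, secret),
        "reserialized": verify(headers, "POST", respaced, secret),
        "edited_timestamp": verify({**headers, "x-timestamp": "1700000000001"},
                                   "POST", sent, secret),
    }

if __name__ == "__main__":
    print(demo())
```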
Session cookie forwarding
For admin and user APIs, the MCP server forwards MCP_SESSION_COOKIE to the upstream API as-is.
