HTTP Authorization
The HTTP Streaming transport specifies OAuth 2.1 for authentication. To work this needs to be implemented in both the MCP client and the MCP server. As of Spring 2025, this is not yet widely implemented.
The SSE transport only specified Implement proper authentication for all SSE connections. As again this needs to be implemented in both the MCP client and MCP server to work, this guidance is not sufficient for interoperability. THe MCP inspector lets you set a bearer token, and there are some who followed this lead. That being said, the SSE transport is now deprecated.
For stdio transports, there is no authentication; that is left entirely up to fly mcp proxy and fly mcp wrap. As these commands are designed to be used with an MCP server that was only intended to be used by a single user at a time, OAuth is substantial overkill for this purpose. Instead these commands support both basic and bearer HTTP Authorization.
To use basic authentication, set two secrets in your application. For example:
fly secrets set FLY_MCP_USER=Admin FLY_MCP_PASSWORD=S3cr3t
To use bearer authentication, set one secret in your application. For example:
fly secrets set FLY_MCP_BEARER_TOKEN=T0k3n
If you are using MacOs, Linux, or WSL2, the following command may be useful for generating a token:
openssl rand -base64 18
And then on the client side pass the same values to the proxy as flags:
For basic:
{
"mcpServers": {
"filesystem": {
"command": "/Users/rubys/.fly/bin/flyctl",
"args": [
"mcp",
"proxy",
"--url=https://mcp.fly.dev/",
"--user",
"Admin",
"--password",
"S3cr3t"
]
}
}
}
For bearer:
{
"mcpServers": {
"filesystem": {
"command": "/Users/rubys/.fly/bin/flyctl",
"args": [
"mcp",
"proxy",
"--url=https://mcp.fly.dev/",
"--bearer-token",
"T0k3n"
]
}
}
}
From a security point of view, there is not a substantial difference between these two authentication methods. Pick the one you fine most convenient.