Skip to main content
Auth Overrides let you replace an MCP server’s default credentials with user-specific tokens. As a manager, you can create, view, and delete overrides for any user on the server. When an override is set for a user or virtual account, the Gateway uses their override token instead of the server’s default credentials for all requests made by that entity.

When to use Auth Overrides

Auth Overrides are useful when:
  • The upstream MCP server requires user-specific API keys (e.g., each developer has their own key for a third-party service)
  • You need to attribute API usage to individual users at the downstream service
  • The upstream service enforces per-user rate limits or permissions
Auth Overrides work with API Key authentication configured with Individual Credentials. When Individual Credentials is selected, the header value uses a placeholder like Bearer {{API_KEY}}, and each user must supply their own key before they can use the MCP server.
For details on configuring API Key authentication with Shared or Individual Credentials, see the Getting Started guide.

Managing Auth Overrides

Navigate to the MCP server detail page and click on the Auth Overrides tab to view all existing overrides. Auth Overrides Tab The Auth Overrides table shows the following columns:
ColumnDescription
EntityThe user or virtual account the override applies to
TypeWhether the entity is a user or virtual account
AuthThe authentication type being overridden
Updated byWho last modified this override
CredentialsThe masked credential value

Adding an Auth Override

1

Open the Auth Overrides tab

Navigate to the MCP server detail page and click the Auth Overrides tab.
2

Click Add Override

Click the + Add Override button in the top right corner.
3

Configure the override

  • Subject: Select the user or virtual account that will use this override
  • API KEY: Enter the API key that this user should use when calling the upstream MCP server Add Auth Override
4

Submit

Click Submit to save the override. The Gateway will now use this key for all requests made by the selected user.

Editing or Deleting an Override

To update an existing override, click the edit icon next to the override in the Auth Overrides table. To delete an override, click the delete icon — the user will revert to the server’s default credentials (if any).

How Auth Overrides work at runtime

When a user makes a request through the Gateway to an MCP server with Auth Overrides configured:
  1. The Gateway authenticates the user (inbound authentication)
  2. The Gateway checks if an Auth Override exists for this user on this MCP server
  3. If an override exists: The Gateway injects the user’s override credentials into the request
  4. If no override exists: The Gateway uses the server’s default credentials (for Shared Credentials) or returns an error (for Individual Credentials)
For MCP servers configured with Individual Credentials, users without an Auth Override will not be able to use the server until an override is created for them.