> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Set a per-subject auth override

> Installs (or replaces) a per-subject auth override on an MCP server. Use this when a specific user or service account should authenticate against the upstream MCP server with credentials different from the server's default `auth_data`. Permissions: callers with `MANAGE_MCP_SERVER` (MCP managers) may set the override for any subject; other callers may only set their own override.



## OpenAPI

````yaml /openapi.json put /api/svc/v1/mcp/{mcpServerId}/auth
openapi: 3.1.0
info:
  title: TrueFoundry API
  description: API for TrueFoundry
  version: 0.1.0
  contact: {}
servers:
  - url: https://{controlPlaneURL}
    variables:
      controlPlaneURL:
        default: app.truefoundry.com
        description: Control Plane URL
security: []
tags:
  - name: Agent
  - name: Agent Skills
  - name: Applications
  - name: Metrics
  - name: Apply
  - name: Artifacts
  - name: Audit Logs
  - name: Clusters
  - name: Jobs
  - name: Logs
  - name: MCP Servers V2
  - name: MLRepos
  - name: Model Deployments
  - name: Models
  - name: Personal Access Tokens
  - name: Prompts
  - name: Provider Integrations
  - name: SCIM v2
  - name: Secret Groups
  - name: Secrets
  - name: Teams
  - name: Traces
  - name: Users
  - name: Virtual Accounts
  - name: Role Bindings
  - name: Workspaces
paths:
  /api/svc/v1/mcp/{mcpServerId}/auth:
    put:
      tags:
        - MCP Servers V2
      summary: Set a per-subject auth override
      description: >-
        Installs (or replaces) a per-subject auth override on an MCP server. Use
        this when a specific user or service account should authenticate against
        the upstream MCP server with credentials different from the server's
        default `auth_data`. Permissions: callers with `MANAGE_MCP_SERVER` (MCP
        managers) may set the override for any subject; other callers may only
        set their own override.
      operationId: MCPServerV2.createOrUpdateMCPUserAuth
      parameters:
        - name: mcpServerId
          required: true
          in: path
          description: MCP server id (the `id` returned by `GET /v1/mcp`, not the `name`).
          schema:
            example: mcp-01HXYZ...
            type: string
      requestBody:
        required: true
        description: Per-subject credential override input.
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MCPUserAuthInputV2'
      responses:
        '200':
          description: Auth override saved.
        '400':
          description: >-
            Invalid body, or this MCP server's auth configuration does not
            support per-subject overrides.
        '403':
          description: >-
            Caller is not an MCP manager for this server (required when
            overriding another subject).
        '404':
          description: MCP server or subject not found.
      security:
        - jwt: []
components:
  schemas:
    MCPUserAuthInputV2:
      type: object
      required:
        - subjectId
        - subjectType
        - authOverride
      properties:
        subjectId:
          description: >-
            Principal id for this auth override (user id, virtual account id,
            etc.).
          type: string
          minLength: 1
        subjectType:
          description: Principal type for this auth override.
          type: string
          enum:
            - user
            - virtualaccount
        authOverride:
          $ref: '#/components/schemas/MCPUserAuthOverride'
      title: MCPUserAuthInputV2
      x-fern-type-name: MCPUserAuthInputV2
    MCPUserAuthOverride:
      type: object
      oneOf:
        - $ref: '#/components/schemas/HeaderAuthOverride'
        - $ref: '#/components/schemas/OAuth2ClientCredentialsOverride'
        - $ref: '#/components/schemas/EnvAuthOverride'
      title: MCPUserAuthOverride
      x-fern-type-name: MCPUserAuthOverride
    HeaderAuthOverride:
      description: Override authentication with a static header value.
      type: object
      required:
        - type
        - headerValue
      properties:
        type:
          description: +value=header
          type: string
          enum:
            - header
        headerValue:
          description: Provide your token for authentication.
          type: string
          minLength: 1
      title: HeaderAuthOverride
      x-fern-type-name: HeaderAuthOverride
    OAuth2ClientCredentialsOverride:
      description: >-
        Provide OAuth2 client credentials for the selected virtual account. Only
        available when the MCP server uses OAuth2 authentication.
      type: object
      required:
        - type
        - clientId
        - clientSecret
      properties:
        type:
          description: +value=oauth2_client_credentials
          type: string
          enum:
            - oauth2_client_credentials
        clientId:
          description: >-
            Client ID for OAuth2 or TrueFoundry secret FQN containing the client
            ID.
          type: string
          pattern: ^\S+$
        clientSecret:
          description: >-
            Client secret for OAuth2 or TrueFoundry secret FQN containing the
            client secret.
          type: string
          minLength: 1
      title: OAuth2ClientCredentialsOverride
      x-fern-type-name: OAuth2ClientCredentialsOverride
    EnvAuthOverride:
      description: >-
        Override stdio env authentication with a secret value used to replace
        the {{placeholder}} in the server env configuration.
      type: object
      required:
        - type
        - apiKey
      properties:
        type:
          description: +value=env
          type: string
          enum:
            - env
        apiKey:
          description: API key for stdio env auth.
          type: string
          minLength: 1
      title: EnvAuthOverride
      x-fern-type-name: EnvAuthOverride
  securitySchemes:
    jwt:
      type: http
      scheme: bearer
      bearerFormat: JWT

````