Skip to main content
Auth Overrides let you replace an MCP server’s default outbound credentials with user-specific tokens. When an override exists for the caller, the Gateway uses that value instead of the server’s configured defaults for upstream requests.

When to use Auth Overrides

Auth Overrides are useful when:
  • The upstream MCP server requires user-specific API keys (e.g., each developer has their own key for a third-party service)
  • You need to attribute API usage to individual users at the downstream service
  • The upstream service enforces per-user rate limits or permissions

Managing Auth Overrides

Navigate to the MCP server detail page and click on the Auth Overrides tab to view all existing overrides. Auth Overrides Tab The Auth Overrides table shows the following columns:
ColumnDescription
EntityThe user or virtual account the override applies to
TypeWhether the entity is a user or virtual account
AuthThe authentication type being overridden
Updated byWho last modified this override
CredentialsThe masked credential value

Adding an Auth Override

1

Open the Auth Overrides tab

Navigate to the MCP server detail page and click the Auth Overrides tab.
2

Click Add Override

Click the + Add Override button in the top right corner.
3

Configure the override

  • Subject (managers only): Select the user or virtual account that will use this override
  • Credential: The API key, secret, or full header value as required by the server’s auth mode (for non-template configs, provide the complete value used for Authorization header) Add Auth Override
4

Submit

Click Submit to save the override. The Gateway will now use this credential for all requests made by the selected subject.

Editing or Deleting an Auth Override

Update - click the edit icon next to the override in the Auth Overrides table. Delete - click the delete icon, the user will revert to the server’s default credentials (if any).
Changing outbound auth (type, Shared vs Individual, or related settings) can delete overrides on some transitions.

Permissions

MCP Server Manager

  • Open the Auth Overrides tab on supported servers.
  • List all overrides. The table columns are Entity, Type, Auth, Updated by, and Credentials (masked values).
  • Delete any override.

User (non-manager)

  • Add overrides only for API Key with Individual Credentials
  • View overrides they added.
  • Delete only their override.

Override support

By outbound auth

Outbound authWho can add overrides
API Key (Individual Credentials)MCP Server Managers and MCP Server Users
API Key (Shared Credentials)Not supported - coming soon
OAuth2 (Authorization Code)MCP Server Managers only
OAuth2 (Client Credentials)Not supported - coming soon
Token PassthroughNot supported
For details on configuring API Key authentication with Shared or Individual Credentials, see the Getting Started guide.

By Subject

SubjectWho can add overrides
UserMCP Server Managers and MCP Server Users
Virtual AccountMCP Server Managers
External IdentityNot supported - coming soon

By Auth override type

Auth overrideWho can add overrides
HeaderMCP Server Managers and MCP Server Users (where applicable)
Client CredentialsNot supported - coming soon

How Auth Overrides work at runtime

When a user makes a request through the Gateway to an MCP server with Auth Overrides configured:
  1. The Gateway authenticates the user (inbound authentication).
  2. The Gateway checks if an Auth Override exists for this user on this MCP server.
  3. If an override exists: The Gateway injects the user’s override credentials into the request (template substitution for Individual, or full Authorization value when applicable).
  4. If no override exists: The Gateway uses the server’s default credentials (for Shared Credentials) or returns an error (for Individual Credentials).
For MCP servers configured with Individual Credentials, users without an Auth Override will not be able to use the server until an override is created for them.