diff --git a/.gitignore b/.gitignore
index 06424dbb3..e360080fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,7 @@ dist
 test-servers/build
 .env
 /.playwright-mcp/
+
+# Local debugging screenshots dropped at the repo root (e.g. attached to
+# Claude Code conversations). Should never be part of the source tree.
+/*.png
diff --git a/clients/web/server/web-server-config.ts b/clients/web/server/web-server-config.ts
index f219554f4..f3e834fdb 100644
--- a/clients/web/server/web-server-config.ts
+++ b/clients/web/server/web-server-config.ts
@@ -97,7 +97,6 @@ export function webServerConfigToInitialPayload(
     return {
       defaultTransport: "sse",
       defaultServerUrl: mc.url,
-      defaultHeaders: mc.headers ?? undefined,
       defaultEnvironment,
     };
   }
@@ -105,21 +104,18 @@ export function webServerConfigToInitialPayload(
     return {
       defaultTransport: "streamable-http",
       defaultServerUrl: mc.url,
-      defaultHeaders: mc.headers ?? undefined,
       defaultEnvironment,
     };
   }
   // Forward-compat fallback: if a future SDK ships a new transport type the
   // launcher hasn't taught us about yet, prefer streamable-http (the most
-  // permissive shape with `url` + optional `headers`) over throwing. Worst
-  // case the UI shows the URL the user supplied; throwing here would deny
-  // the user a hint at startup. Add a real branch above once the type is
-  // known.
-  const c = mc as unknown as { url: string; headers?: Record<string, string> };
+  // permissive shape with `url`) over throwing. Worst case the UI shows the
+  // URL the user supplied; throwing here would deny the user a hint at
+  // startup. Add a real branch above once the type is known.
+  const c = mc as unknown as { url: string };
   return {
     defaultTransport: "streamable-http",
     defaultServerUrl: c.url,
-    defaultHeaders: c.headers,
     defaultEnvironment,
   };
 }
diff --git a/clients/web/src/App.tsx b/clients/web/src/App.tsx
index 4df0a19b3..d15610af5 100644
--- a/clients/web/src/App.tsx
+++ b/clients/web/src/App.tsx
@@ -1,5 +1,6 @@
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { useComputedColorScheme, useMantineColorScheme } from "@mantine/core";
+import { notifications } from "@mantine/notifications";
 import type {
   InitializeResult,
   LoggingLevel,
@@ -10,6 +11,7 @@ import type { AppBridge } from "@modelcontextprotocol/ext-apps/app-bridge";
 import { InspectorClient } from "@inspector/core/mcp/index.js";
 import type { JsonValue } from "@inspector/core/mcp/index.js";
 import type {
+  InspectorServerSettings,
   MCPServerConfig,
   MessageEntry,
   ServerEntry,
@@ -45,6 +47,7 @@ import {
   ServerConfigModal,
   type ServerConfigModalMode,
 } from "./components/groups/ServerConfigModal/ServerConfigModal";
+import { ServerSettingsModal } from "./components/groups/ServerSettingsModal/ServerSettingsModal";
 import { ServerRemoveConfirmModal } from "./components/groups/ServerRemoveConfirmModal/ServerRemoveConfirmModal";
 import { downloadJsonFile } from "./lib/downloadFile";
 import { createWebEnvironment } from "./lib/environmentFactory";
@@ -135,7 +138,13 @@ function App() {
   // Server list — sourced from ~/.mcp-inspector/mcp.json via the backend's
   // `/api/servers` routes. First-launch seeds are written by the backend when
   // the file is absent, so this hook returns a non-empty list on first load.
-  const { servers, addServer, updateServer, removeServer } = useServers({
+  const {
+    servers,
+    addServer,
+    updateServer,
+    updateServerSettings,
+    removeServer,
+  } = useServers({
     baseUrl:
       typeof window !== "undefined"
         ? window.location.origin
@@ -149,6 +158,9 @@ function App() {
     mode: ServerConfigModalMode;
     targetId?: string;
   } | null>(null);
+  const [settingsModalTargetId, setSettingsModalTargetId] = useState<
+    string | undefined
+  >(undefined);
   const [removeTarget, setRemoveTarget] = useState<ServerEntry | null>(null);
 
   // The active connection target. `null` between sessions; set as soon as
@@ -336,6 +348,35 @@ function App() {
         getAuthToken(),
         redirectUrlProvider,
       );
+      // The settings node persisted in mcp.json for this server — distinct
+      // from the InspectorClient options we're about to derive from it.
+      const savedSettings = server.settings;
+      // Flatten the persisted settings into the InspectorClient options shape.
+      // Empty / zero values stay unset so the SDK defaults apply.
+      const defaultMetadata = savedSettings?.metadata
+        ? Object.fromEntries(
+            savedSettings.metadata
+              .filter((m) => m.key.trim() !== "")
+              .map((m) => [m.key, m.value]),
+          )
+        : undefined;
+      const oauth =
+        savedSettings &&
+        (savedSettings.oauthClientId ||
+          savedSettings.oauthClientSecret ||
+          savedSettings.oauthScopes)
+          ? {
+              ...(savedSettings.oauthClientId && {
+                clientId: savedSettings.oauthClientId,
+              }),
+              ...(savedSettings.oauthClientSecret && {
+                clientSecret: savedSettings.oauthClientSecret,
+              }),
+              ...(savedSettings.oauthScopes && {
+                scope: savedSettings.oauthScopes,
+              }),
+            }
+          : undefined;
       const client = new InspectorClient(server.config, {
         environment,
         // The Tasks tab needs the receiver-task pipeline; the
@@ -344,6 +385,16 @@ function App() {
         // Sampling / elicitation are on by default; keep the parameterized
         // options off until the UI grows the surface to render them.
         elicit: { form: true, url: true },
+        ...(savedSettings &&
+          savedSettings.requestTimeout > 0 && {
+            timeout: savedSettings.requestTimeout,
+          }),
+        ...(defaultMetadata &&
+          Object.keys(defaultMetadata).length > 0 && {
+            defaultMetadata,
+          }),
+        ...(oauth && { oauth }),
+        ...(savedSettings && { serverSettings: savedSettings }),
       });
 
       setInspectorClient(client);
@@ -396,16 +447,23 @@ function App() {
       const target = servers.find((s) => s.id === id);
       if (!target) return;
 
-      // Different server (or first connect): rebuild the client + managers.
-      let client = inspectorClient;
-      if (id !== activeServerId || client === null) {
-        client = setupClientForServer(target);
+      // Always rebuild the InspectorClient on a (re)connect so the latest
+      // `target.settings` (headers, metadata, timeouts, OAuth credentials)
+      // are picked up. Reusing the previous client object would freeze the
+      // settings at the moment it was first constructed, which would be
+      // surprising right after the user edited them in the settings modal.
+      const client = setupClientForServer(target);
+      if (id !== activeServerId) {
         setActiveServerId(id);
       }
 
       setErrorMessage(undefined);
       connectStartRef.current = Date.now();
       try {
+        // `settings.connectionTimeout` is consumed inside InspectorClient.connect
+        // (Promise.race + transport teardown live there now), so this branch
+        // stays unaware of the per-server timeout. TUI/CLI consumers get the
+        // same behavior by reading from `serverSettings` on the client.
         await client.connect();
       } catch (err) {
         // Handshake-only. A mid-session transport failure transitions the
@@ -705,6 +763,91 @@ function App() {
     return servers.find((s) => s.id === configModal.targetId);
   }, [configModal, servers]);
 
+  const settingsModalTarget = useMemo(() => {
+    if (!settingsModalTargetId) return undefined;
+    return servers.find((s) => s.id === settingsModalTargetId);
+  }, [settingsModalTargetId, servers]);
+
+  // Stable starting shape for entries that have no `settings` node yet — the
+  // form needs concrete arrays / numbers to render.
+  const settingsModalValue = useMemo<InspectorServerSettings>(() => {
+    return (
+      settingsModalTarget?.settings ?? {
+        headers: [],
+        metadata: [],
+        connectionTimeout: 0,
+        requestTimeout: 0,
+      }
+    );
+  }, [settingsModalTarget]);
+
+  // The settings modal fires onSettingsChange on every keystroke. Persisting
+  // each character would run a tight PUT-then-full-refresh loop against the
+  // backend (and the in-memory `servers` state could flicker mid-typing as
+  // each refresh resets the modal's prop). Debounce so a burst of edits
+  // coalesces into a single PUT, and flush on modal close so nothing is lost.
+  const pendingSettingsRef = useRef<{
+    id: string;
+    settings: InspectorServerSettings;
+  } | null>(null);
+  const pendingSettingsTimerRef = useRef<
+    ReturnType<typeof setTimeout> | undefined
+  >(undefined);
+
+  const flushPendingSettings = useCallback(() => {
+    if (pendingSettingsTimerRef.current) {
+      clearTimeout(pendingSettingsTimerRef.current);
+      pendingSettingsTimerRef.current = undefined;
+    }
+    const pending = pendingSettingsRef.current;
+    if (!pending) return;
+    pendingSettingsRef.current = null;
+    // Fire-and-forget — but surface failures via toast. The modal closes
+    // immediately on user dismiss, so a silent fail-on-flush would leave
+    // the user thinking their last edits saved when they didn't (especially
+    // painful for the OAuth client secret).
+    updateServerSettings(pending.id, pending.settings).catch((err) => {
+      notifications.show({
+        title: `Failed to save settings for "${pending.id}"`,
+        message: err instanceof Error ? err.message : String(err),
+        color: "red",
+      });
+    });
+  }, [updateServerSettings]);
+
+  const onSettingsChange = useCallback(
+    (next: InspectorServerSettings) => {
+      if (!settingsModalTargetId) return;
+      pendingSettingsRef.current = {
+        id: settingsModalTargetId,
+        settings: next,
+      };
+      if (pendingSettingsTimerRef.current) {
+        clearTimeout(pendingSettingsTimerRef.current);
+      }
+      pendingSettingsTimerRef.current = setTimeout(flushPendingSettings, 300);
+    },
+    [settingsModalTargetId, flushPendingSettings],
+  );
+
+  const onSettingsModalClose = useCallback(() => {
+    flushPendingSettings();
+    setSettingsModalTargetId(undefined);
+  }, [flushPendingSettings]);
+
+  // Cancel any pending debounce on unmount (route change / HMR). Without
+  // this a stale setTimeout could still fire one final `updateServerSettings`
+  // against an unmounted component — harmless today (just an extra PUT of
+  // the final payload) but the cleanest pattern is to clear the timer.
+  useEffect(() => {
+    return () => {
+      if (pendingSettingsTimerRef.current) {
+        clearTimeout(pendingSettingsTimerRef.current);
+        pendingSettingsTimerRef.current = undefined;
+      }
+    };
+  }, []);
+
   // The Resources screen needs `isSubscribed` to flip the Subscribe button
   // label to "Unsubscribe". Derive it from the live subscriptions list rather
   // than threading it through every setReadResourceState site — that way the
@@ -756,7 +899,7 @@ function App() {
         onServerImportJson={todoNoop}
         onServerExport={onServerExport}
         onServerInfo={todoNoop}
-        onServerSettings={todoNoop}
+        onServerSettings={(id) => setSettingsModalTargetId(id)}
         onServerEdit={(id) => setConfigModal({ mode: "edit", targetId: id })}
         onServerClone={(id) => setConfigModal({ mode: "clone", targetId: id })}
         onServerRemove={(id) => {
@@ -805,6 +948,12 @@ function App() {
         onClose={() => setConfigModal(null)}
         onSubmit={onConfigSubmit}
       />
+      <ServerSettingsModal
+        opened={settingsModalTargetId !== undefined}
+        settings={settingsModalValue}
+        onClose={onSettingsModalClose}
+        onSettingsChange={onSettingsChange}
+      />
       <ServerRemoveConfirmModal
         opened={removeTarget !== null}
         target={removeTarget}
diff --git a/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.test.tsx b/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.test.tsx
index e54fdde2c..2c98526c0 100644
--- a/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.test.tsx
+++ b/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.test.tsx
@@ -69,12 +69,10 @@ const baseProps = {
 };
 
 describe("HistoryListPanel", () => {
-  it("renders the title and Export JSON button", () => {
+  it("renders the title and Export button", () => {
     renderWithMantine(<HistoryListPanel {...baseProps} entries={[]} />);
     expect(screen.getByText("Requests")).toBeInTheDocument();
-    expect(
-      screen.getByRole("button", { name: "Export JSON" }),
-    ).toBeInTheDocument();
+    expect(screen.getByRole("button", { name: "Export" })).toBeInTheDocument();
   });
 
   it("renders the empty state when there are no entries", () => {
@@ -134,7 +132,7 @@ describe("HistoryListPanel", () => {
     expect(screen.getByText("History (1)")).toBeInTheDocument();
   });
 
-  it("invokes onExport when Export JSON is clicked", async () => {
+  it("invokes onExport when Export is clicked", async () => {
     const user = userEvent.setup();
     const onExport = vi.fn();
     renderWithMantine(
@@ -144,7 +142,7 @@ describe("HistoryListPanel", () => {
         onExport={onExport}
       />,
     );
-    await user.click(screen.getByRole("button", { name: "Export JSON" }));
+    await user.click(screen.getByRole("button", { name: "Export" }));
     expect(onExport).toHaveBeenCalledTimes(1);
   });
 
diff --git a/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.tsx b/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.tsx
index 0bd6a6f71..37fee63b8 100644
--- a/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.tsx
+++ b/clients/web/src/components/groups/HistoryListPanel/HistoryListPanel.tsx
@@ -24,11 +24,6 @@ export interface HistoryListPanelProps {
   onTogglePin: (id: string) => void;
 }
 
-const ToolbarButton = Button.withProps({
-  variant: "subtle",
-  size: "sm",
-});
-
 const PanelContainer = Paper.withProps({
   withBorder: true,
   p: "lg",
@@ -101,13 +96,22 @@ export function HistoryListPanel({
       <Group justify="space-between" mb="sm">
         <Title order={4}>Requests</Title>
         <Group gap="xs">
-          <ToolbarButton onClick={onExport}>Export JSON</ToolbarButton>
           {hasResults && (
             <ListToggle
               compact={compact}
               onToggle={() => setCompact((c) => !c)}
             />
           )}
+          <Button
+            variant="default"
+            onClick={onClearAll}
+            disabled={unpinnedEntries.length === 0}
+          >
+            Clear
+          </Button>
+          <Button variant="default" onClick={onExport} disabled={!hasResults}>
+            Export
+          </Button>
         </Group>
       </Group>
 
@@ -136,12 +140,9 @@ export function HistoryListPanel({
 
             {unpinnedEntries.length > 0 && (
               <>
-                <Group justify="space-between">
-                  <Title order={5}>
-                    {formatHistoryTitle(unpinnedEntries.length)}
-                  </Title>
-                  <ToolbarButton onClick={onClearAll}>Clear</ToolbarButton>
-                </Group>
+                <Title order={5}>
+                  {formatHistoryTitle(unpinnedEntries.length)}
+                </Title>
                 {unpinnedEntries.map((entry) => (
                   <HistoryEntry
                     key={entry.id}
diff --git a/clients/web/src/components/groups/LogStreamPanel/LogStreamPanel.tsx b/clients/web/src/components/groups/LogStreamPanel/LogStreamPanel.tsx
index 00b047b88..4e0e9c3b0 100644
--- a/clients/web/src/components/groups/LogStreamPanel/LogStreamPanel.tsx
+++ b/clients/web/src/components/groups/LogStreamPanel/LogStreamPanel.tsx
@@ -31,11 +31,6 @@ const PanelContainer = Paper.withProps({
   variant: "panel",
 });
 
-const ToolbarButton = Button.withProps({
-  variant: "subtle",
-  size: "sm",
-});
-
 const EmptyCenter = Stack.withProps({
   flex: 1,
   align: "center",
@@ -88,9 +83,27 @@ export function LogStreamPanel({
             checked={autoScroll}
             onChange={onToggleAutoScroll}
           />
-          <ToolbarButton onClick={onClear}>Clear</ToolbarButton>
-          <ToolbarButton onClick={onExport}>Export</ToolbarButton>
-          <ToolbarButton onClick={onCopyAll}>Copy All</ToolbarButton>
+          <Button
+            variant="default"
+            onClick={onClear}
+            disabled={entries.length === 0}
+          >
+            Clear
+          </Button>
+          <Button
+            variant="default"
+            onClick={onExport}
+            disabled={entries.length === 0}
+          >
+            Export
+          </Button>
+          <Button
+            variant="default"
+            onClick={onCopyAll}
+            disabled={entries.length === 0}
+          >
+            Copy All
+          </Button>
         </Group>
       </Group>
       {filteredEntries.length > 0 ? (
diff --git a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.stories.tsx b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.stories.tsx
index ba1d7310c..5bd4c539a 100644
--- a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.stories.tsx
+++ b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.stories.tsx
@@ -39,7 +39,6 @@ const stdioConfig: MCPServerConfig = {
 const sseConfig: MCPServerConfig = {
   type: "sse",
   url: "https://example.com/sse",
-  headers: { Authorization: "Bearer xxx" },
 };
 
 const meta: Meta<typeof ServerConfigModal> = {
@@ -120,6 +119,7 @@ export const EditSse: Story = {
   play: async ({ canvasElement }) => {
     const body = within(canvasElement.ownerDocument.body);
     await expect(await body.findByLabelText(/^URL/)).toBeInTheDocument();
-    await expect(body.getByLabelText(/Headers/i)).toBeInTheDocument();
+    // Headers are no longer entered here — they live in ServerSettingsForm.
+    await expect(body.queryByLabelText(/Headers/i)).toBeNull();
   },
 };
diff --git a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.test.tsx b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.test.tsx
index d07a3dacc..6b75611eb 100644
--- a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.test.tsx
+++ b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.test.tsx
@@ -95,7 +95,7 @@ describe("ServerConfigModal", () => {
   // open reliably; we exercise the sse rendering branch by seeding the form
   // with an sse initialConfig (the same code path the Select onChange takes).
 
-  it("renders url + headers (and hides stdio fields) when transport is sse", () => {
+  it("renders url (and hides stdio fields) when transport is sse", () => {
     renderWithMantine(
       <ServerConfigModal
         {...base()}
@@ -105,11 +105,11 @@ describe("ServerConfigModal", () => {
       />,
     );
     expect(screen.getByLabelText(/^URL/)).toBeInTheDocument();
-    expect(screen.getByLabelText(/Headers/i)).toBeInTheDocument();
+    expect(screen.queryByLabelText(/Headers/i)).not.toBeInTheDocument();
     expect(screen.queryByLabelText(/^Command/)).not.toBeInTheDocument();
   });
 
-  it("submits an sse config with parsed headers", async () => {
+  it("submits an sse config with just the url (headers move to the settings form)", async () => {
     const user = userEvent.setup();
     const props = base();
     renderWithMantine(
@@ -122,38 +122,16 @@ describe("ServerConfigModal", () => {
     );
 
     await user.type(screen.getByLabelText(/^URL/), "https://x.test/sse");
-    await user.type(
-      screen.getByLabelText(/Headers/i),
-      "Authorization: Bearer xxx",
-    );
     await user.click(screen.getByRole("button", { name: /^Save$/ }));
 
     await waitFor(() => expect(props.onSubmit).toHaveBeenCalledOnce());
     expect(props.onSubmit).toHaveBeenCalledWith("remote", {
       type: "sse",
       url: "https://x.test/sse",
-      headers: { Authorization: "Bearer xxx" },
     });
   });
 
-  it("rejects malformed header lines on sse submission", async () => {
-    const user = userEvent.setup();
-    const props = base();
-    renderWithMantine(
-      <ServerConfigModal
-        {...props}
-        mode="edit"
-        initialId="remote"
-        initialConfig={{ type: "sse", url: "https://x.test/sse" }}
-      />,
-    );
-    await user.type(screen.getByLabelText(/Headers/i), "BAD_HEADER_LINE");
-    await user.click(screen.getByRole("button", { name: /^Save$/ }));
-    expect(screen.getByRole("alert")).toHaveTextContent(/Invalid header/i);
-    expect(props.onSubmit).not.toHaveBeenCalled();
-  });
-
-  it("submits a streamable-http config (with no headers)", async () => {
+  it("submits a streamable-http config", async () => {
     const user = userEvent.setup();
     const props = base();
     renderWithMantine(
@@ -172,7 +150,7 @@ describe("ServerConfigModal", () => {
     });
   });
 
-  it("loads initial headers + url from a streamable-http config", () => {
+  it("loads the url from a streamable-http config", () => {
     renderWithMantine(
       <ServerConfigModal
         {...base()}
@@ -181,12 +159,10 @@ describe("ServerConfigModal", () => {
         initialConfig={{
           type: "streamable-http",
           url: "https://x.test/mcp",
-          headers: { "X-Trace": "abc" },
         }}
       />,
     );
     expect(screen.getByLabelText(/^URL/)).toHaveValue("https://x.test/mcp");
-    expect(screen.getByLabelText(/Headers/i)).toHaveValue("X-Trace: abc");
   });
 
   it("rejects an empty URL on sse submission", async () => {
diff --git a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.tsx b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.tsx
index 32be68268..ca7970433 100644
--- a/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.tsx
+++ b/clients/web/src/components/groups/ServerConfigModal/ServerConfigModal.tsx
@@ -11,9 +11,7 @@ import {
 } from "@mantine/core";
 import type {
   MCPServerConfig,
-  SseServerConfig,
   StdioServerConfig,
-  StreamableHttpServerConfig,
 } from "@inspector/core/mcp/types.js";
 
 /** Allowed id pattern — mirrors validateStoreId in core/storage/store-io.ts */
@@ -47,7 +45,6 @@ interface FormState {
   cwd: string;
   // sse / streamable-http
   url: string;
-  headersText: string;
 }
 
 const SectionStack = Stack.withProps({ gap: "md" });
@@ -77,7 +74,6 @@ function configToFormState(
       envText: "",
       cwd: "",
       url: "",
-      headersText: "",
     };
   }
   if (transport === "stdio") {
@@ -92,11 +88,13 @@ function configToFormState(
         .join("\n"),
       cwd: c.cwd ?? "",
       url: "",
-      headersText: "",
     };
   }
-  // sse / streamable-http
-  const c = initialConfig as SseServerConfig | StreamableHttpServerConfig;
+  // sse / streamable-http — custom headers live in ServerSettingsForm now.
+  const url =
+    initialConfig.type === "sse" || initialConfig.type === "streamable-http"
+      ? initialConfig.url
+      : "";
   return {
     id,
     transport,
@@ -104,10 +102,7 @@ function configToFormState(
     argsText: "",
     envText: "",
     cwd: "",
-    url: c.url ?? "",
-    headersText: Object.entries(c.headers ?? {})
-      .map(([k, v]) => `${k}: ${v}`)
-      .join("\n"),
+    url: url ?? "",
   };
 }
 
@@ -139,8 +134,7 @@ function parseEnv(raw: string):
     }
     const key = line.slice(0, eq).trim();
     // env values preserve trailing whitespace — they're shell-style strings
-    // where spaces / tabs can be load-bearing; header values are HTTP-style
-    // and parseHeaders below trims them per RFC 7230 §3.2.4.
+    // where spaces / tabs can be load-bearing.
     const value = line.slice(eq + 1);
     if (!key)
       return { ok: false, error: `Invalid env line "${line}". Empty key.` };
@@ -149,38 +143,6 @@ function parseEnv(raw: string):
   return { ok: true, value: out };
 }
 
-function parseHeaders(raw: string):
-  | {
-      ok: true;
-      value: Record<string, string>;
-    }
-  | {
-      ok: false;
-      error: string;
-    } {
-  const out: Record<string, string> = {};
-  const lines = raw
-    .split("\n")
-    .map((s) => s.trim())
-    .filter((s) => s.length > 0);
-  for (const line of lines) {
-    const colon = line.indexOf(":");
-    if (colon <= 0) {
-      return {
-        ok: false,
-        error: `Invalid header line "${line}". Use "Header-Name: value".`,
-      };
-    }
-    const key = line.slice(0, colon).trim();
-    const value = line.slice(colon + 1).trim();
-    if (!key) {
-      return { ok: false, error: `Invalid header line "${line}". Empty name.` };
-    }
-    out[key] = value;
-  }
-  return { ok: true, value: out };
-}
-
 export function ServerConfigModal({
   opened,
   mode,
@@ -247,14 +209,14 @@ export function ServerConfigModal({
     if (!form.url.trim()) {
       return { ok: false, error: "URL is required for sse / streamable-http." };
     }
-    const headers = parseHeaders(form.headersText);
-    if (!headers.ok) return headers;
     const base = { url: form.url.trim() };
-    const config: SseServerConfig | StreamableHttpServerConfig =
+    // Custom headers live in ServerSettingsForm now (persisted under
+    // settings.headers on the entry); the SSE / streamable-http config here
+    // only carries the canonical transport fields.
+    const config: MCPServerConfig =
       form.transport === "sse"
         ? { type: "sse", ...base }
         : { type: "streamable-http", ...base };
-    if (Object.keys(headers.value).length > 0) config.headers = headers.value;
     return { ok: true, config };
   }
 
@@ -384,32 +346,17 @@ export function ServerConfigModal({
               />
             </>
           ) : (
-            <>
-              <TextInput
-                label="URL"
-                placeholder="https://example.com/mcp"
-                value={form.url}
-                onChange={(e) => {
-                  const next = e.currentTarget.value;
-                  setForm((f) => ({ ...f, url: next }));
-                }}
-                required
-                disabled={submitting}
-              />
-              <Textarea
-                label="Headers"
-                description='"Header-Name: value" per line.'
-                placeholder="Authorization: Bearer xxxxx"
-                value={form.headersText}
-                onChange={(e) => {
-                  const next = e.currentTarget.value;
-                  setForm((f) => ({ ...f, headersText: next }));
-                }}
-                autosize
-                minRows={2}
-                disabled={submitting}
-              />
-            </>
+            <TextInput
+              label="URL"
+              placeholder="https://example.com/mcp"
+              value={form.url}
+              onChange={(e) => {
+                const next = e.currentTarget.value;
+                setForm((f) => ({ ...f, url: next }));
+              }}
+              required
+              disabled={submitting}
+            />
           )}
         </FieldGrid>
 
diff --git a/clients/web/src/components/groups/ServerSettingsForm/ServerSettingsForm.tsx b/clients/web/src/components/groups/ServerSettingsForm/ServerSettingsForm.tsx
index cf9e451dc..5551120af 100644
--- a/clients/web/src/components/groups/ServerSettingsForm/ServerSettingsForm.tsx
+++ b/clients/web/src/components/groups/ServerSettingsForm/ServerSettingsForm.tsx
@@ -135,7 +135,9 @@ export function ServerSettingsForm({
           <Stack gap="md">
             <Group justify="space-between">
               <HintText>
-                Headers sent with every HTTP request to this server
+                Headers sent with every HTTP request to this server. If OAuth is
+                configured below, the `Authorization` header is owned by the
+                OAuth flow and any value set here is ignored.
               </HintText>
               <AddButton onClick={onAddHeader}>+ Add Header</AddButton>
             </Group>
diff --git a/clients/web/src/components/groups/ServerSettingsModal/ServerSettingsModal.tsx b/clients/web/src/components/groups/ServerSettingsModal/ServerSettingsModal.tsx
index abc8a05aa..463693a86 100644
--- a/clients/web/src/components/groups/ServerSettingsModal/ServerSettingsModal.tsx
+++ b/clients/web/src/components/groups/ServerSettingsModal/ServerSettingsModal.tsx
@@ -109,7 +109,7 @@ export function ServerSettingsModal({
       <Stack gap="md">
         <Group justify="space-between" wrap="nowrap">
           <ListToggle
-            compact={allExpanded}
+            compact={!allExpanded}
             variant="subtle"
             onToggle={handleToggleAll}
           />
diff --git a/clients/web/src/components/screens/LoggingScreen/LoggingScreen.test.tsx b/clients/web/src/components/screens/LoggingScreen/LoggingScreen.test.tsx
index b94407b1d..d2d83c4e3 100644
--- a/clients/web/src/components/screens/LoggingScreen/LoggingScreen.test.tsx
+++ b/clients/web/src/components/screens/LoggingScreen/LoggingScreen.test.tsx
@@ -35,7 +35,12 @@ describe("LoggingScreen", () => {
   it("invokes onClear when clear is clicked", async () => {
     const user = userEvent.setup();
     const onClear = vi.fn();
-    renderWithMantine(<LoggingScreen {...baseProps} onClear={onClear} />);
+    const entries = [
+      { receivedAt: new Date(), params: { level: "info" as const, data: "x" } },
+    ];
+    renderWithMantine(
+      <LoggingScreen {...baseProps} entries={entries} onClear={onClear} />,
+    );
     await user.click(screen.getByRole("button", { name: "Clear" }));
     expect(onClear).toHaveBeenCalledTimes(1);
   });
@@ -43,11 +48,23 @@ describe("LoggingScreen", () => {
   it("invokes onCopyAll when Copy All is clicked", async () => {
     const user = userEvent.setup();
     const onCopyAll = vi.fn();
-    renderWithMantine(<LoggingScreen {...baseProps} onCopyAll={onCopyAll} />);
+    const entries = [
+      { receivedAt: new Date(), params: { level: "info" as const, data: "x" } },
+    ];
+    renderWithMantine(
+      <LoggingScreen {...baseProps} entries={entries} onCopyAll={onCopyAll} />,
+    );
     await user.click(screen.getByRole("button", { name: "Copy All" }));
     expect(onCopyAll).toHaveBeenCalledTimes(1);
   });
 
+  it("disables Clear / Export / Copy All when there are no entries", () => {
+    renderWithMantine(<LoggingScreen {...baseProps} />);
+    expect(screen.getByRole("button", { name: "Clear" })).toBeDisabled();
+    expect(screen.getByRole("button", { name: "Export" })).toBeDisabled();
+    expect(screen.getByRole("button", { name: "Copy All" })).toBeDisabled();
+  });
+
   it("toggles a single level on level button click", async () => {
     const user = userEvent.setup();
     const entries = [
diff --git a/clients/web/src/test/core/mcp/node/config.test.ts b/clients/web/src/test/core/mcp/node/config.test.ts
index cad08eb26..8ecab6da0 100644
--- a/clients/web/src/test/core/mcp/node/config.test.ts
+++ b/clients/web/src/test/core/mcp/node/config.test.ts
@@ -146,36 +146,6 @@ describe("resolveServerConfigs — single mode", () => {
     });
   });
 
-  it("attaches headers on remote configs when provided", () => {
-    const [config] = resolveServerConfigs(
-      {
-        target: ["http://example.com/mcp"],
-        headers: { Authorization: "Bearer x" },
-      },
-      "single",
-    );
-    expect(config).toMatchObject({
-      type: "streamable-http",
-      url: "http://example.com/mcp",
-      headers: { Authorization: "Bearer x" },
-    });
-  });
-
-  it("attaches headers on sse configs when provided", () => {
-    const [config] = resolveServerConfigs(
-      {
-        target: ["http://example.com/sse"],
-        headers: { Authorization: "Bearer x" },
-      },
-      "single",
-    );
-    expect(config).toMatchObject({
-      type: "sse",
-      url: "http://example.com/sse",
-      headers: { Authorization: "Bearer x" },
-    });
-  });
-
   it("rejects args passed alongside a URL target", () => {
     expect(() =>
       resolveServerConfigs(
@@ -323,7 +293,7 @@ describe("resolveServerConfigs — single mode", () => {
     ).toThrow(/Server 'bar' not found/);
   });
 
-  it("applies env/cwd/headers overrides when loading from config", () => {
+  it("applies env/cwd overrides when loading from config", () => {
     writeFileSync(
       configPath,
       JSON.stringify({
@@ -350,19 +320,6 @@ describe("resolveServerConfigs — single mode", () => {
       env: { X: "1" },
       cwd: "/tmp",
     });
-
-    const [http] = resolveServerConfigs(
-      {
-        configPath,
-        serverName: "bar",
-        headers: { Authorization: "Bearer x" },
-      },
-      "single",
-    );
-    expect(http).toMatchObject({
-      type: "streamable-http",
-      headers: { Authorization: "Bearer x" },
-    });
   });
 });
 
@@ -460,13 +417,15 @@ describe("getNamedServerConfigs", () => {
     const named = getNamedServerConfigs({
       configPath,
       env: { X: "1" },
-      headers: { Authorization: "Bearer x" },
     });
     expect((named.a as { env: Record<string, string> }).env).toEqual({
       X: "1",
     });
-    expect((named.b as { headers: Record<string, string> }).headers).toEqual({
-      Authorization: "Bearer x",
+    // env override does not apply to non-stdio servers; the streamable-http
+    // entry stays as-is.
+    expect(named.b).toMatchObject({
+      type: "streamable-http",
+      url: "http://example.com/mcp",
     });
   });
 
diff --git a/clients/web/src/test/core/mcp/remote/remoteClientTransport.test.ts b/clients/web/src/test/core/mcp/remote/remoteClientTransport.test.ts
index 17c7a1ff3..a8bde9de1 100644
--- a/clients/web/src/test/core/mcp/remote/remoteClientTransport.test.ts
+++ b/clients/web/src/test/core/mcp/remote/remoteClientTransport.test.ts
@@ -322,4 +322,62 @@ describe("RemoteClientTransport", () => {
       expect((err as Error).message).toMatch(/Remote connect failed \(401\)/);
     }
   });
+
+  it("start() includes settings on the /api/mcp/connect body when provided", async () => {
+    const seenBodies: string[] = [];
+    const fetchFn = vi
+      .fn<typeof fetch>()
+      .mockImplementation(async (_input, init) => {
+        if (init?.method === "POST") {
+          seenBodies.push(init.body as string);
+          return new Response(JSON.stringify({ sessionId: "abc" }), {
+            status: 200,
+          });
+        }
+        return sseStreamResponse();
+      });
+    const settings = {
+      headers: [{ key: "X-Tenant", value: "acme" }],
+      metadata: [],
+      connectionTimeout: 0,
+      requestTimeout: 0,
+    };
+    const transport = new RemoteClientTransport(
+      {
+        baseUrl,
+        fetchFn: fetchFn as unknown as typeof fetch,
+        settings,
+      },
+      config,
+    );
+    await transport.start();
+    await transport.close();
+
+    expect(seenBodies.length).toBeGreaterThan(0);
+    const parsed = JSON.parse(seenBodies[0]!) as { settings?: unknown };
+    expect(parsed.settings).toEqual(settings);
+  });
+
+  it("start() omits the settings field when no settings are provided", async () => {
+    const seenBodies: string[] = [];
+    const fetchFn = vi
+      .fn<typeof fetch>()
+      .mockImplementation(async (_input, init) => {
+        if (init?.method === "POST") {
+          seenBodies.push(init.body as string);
+          return new Response(JSON.stringify({ sessionId: "abc" }), {
+            status: 200,
+          });
+        }
+        return sseStreamResponse();
+      });
+    const transport = new RemoteClientTransport(
+      { baseUrl, fetchFn: fetchFn as unknown as typeof fetch },
+      config,
+    );
+    await transport.start();
+    await transport.close();
+    const parsed = JSON.parse(seenBodies[0]!) as Record<string, unknown>;
+    expect("settings" in parsed).toBe(false);
+  });
 });
diff --git a/clients/web/src/test/core/mcp/serverList.test.ts b/clients/web/src/test/core/mcp/serverList.test.ts
index 82814e7bb..f6ee18f5d 100644
--- a/clients/web/src/test/core/mcp/serverList.test.ts
+++ b/clients/web/src/test/core/mcp/serverList.test.ts
@@ -140,7 +140,6 @@ describe("serverEntriesToMcpConfig", () => {
         beta: {
           type: "sse",
           url: "https://x.test",
-          headers: { Authorization: "Bearer y" },
         },
       },
     };
@@ -148,6 +147,70 @@ describe("serverEntriesToMcpConfig", () => {
     expect(round).toEqual(original);
   });
 
+  it("round-trips a populated settings node through both converters", () => {
+    const original: MCPConfig = {
+      mcpServers: {
+        gamma: {
+          type: "streamable-http",
+          url: "https://x.test/mcp",
+          settings: {
+            headers: [{ key: "Authorization", value: "Bearer xyz" }],
+            metadata: [{ key: "tenant", value: "acme" }],
+            connectionTimeout: 30000,
+            requestTimeout: 60000,
+            oauthClientId: "client-abc",
+            oauthClientSecret: "secret-def",
+            oauthScopes: "read:tools",
+          },
+        },
+      },
+    };
+    const round = serverEntriesToMcpConfig(mcpConfigToServerEntries(original));
+    expect(round).toEqual(original);
+  });
+
+  it("lifts the settings node from the stored entry onto ServerEntry.settings", () => {
+    const cfg: MCPConfig = {
+      mcpServers: {
+        alpha: {
+          type: "streamable-http",
+          url: "https://x.test/mcp",
+          settings: {
+            headers: [{ key: "X-Tenant", value: "acme" }],
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 0,
+          },
+        },
+      },
+    };
+    const [entry] = mcpConfigToServerEntries(cfg);
+    expect(entry?.settings).toEqual({
+      headers: [{ key: "X-Tenant", value: "acme" }],
+      metadata: [],
+      connectionTimeout: 0,
+      requestTimeout: 0,
+    });
+    // `settings` should not leak back into config — the SDK transport must
+    // see a clean MCPServerConfig.
+    expect(
+      (entry?.config as unknown as Record<string, unknown>).settings,
+    ).toBeUndefined();
+  });
+
+  it("omits the settings key on disk when ServerEntry.settings is undefined", () => {
+    const entries: ServerEntry[] = [
+      {
+        id: "alpha",
+        name: "alpha",
+        config: { type: "stdio", command: "node" },
+        connection: { status: "disconnected" },
+      },
+    ];
+    const cfg = serverEntriesToMcpConfig(entries);
+    expect(cfg.mcpServers.alpha).not.toHaveProperty("settings");
+  });
+
   it("preserves insertion order on serialize", () => {
     const entries: ServerEntry[] = [
       {
diff --git a/clients/web/src/test/core/mcp/state/messageLogState.test.ts b/clients/web/src/test/core/mcp/state/messageLogState.test.ts
index eaf7b17ad..3583cf6d1 100644
--- a/clients/web/src/test/core/mcp/state/messageLogState.test.ts
+++ b/clients/web/src/test/core/mcp/state/messageLogState.test.ts
@@ -156,14 +156,14 @@ describe("MessageLogState", () => {
     expect(keep).toHaveLength(1);
   });
 
-  it("clears on connect", () => {
+  it("does not clear on connect (state managers fire requests synchronously inside their own connect listeners; clearing here would wipe their pendingRequestEntries before responses arrive)", () => {
     client.dispatchTypedEvent("message", notificationEntry());
     expect(state.getMessages()).toHaveLength(1);
     let dispatched = false;
     state.addEventListener("messagesChange", () => (dispatched = true));
     client.dispatchTypedEvent("connect");
-    expect(state.getMessages()).toEqual([]);
-    expect(dispatched).toBe(true);
+    expect(state.getMessages()).toHaveLength(1);
+    expect(dispatched).toBe(false);
   });
 
   it("clears on disconnect (statusChange -> disconnected)", () => {
diff --git a/clients/web/src/test/core/react/useServers.test.tsx b/clients/web/src/test/core/react/useServers.test.tsx
index 185c580d7..0e3f93329 100644
--- a/clients/web/src/test/core/react/useServers.test.tsx
+++ b/clients/web/src/test/core/react/useServers.test.tsx
@@ -281,6 +281,113 @@ describe("useServers", () => {
     expect(seenHeaders[0]?.get("x-mcp-remote-auth")).toBe("Bearer secret");
   });
 
+  it("updateServerSettings persists the new settings node without touching config", async () => {
+    writeFileSync(
+      h.configPath,
+      JSON.stringify({
+        mcpServers: {
+          alpha: { type: "streamable-http", url: "https://x.test/mcp" },
+        },
+      }),
+    );
+
+    const { result } = renderHook(() =>
+      useServers({ baseUrl: "http://test.local", fetchFn: h.fetchFn }),
+    );
+    await waitFor(() => expect(result.current.loading).toBe(false));
+
+    await act(async () => {
+      await result.current.updateServerSettings("alpha", {
+        headers: [{ key: "X-Tenant", value: "acme" }],
+        metadata: [{ key: "trace", value: "abc" }],
+        connectionTimeout: 5000,
+        requestTimeout: 30000,
+      });
+    });
+
+    await waitFor(() => {
+      expect(result.current.servers[0]?.settings).toEqual({
+        headers: [{ key: "X-Tenant", value: "acme" }],
+        metadata: [{ key: "trace", value: "abc" }],
+        connectionTimeout: 5000,
+        requestTimeout: 30000,
+      });
+    });
+    const stored = readConfig(h.configPath).mcpServers.alpha as {
+      type?: string;
+      url?: string;
+      settings?: unknown;
+    };
+    expect(stored.type).toBe("streamable-http");
+    expect(stored.url).toBe("https://x.test/mcp");
+    expect(stored.settings).toBeDefined();
+  });
+
+  it("updateServerSettings throws when the target id does not exist (server-side 404)", async () => {
+    const { result } = renderHook(() =>
+      useServers({ baseUrl: "http://test.local", fetchFn: h.fetchFn }),
+    );
+    await waitFor(() => expect(result.current.loading).toBe(false));
+
+    await expect(
+      act(async () => {
+        await result.current.updateServerSettings("nonexistent", {
+          headers: [],
+          metadata: [],
+          connectionTimeout: 0,
+          requestTimeout: 0,
+        });
+      }),
+    ).rejects.toThrow(/not found/);
+  });
+
+  it("updateServer preserves the existing settings node across a config update", async () => {
+    writeFileSync(
+      h.configPath,
+      JSON.stringify({
+        mcpServers: {
+          alpha: {
+            type: "streamable-http",
+            url: "https://x.test/mcp",
+            settings: {
+              headers: [{ key: "X-Keep", value: "yes" }],
+              metadata: [],
+              connectionTimeout: 0,
+              requestTimeout: 0,
+            },
+          },
+        },
+      }),
+    );
+
+    const { result } = renderHook(() =>
+      useServers({ baseUrl: "http://test.local", fetchFn: h.fetchFn }),
+    );
+    await waitFor(() => expect(result.current.loading).toBe(false));
+
+    await act(async () => {
+      // ServerConfigModal saves do not touch settings; updateServer must not
+      // drop them, otherwise the user loses persisted headers / metadata when
+      // they tweak the URL.
+      await result.current.updateServer("alpha", "alpha", {
+        type: "streamable-http",
+        url: "https://x.test/other",
+      });
+    });
+
+    await waitFor(() => {
+      expect(result.current.servers[0]?.config).toMatchObject({
+        url: "https://x.test/other",
+      });
+    });
+    expect(result.current.servers[0]?.settings).toEqual({
+      headers: [{ key: "X-Keep", value: "yes" }],
+      metadata: [],
+      connectionTimeout: 0,
+      requestTimeout: 0,
+    });
+  });
+
   it("uses DEFAULT_SEED_CONFIG keys on the first load (seed-write contract)", async () => {
     const { result } = renderHook(() =>
       useServers({ baseUrl: "http://test.local", fetchFn: h.fetchFn }),
diff --git a/clients/web/src/test/integration/mcp/inspectorClient.test.ts b/clients/web/src/test/integration/mcp/inspectorClient.test.ts
index 08ed3028d..fa97142ce 100644
--- a/clients/web/src/test/integration/mcp/inspectorClient.test.ts
+++ b/clients/web/src/test/integration/mcp/inspectorClient.test.ts
@@ -255,7 +255,7 @@ describe("InspectorClient", () => {
       pagedPromptsState.destroy();
     });
 
-    it("MessageLogState clears on connect when attached to client", async () => {
+    it("MessageLogState clears across a disconnect → reconnect cycle", async () => {
       client = new InspectorClient(
         {
           type: "stdio",
@@ -289,6 +289,51 @@ describe("InspectorClient", () => {
       }
       messageLogState.destroy();
     });
+
+    it("rejects connect() with a timeout error when serverSettings.connectionTimeout fires", async () => {
+      // Stub transport whose start() never resolves — simulates a slow /
+      // unreachable upstream. InspectorClient.connect() should race against
+      // serverSettings.connectionTimeout and reject with a descriptive error;
+      // status should end up in "error", and the client should have
+      // internally torn down the transport (next connect() must rebuild).
+      const hangingTransport = {
+        start: () => new Promise<void>(() => {}),
+        send: async () => {},
+        close: async () => {},
+        onclose: undefined,
+        onerror: undefined,
+        onmessage: undefined,
+        sessionId: undefined,
+      };
+      const fakeFactory = () => ({
+        transport:
+          hangingTransport as unknown as import("@modelcontextprotocol/sdk/shared/transport.js").Transport,
+      });
+      client = new InspectorClient(
+        { type: "streamable-http", url: "http://localhost:1/never" },
+        {
+          environment: { transport: fakeFactory },
+          serverSettings: {
+            headers: [],
+            metadata: [],
+            connectionTimeout: 50,
+            requestTimeout: 0,
+          },
+        },
+      );
+
+      const before = Date.now();
+      await expect(client.connect()).rejects.toThrow(
+        /Connection timed out after 50 ms/,
+      );
+      const elapsed = Date.now() - before;
+      // Sanity: the race should fire near the configured timeout, not at
+      // some far-future SDK default.
+      expect(elapsed).toBeLessThan(2000);
+      // connect() rejected → the outer catch transitions status to "error"
+      // (the same end state any other handshake failure would produce).
+      expect(client.getStatus()).toBe("error");
+    });
   });
 
   describe("Message Tracking", () => {
@@ -397,6 +442,52 @@ describe("InspectorClient", () => {
       );
       messageLogState.destroy();
     });
+
+    it("matches responses to requests when a sibling listener fires a request inside the same connect event (regression for unmatched */list responses)", async () => {
+      // Reproduces the pre-fix bug where MessageLogState's clear-on-connect
+      // listener ran after sibling state-manager onConnect listeners had
+      // already synchronously tracked their initial list requests. That clear
+      // wiped pendingRequestEntries before the responses arrived, leaving
+      // the history with unmatched "response" entries marked PENDING.
+      client = new InspectorClient(
+        {
+          type: "stdio",
+          command: serverCommand.command,
+          args: serverCommand.args,
+        },
+        { environment: { transport: createTransportNode } },
+      );
+      const messageLogState = new MessageLogState(client);
+
+      // Simulate the App.tsx wiring: ManagedToolsState et al. register their
+      // own connect listeners that synchronously fire `void client.listTools()`.
+      const refreshClient = client;
+      client.addEventListener("connect", () => {
+        void refreshClient.listTools();
+      });
+
+      await client.connect();
+      // Settle: drain pending microtasks so the listTools response can fold.
+      await new Promise((r) => setTimeout(r, 100));
+
+      const requests = messageLogState
+        .getMessages()
+        .filter((m) => m.direction === "request");
+      const orphanResponses = messageLogState
+        .getMessages()
+        .filter((m) => m.direction === "response");
+      const listToolsReq = requests.find(
+        (m) => (m.message as { method?: string }).method === "tools/list",
+      );
+      expect(listToolsReq).toBeDefined();
+      // Its response must be folded into the request entry, not pushed as a
+      // separate "response" entry.
+      expect(listToolsReq?.response).toBeDefined();
+      expect(listToolsReq?.duration).toBeGreaterThanOrEqual(0);
+      expect(orphanResponses).toEqual([]);
+
+      messageLogState.destroy();
+    });
   });
 
   describe("Fetch Request Tracking", () => {
@@ -778,6 +869,115 @@ describe("InspectorClient", () => {
     });
   });
 
+  describe("Default metadata (server-wide _meta)", () => {
+    function metaOf(req: { message: unknown }): Record<string, unknown> {
+      const params = (req.message as { params?: { _meta?: unknown } }).params;
+      return (params?._meta as Record<string, unknown>) ?? {};
+    }
+
+    it("merges defaultMetadata into the _meta of outgoing tools/list and tools/call", async () => {
+      client = new InspectorClient(
+        {
+          type: "stdio",
+          command: serverCommand.command,
+          args: serverCommand.args,
+        },
+        {
+          environment: { transport: createTransportNode },
+          defaultMetadata: { tenant: "acme", env: "prod" },
+        },
+      );
+      const messageLogState = new MessageLogState(client);
+      await client.connect();
+      await client.listTools();
+      const tool = await getTool(client, "echo");
+      await client.callTool(tool, { message: "hi" });
+
+      const requests = messageLogState
+        .getMessages()
+        .filter((m) => m.direction === "request");
+      const listToolsReq = requests.find(
+        (m) => (m.message as { method?: string }).method === "tools/list",
+      );
+      const callToolReq = requests.find(
+        (m) => (m.message as { method?: string }).method === "tools/call",
+      );
+      expect(listToolsReq).toBeDefined();
+      expect(callToolReq).toBeDefined();
+      expect(metaOf(listToolsReq!)).toMatchObject({
+        tenant: "acme",
+        env: "prod",
+      });
+      expect(metaOf(callToolReq!)).toMatchObject({
+        tenant: "acme",
+        env: "prod",
+      });
+      messageLogState.destroy();
+    });
+
+    it("call-time metadata overrides defaultMetadata on key collision", async () => {
+      client = new InspectorClient(
+        {
+          type: "stdio",
+          command: serverCommand.command,
+          args: serverCommand.args,
+        },
+        {
+          environment: { transport: createTransportNode },
+          defaultMetadata: { tenant: "acme" },
+        },
+      );
+      const messageLogState = new MessageLogState(client);
+      await client.connect();
+      const tool = await getTool(client, "echo");
+      await client.callTool(tool, { message: "hi" }, { tenant: "override" });
+
+      const callToolReq = messageLogState
+        .getMessages()
+        .find(
+          (m) =>
+            m.direction === "request" &&
+            (m.message as { method?: string }).method === "tools/call",
+        );
+      expect(callToolReq).toBeDefined();
+      expect(metaOf(callToolReq!).tenant).toBe("override");
+      messageLogState.destroy();
+    });
+
+    it("does not inject defaults into _meta when defaultMetadata is unset", async () => {
+      client = new InspectorClient(
+        {
+          type: "stdio",
+          command: serverCommand.command,
+          args: serverCommand.args,
+        },
+        {
+          environment: { transport: createTransportNode },
+          // defaultMetadata omitted on purpose
+        },
+      );
+      const messageLogState = new MessageLogState(client);
+      await client.connect();
+      await client.listTools();
+
+      const listToolsReq = messageLogState
+        .getMessages()
+        .find(
+          (m) =>
+            m.direction === "request" &&
+            (m.message as { method?: string }).method === "tools/list",
+        );
+      expect(listToolsReq).toBeDefined();
+      // The SDK auto-injects a `progressToken` for progress-tracked requests
+      // — that's an SDK concern, not user metadata. Assert only that none of
+      // our example default keys leak through when defaultMetadata is unset.
+      const meta = metaOf(listToolsReq!);
+      expect(meta.tenant).toBeUndefined();
+      expect(meta.env).toBeUndefined();
+      messageLogState.destroy();
+    });
+  });
+
   describe("Resource Methods", () => {
     beforeEach(async () => {
       client = new InspectorClient(
diff --git a/clients/web/src/test/integration/mcp/node/transport.test.ts b/clients/web/src/test/integration/mcp/node/transport.test.ts
index c2be50859..fb36011c4 100644
--- a/clients/web/src/test/integration/mcp/node/transport.test.ts
+++ b/clients/web/src/test/integration/mcp/node/transport.test.ts
@@ -2,6 +2,7 @@ import { describe, it, expect } from "vitest";
 import { getServerType } from "@inspector/core/mcp/config.js";
 import { createTransportNode } from "@inspector/core/mcp/node/transport.js";
 import type {
+  InspectorServerSettings,
   MCPServerConfig,
   FetchRequestEntryBase,
 } from "@inspector/core/mcp/types.js";
@@ -191,5 +192,127 @@ describe("Transport", () => {
         await server.stop();
       }
     });
+
+    it("applies settings.headers to the outgoing streamable-http request", async () => {
+      const server = createTestServerHttp({
+        serverInfo: createTestServerInfo(),
+        tools: [createEchoTool()],
+        serverType: "streamable-http",
+      });
+
+      try {
+        await server.start();
+
+        const config: MCPServerConfig = {
+          type: "streamable-http",
+          url: server.url,
+        };
+        const settings: InspectorServerSettings = {
+          headers: [
+            { key: "X-Tenant", value: "acme" },
+            { key: "X-Trace", value: "abc123" },
+            { key: "", value: "ignored-empty-key" },
+          ],
+          metadata: [],
+          connectionTimeout: 0,
+          requestTimeout: 0,
+        };
+
+        const fetchRequests: FetchRequestEntryBase[] = [];
+        const result = createTransportNode(config, {
+          settings,
+          onFetchRequest: (entry) => {
+            fetchRequests.push(entry);
+          },
+        });
+
+        const client = new Client(
+          { name: "test-client", version: "1.0.0" },
+          { capabilities: {} },
+        );
+        await client.connect(result.transport);
+        await client.close();
+
+        // The very first outbound request — the initialize handshake — must
+        // already carry settings.headers (acceptance criterion: applied on
+        // *first* outbound request, no settings-form open required).
+        expect(fetchRequests.length).toBeGreaterThan(0);
+        const first = fetchRequests[0];
+        const lowered: Record<string, string> = {};
+        for (const [k, v] of Object.entries(first?.requestHeaders ?? {})) {
+          lowered[k.toLowerCase()] = v;
+        }
+        expect(lowered["x-tenant"]).toBe("acme");
+        expect(lowered["x-trace"]).toBe("abc123");
+        // Rows with an empty key are dropped.
+        expect(Object.keys(lowered)).not.toContain("");
+      } finally {
+        await server.stop();
+      }
+    });
+
+    it("applies settings.headers to the outgoing SSE request", async () => {
+      const server = createTestServerHttp({
+        serverInfo: createTestServerInfo(),
+        tools: [createEchoTool()],
+        serverType: "sse",
+      });
+
+      try {
+        await server.start();
+
+        const config: MCPServerConfig = { type: "sse", url: server.url };
+        const settings: InspectorServerSettings = {
+          headers: [{ key: "X-Tenant", value: "acme" }],
+          metadata: [],
+          connectionTimeout: 0,
+          requestTimeout: 0,
+        };
+
+        const fetchRequests: FetchRequestEntryBase[] = [];
+        const result = createTransportNode(config, {
+          settings,
+          onFetchRequest: (entry) => {
+            fetchRequests.push(entry);
+          },
+        });
+
+        const client = new Client(
+          { name: "test-client", version: "1.0.0" },
+          { capabilities: {} },
+        );
+        await client.connect(result.transport);
+        await client.close();
+
+        // SSE initiates with a GET — that GET must already carry the header.
+        expect(fetchRequests.length).toBeGreaterThan(0);
+        const getRequest = fetchRequests.find((r) => r.method === "GET");
+        expect(getRequest).toBeDefined();
+        const lowered: Record<string, string> = {};
+        for (const [k, v] of Object.entries(getRequest?.requestHeaders ?? {})) {
+          lowered[k.toLowerCase()] = v;
+        }
+        expect(lowered["x-tenant"]).toBe("acme");
+      } finally {
+        await server.stop();
+      }
+    });
+
+    it("omits headers when settings.headers is empty", async () => {
+      const config: MCPServerConfig = {
+        type: "streamable-http",
+        url: "http://localhost:3000/mcp",
+      };
+      const settings: InspectorServerSettings = {
+        headers: [],
+        metadata: [],
+        connectionTimeout: 0,
+        requestTimeout: 0,
+      };
+      const result = createTransportNode(config, { settings });
+      // Just exercise the empty-headers path — no transport construction
+      // should throw and no client connection is necessary.
+      expect(result.transport).toBeDefined();
+    });
   });
 });
diff --git a/clients/web/src/test/integration/mcp/remote/servers-route.test.ts b/clients/web/src/test/integration/mcp/remote/servers-route.test.ts
index c4c4c6066..a2b15dcb4 100644
--- a/clients/web/src/test/integration/mcp/remote/servers-route.test.ts
+++ b/clients/web/src/test/integration/mcp/remote/servers-route.test.ts
@@ -344,13 +344,19 @@ describe("/api/servers routes", () => {
       expect(res.status).toBe(400);
     });
 
-    it("rejects a missing config", async () => {
+    it("accepts a body with neither config nor settings (no-op patch)", async () => {
+      // Both fields are now optional patches. An empty body is a degenerate
+      // but valid request — it preserves both config and settings on disk.
       const res = await fetch(`${h.baseUrl}/api/servers/alpha`, {
         method: "PUT",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ id: "alpha" }),
       });
-      expect(res.status).toBe(400);
+      expect(res.status).toBe(200);
+      expect(readConfig(h.configPath).mcpServers.alpha).toEqual({
+        type: "stdio",
+        command: "old",
+      });
     });
 
     it("rejects malformed JSON body", async () => {
@@ -363,6 +369,429 @@ describe("/api/servers routes", () => {
     });
   });
 
+  describe("settings round-trip", () => {
+    it("persists a settings node on POST", async () => {
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "gamma",
+          config: { type: "streamable-http", url: "https://x.test/mcp" },
+          settings: {
+            headers: [{ key: "Authorization", value: "Bearer xyz" }],
+            metadata: [{ key: "tenant", value: "acme" }],
+            connectionTimeout: 30000,
+            requestTimeout: 60000,
+            oauthClientId: "client-abc",
+            oauthScopes: "read:tools",
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.gamma as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toEqual({
+        headers: [{ key: "Authorization", value: "Bearer xyz" }],
+        metadata: [{ key: "tenant", value: "acme" }],
+        connectionTimeout: 30000,
+        requestTimeout: 60000,
+        oauthClientId: "client-abc",
+        oauthScopes: "read:tools",
+      });
+    });
+
+    it("updates a settings node on PUT", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            delta: { type: "streamable-http", url: "https://x.test/mcp" },
+          },
+        }),
+      );
+      const res = await fetch(`${h.baseUrl}/api/servers/delta`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: { type: "streamable-http", url: "https://x.test/mcp" },
+          settings: {
+            headers: [{ key: "X-Tenant", value: "acme" }],
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 45000,
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.delta as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toEqual({
+        headers: [{ key: "X-Tenant", value: "acme" }],
+        metadata: [],
+        connectionTimeout: 0,
+        requestTimeout: 45000,
+      });
+    });
+
+    it("rejects a non-object settings field", async () => {
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "bad-settings",
+          config: { type: "stdio", command: "node" },
+          settings: "not-an-object",
+        }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    it("preserves the settings node when PUT omits it (no clobber on config-only save)", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            epsilon: {
+              type: "streamable-http",
+              url: "https://x.test/mcp",
+              settings: {
+                headers: [{ key: "X-Keep", value: "yes" }],
+                metadata: [],
+                connectionTimeout: 0,
+                requestTimeout: 0,
+              },
+            },
+          },
+        }),
+      );
+      // PUT without a settings field: the existing settings node must
+      // survive. A caller updating only the transport config (e.g. the
+      // server config modal) must not silently wipe persisted headers.
+      const res = await fetch(`${h.baseUrl}/api/servers/epsilon`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: { type: "streamable-http", url: "https://x.test/other" },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.epsilon as {
+        settings?: { headers: { key: string; value: string }[] };
+      };
+      expect(stored.settings).toBeDefined();
+      expect(stored.settings?.headers).toEqual([
+        { key: "X-Keep", value: "yes" },
+      ]);
+    });
+
+    it("clears the settings node when PUT sends settings: null (explicit intent)", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            zeta: {
+              type: "streamable-http",
+              url: "https://x.test/mcp",
+              settings: {
+                headers: [{ key: "X-Tenant", value: "acme" }],
+                metadata: [],
+                connectionTimeout: 0,
+                requestTimeout: 0,
+              },
+            },
+          },
+        }),
+      );
+      const res = await fetch(`${h.baseUrl}/api/servers/zeta`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: { type: "streamable-http", url: "https://x.test/mcp" },
+          settings: null,
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.zeta as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toBeUndefined();
+    });
+
+    it("rejects a malformed settings shape with 400", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            eta: { type: "stdio", command: "node" },
+          },
+        }),
+      );
+      const res = await fetch(`${h.baseUrl}/api/servers/eta`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: { type: "stdio", command: "node" },
+          // headers should be an array of {key, value}; "oops" is a string.
+          settings: {
+            headers: "oops",
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 0,
+          },
+        }),
+      });
+      expect(res.status).toBe(400);
+      const body = (await res.json()) as { error?: string };
+      expect(body.error).toMatch(/settings\.headers/);
+    });
+
+    it("accepts a settings-only PUT and preserves config from disk", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            theta: {
+              type: "streamable-http",
+              url: "https://x.test/mcp",
+            },
+          },
+        }),
+      );
+      const res = await fetch(`${h.baseUrl}/api/servers/theta`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          // No config — server should preserve the existing one inside its
+          // write lock and apply only the settings patch.
+          settings: {
+            headers: [{ key: "X-Tenant", value: "acme" }],
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 0,
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.theta as {
+        type?: string;
+        url?: string;
+        settings?: { headers: { key: string; value: string }[] };
+      };
+      expect(stored.type).toBe("streamable-http");
+      expect(stored.url).toBe("https://x.test/mcp");
+      expect(stored.settings?.headers).toEqual([
+        { key: "X-Tenant", value: "acme" },
+      ]);
+    });
+
+    it("rejects a non-object config on PUT with 400", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            iota: { type: "stdio", command: "node" },
+          },
+        }),
+      );
+      const res = await fetch(`${h.baseUrl}/api/servers/iota`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: "not-an-object",
+        }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    it("validateSettings coerces empty-string OAuth fields to absent (cleared inputs don't read as 'configured')", async () => {
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "empty-oauth",
+          config: { type: "streamable-http", url: "https://x.test/mcp" },
+          settings: {
+            headers: [],
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 0,
+            oauthClientId: "",
+            oauthClientSecret: "",
+            oauthScopes: "",
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers["empty-oauth"] as {
+        settings?: Record<string, unknown>;
+      };
+      expect(stored.settings).toBeDefined();
+      expect(stored.settings).not.toHaveProperty("oauthClientId");
+      expect(stored.settings).not.toHaveProperty("oauthClientSecret");
+      expect(stored.settings).not.toHaveProperty("oauthScopes");
+    });
+
+    it("validateSettings drops unknown keys (explicit pick-and-build, not spread)", async () => {
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "unknown-keys",
+          config: { type: "stdio", command: "node" },
+          settings: {
+            headers: [{ key: "X-A", value: "1" }],
+            metadata: [],
+            connectionTimeout: 0,
+            requestTimeout: 0,
+            // Unknown stowaway — must not survive the validator.
+            stowaway: { keep: "me" },
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers["unknown-keys"] as {
+        settings?: Record<string, unknown>;
+      };
+      expect(stored.settings).toBeDefined();
+      expect(stored.settings).not.toHaveProperty("stowaway");
+      expect(stored.settings).toEqual({
+        headers: [{ key: "X-A", value: "1" }],
+        metadata: [],
+        connectionTimeout: 0,
+        requestTimeout: 0,
+      });
+    });
+
+    it("strips smuggled config.settings on POST (validateSettings is the only write path)", async () => {
+      // `normalizeServerType` spreads unknown keys verbatim. Without the
+      // strip in buildStoredEntry, a body that nests `settings` inside
+      // `config` would land it on the stored entry without ever passing
+      // through `validateSettings`. Pin the strip.
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "smuggle-post",
+          config: {
+            type: "stdio",
+            command: "node",
+            settings: { bogus: true },
+          },
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers["smuggle-post"] as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toBeUndefined();
+    });
+
+    it("strips smuggled config.settings on PUT even when settings:null clears the real node", async () => {
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            smuggle: {
+              type: "stdio",
+              command: "node",
+              settings: {
+                headers: [{ key: "X-Real", value: "yes" }],
+                metadata: [],
+                connectionTimeout: 0,
+                requestTimeout: 0,
+              },
+            },
+          },
+        }),
+      );
+      // settings: null clears the real settings node; the bogus key nested
+      // under config must not re-attach via the spread inside normalizeServerType.
+      const res = await fetch(`${h.baseUrl}/api/servers/smuggle`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: {
+            type: "stdio",
+            command: "node",
+            settings: { bogus: true },
+          },
+          settings: null,
+        }),
+      });
+      expect(res.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.smuggle as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toBeUndefined();
+    });
+
+    it("rejects a settings array (not an object) with 400", async () => {
+      const res = await fetch(`${h.baseUrl}/api/servers`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          id: "arrays-not-allowed",
+          config: { type: "stdio", command: "node" },
+          settings: [],
+        }),
+      });
+      expect(res.status).toBe(400);
+      const body = (await res.json()) as { error?: string };
+      expect(body.error).toMatch(/object/);
+    });
+
+    it("strips a malformed settings node on read (lenient-on-read; preserve-on-PUT cannot propagate it)", async () => {
+      // Hand-edited mcp.json with a malformed `settings.headers` (string
+      // instead of array). The write-path validator would reject it, but a
+      // user could write it directly. GET should surface the entry with
+      // settings dropped, and a subsequent config-only PUT should not
+      // re-attach the broken node via the preserve branch.
+      writeFileSync(
+        h.configPath,
+        JSON.stringify({
+          mcpServers: {
+            broken: {
+              type: "streamable-http",
+              url: "https://x.test/mcp",
+              settings: {
+                headers: "oops",
+                metadata: [],
+                connectionTimeout: 0,
+                requestTimeout: 0,
+              },
+            },
+          },
+        }),
+      );
+
+      // GET surfaces the entry without the malformed settings.
+      const getRes = await fetch(`${h.baseUrl}/api/servers`);
+      expect(getRes.status).toBe(200);
+      const getBody = (await getRes.json()) as {
+        mcpServers: Record<string, { settings?: unknown }>;
+      };
+      expect(getBody.mcpServers.broken).toBeDefined();
+      expect(getBody.mcpServers.broken!.settings).toBeUndefined();
+
+      // PUT without settings preserves the (now-stripped) absence, not the
+      // original malformed node.
+      const putRes = await fetch(`${h.baseUrl}/api/servers/broken`, {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          config: { type: "streamable-http", url: "https://x.test/other" },
+        }),
+      });
+      expect(putRes.status).toBe(200);
+      const stored = readConfig(h.configPath).mcpServers.broken as {
+        settings?: unknown;
+      };
+      expect(stored.settings).toBeUndefined();
+    });
+  });
+
   describe("concurrent mutations", () => {
     it("does not lose updates when many adds fire in parallel (write-lock)", async () => {
       // Without the in-process mutex, concurrent POSTs would all read the
diff --git a/clients/web/src/test/integration/mcp/remote/transport.test.ts b/clients/web/src/test/integration/mcp/remote/transport.test.ts
index 51797d61c..b4e34f2a2 100644
--- a/clients/web/src/test/integration/mcp/remote/transport.test.ts
+++ b/clients/web/src/test/integration/mcp/remote/transport.test.ts
@@ -386,6 +386,63 @@ describe("Remote transport e2e", () => {
         await client.disconnect();
       }
     });
+
+    it("end-to-end: settings.headers reach the upstream MCP server (browser → backend → upstream)", async () => {
+      mcpHttpServer = createTestServerHttp({
+        serverInfo: createTestServerInfo(),
+        tools: [createEchoTool()],
+        serverType: "streamable-http",
+      });
+      await mcpHttpServer.start();
+
+      const { baseUrl, server, authToken } = await startRemoteServer(0);
+      remoteServer = server;
+
+      const config: MCPServerConfig = {
+        type: "streamable-http",
+        url: mcpHttpServer.url,
+      };
+      const serverSettings = {
+        headers: [
+          { key: "X-Tenant", value: "acme" },
+          { key: "X-Trace", value: "abc123" },
+        ],
+        metadata: [],
+        connectionTimeout: 0,
+        requestTimeout: 0,
+      };
+
+      const createTransport = createRemoteTransport({ baseUrl, authToken });
+      const client = new InspectorClient(config, {
+        environment: { transport: createTransport },
+        serverSettings,
+      });
+      const fetchRequestLogState = new FetchRequestLogState(client);
+
+      try {
+        await client.connect();
+        await client.listTools();
+
+        // Backend-side fetch tracking sees the upstream HTTP request with the
+        // settings.headers applied — this is the e2e contract from
+        // `ServerSettingsForm` → on-disk `settings.headers` → backend
+        // `createTransportNode` → SDK `requestInit.headers` → upstream wire.
+        const fetchRequests = fetchRequestLogState.getFetchRequests();
+        expect(fetchRequests.length).toBeGreaterThan(0);
+        const postRequest = fetchRequests.find((r) => r.method === "POST");
+        expect(postRequest).toBeDefined();
+        const lowered: Record<string, string> = {};
+        for (const [k, v] of Object.entries(
+          postRequest?.requestHeaders ?? {},
+        )) {
+          lowered[k.toLowerCase()] = v;
+        }
+        expect(lowered["x-tenant"]).toBe("acme");
+        expect(lowered["x-trace"]).toBe("abc123");
+      } finally {
+        await client.disconnect();
+      }
+    });
   });
 
   describe("authentication", () => {
diff --git a/clients/web/src/test/integration/server/web-server-config.test.ts b/clients/web/src/test/integration/server/web-server-config.test.ts
index 227955ebd..295d1dabe 100644
--- a/clients/web/src/test/integration/server/web-server-config.test.ts
+++ b/clients/web/src/test/integration/server/web-server-config.test.ts
@@ -233,12 +233,10 @@ describe("webServerConfigToInitialPayload", () => {
     cfg.initialMcpConfig = {
       type: "sse",
       url: "https://srv/sse",
-      headers: { "x-foo": "bar" },
     };
     const payload = webServerConfigToInitialPayload(cfg);
     expect(payload.defaultTransport).toBe("sse");
     expect(payload.defaultServerUrl).toBe("https://srv/sse");
-    expect(payload.defaultHeaders).toEqual({ "x-foo": "bar" });
   });
 
   it("emits streamable-http defaults", () => {
@@ -250,7 +248,6 @@ describe("webServerConfigToInitialPayload", () => {
     const payload = webServerConfigToInitialPayload(cfg);
     expect(payload.defaultTransport).toBe("streamable-http");
     expect(payload.defaultServerUrl).toBe("https://srv/mcp");
-    expect(payload.defaultHeaders).toBeUndefined();
   });
 
   it("falls back to streamable-http when the type discriminator is unknown", () => {
@@ -260,12 +257,10 @@ describe("webServerConfigToInitialPayload", () => {
     cfg.initialMcpConfig = {
       type: "unknown",
       url: "https://srv/other",
-      headers: { auth: "bearer" },
     } as unknown as WebServerConfig["initialMcpConfig"];
     const payload = webServerConfigToInitialPayload(cfg);
     expect(payload.defaultTransport).toBe("streamable-http");
     expect(payload.defaultServerUrl).toBe("https://srv/other");
-    expect(payload.defaultHeaders).toEqual({ auth: "bearer" });
   });
 });
 
diff --git a/core/mcp/inspectorClient.ts b/core/mcp/inspectorClient.ts
index 737638481..f91ea506d 100644
--- a/core/mcp/inspectorClient.ts
+++ b/core/mcp/inspectorClient.ts
@@ -6,6 +6,7 @@ import type {
   MessageEntry,
   FetchRequestEntry,
   FetchRequestEntryBase,
+  InspectorServerSettings,
   ResourceReadInvocation,
   ResourceTemplateReadInvocation,
   PromptGetInvocation,
@@ -142,6 +143,8 @@ export class InspectorClient extends InspectorClientEventTarget {
   private progress: boolean;
   private resetTimeoutOnProgress: boolean;
   private requestTimeout: number | undefined;
+  private defaultMetadata: Record<string, string> | undefined;
+  private serverSettings: InspectorServerSettings | undefined;
   private status: ConnectionStatus = "disconnected";
   // Server data (resources, resourceTemplates, prompts are in state managers)
   private capabilities?: ServerCapabilities;
@@ -197,6 +200,11 @@ export class InspectorClient extends InspectorClientEventTarget {
     this.progress = options.progress ?? true;
     this.resetTimeoutOnProgress = options.resetTimeoutOnProgress ?? true;
     this.requestTimeout = options.timeout;
+    this.defaultMetadata =
+      options.defaultMetadata && Object.keys(options.defaultMetadata).length > 0
+        ? options.defaultMetadata
+        : undefined;
+    this.serverSettings = options.serverSettings;
     // Only set roots if explicitly provided (even if empty array) - this enables roots capability
     this.roots = options.roots;
     // Initialize listChangedNotifications config (default: all enabled)
@@ -368,6 +376,23 @@ export class InspectorClient extends InspectorClientEventTarget {
    * @param progressToken Optional token from request metadata; injected into progressNotification
    * events when provided (not sent to server).
    */
+  /**
+   * Merge per-call metadata with this client's `defaultMetadata` (from
+   * `InspectorClientOptions.defaultMetadata`, set from
+   * `InspectorServerSettings.metadata`). Call-time keys override defaults.
+   * Returns `undefined` when the combined map is empty so callers can skip
+   * injecting an empty `_meta` field.
+   */
+  private mergeMeta(
+    callMetadata?: Record<string, string>,
+  ): Record<string, string> | undefined {
+    const defaults = this.defaultMetadata;
+    const hasDefaults = defaults && Object.keys(defaults).length > 0;
+    const hasCall = callMetadata && Object.keys(callMetadata).length > 0;
+    if (!hasDefaults && !hasCall) return undefined;
+    return { ...(defaults ?? {}), ...(callMetadata ?? {}) };
+  }
+
   private getRequestOptions(progressToken?: ProgressToken): RequestOptions {
     const opts: RequestOptions = {
       resetTimeoutOnProgress: this.resetTimeoutOnProgress,
@@ -544,6 +569,7 @@ export class InspectorClient extends InspectorClientEventTarget {
         onFetchRequest: (entry: FetchRequestEntryBase) => {
           this.dispatchFetchRequest({ ...entry, category: "transport" });
         },
+        ...(this.serverSettings && { settings: this.serverSettings }),
       };
       const oauthManager = this.oauthManager;
       if (this.isHttpOAuthConfig() && oauthManager) {
@@ -571,7 +597,45 @@ export class InspectorClient extends InspectorClientEventTarget {
       this.status = "connecting";
       this.dispatchTypedEvent("statusChange", this.status);
 
-      await this.client.connect(this.transport);
+      // Optional connect-time timeout from per-server settings. The MCP SDK
+      // has no connect-time timeout option, so we wrap the handshake in a
+      // Promise.race. On timeout, tear the transport down so the next
+      // connect() starts clean and the upstream socket isn't left hanging.
+      const connectTimeoutMs = this.serverSettings?.connectionTimeout ?? 0;
+      const connectPromise = this.client.connect(this.transport);
+      if (connectTimeoutMs > 0) {
+        // Absorb any late rejection from `connectPromise` — when the timeout
+        // wins the race and `disconnect()` tears the transport down, real
+        // transports (SSE / streamable-http) reject the in-flight handshake
+        // *after* Promise.race has already settled. Without a handler here
+        // Node emits an unhandledRejection warning (and in test runs vitest
+        // can surface it as a suite failure). Only needed on the race path;
+        // the await-only branch below propagates rejection cleanly through
+        // the outer try/catch.
+        connectPromise.catch(() => {});
+        let timer: ReturnType<typeof setTimeout> | undefined;
+        const timeoutPromise = new Promise<never>((_, reject) => {
+          timer = setTimeout(
+            () =>
+              reject(
+                new Error(
+                  `Connection timed out after ${connectTimeoutMs} ms`,
+                ),
+              ),
+            connectTimeoutMs,
+          );
+        });
+        try {
+          await Promise.race([connectPromise, timeoutPromise]);
+        } catch (err) {
+          await this.disconnect().catch(() => {});
+          throw err;
+        } finally {
+          if (timer) clearTimeout(timer);
+        }
+      } else {
+        await connectPromise;
+      }
       this.status = "connected";
       this.dispatchTypedEvent("statusChange", this.status);
       this.dispatchTypedEvent("connect");
@@ -1189,10 +1253,9 @@ export class InspectorClient extends InspectorClientEventTarget {
     if (!this.client) {
       throw new Error("Client is not connected");
     }
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: ListToolsRequest["params"] = {
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
       ...(cursor ? { cursor } : {}),
     };
     const response = await this.client.listTools(
@@ -1242,20 +1305,16 @@ export class InspectorClient extends InspectorClientEventTarget {
         convertedArgs = { ...args, ...convertedStringArgs };
       }
 
-      // Merge general metadata with tool-specific metadata
-      let mergedMetadata: Record<string, string> | undefined;
-      if (generalMetadata || toolSpecificMetadata) {
-        mergedMetadata = {
-          ...(generalMetadata || {}),
-          ...(toolSpecificMetadata || {}),
-        };
-      }
+      // Merge general metadata with tool-specific metadata; tool-specific wins.
+      const callMetadata: Record<string, string> | undefined =
+        generalMetadata || toolSpecificMetadata
+          ? { ...(generalMetadata || {}), ...(toolSpecificMetadata || {}) }
+          : undefined;
 
       const timestamp = new Date();
-      const metadata =
-        mergedMetadata && Object.keys(mergedMetadata).length > 0
-          ? mergedMetadata
-          : undefined;
+      // Fold in this client's defaultMetadata so server-wide _meta reaches
+      // the wire even when the caller passed nothing.
+      const metadata = this.mergeMeta(callMetadata);
 
       const callParams: {
         name: string;
@@ -1298,19 +1357,13 @@ export class InspectorClient extends InspectorClientEventTarget {
       return invocation;
     } catch (error) {
       // Merge general metadata with tool-specific metadata for error case
-      let mergedMetadata: Record<string, string> | undefined;
-      if (generalMetadata || toolSpecificMetadata) {
-        mergedMetadata = {
-          ...(generalMetadata || {}),
-          ...(toolSpecificMetadata || {}),
-        };
-      }
+      const callMetadata: Record<string, string> | undefined =
+        generalMetadata || toolSpecificMetadata
+          ? { ...(generalMetadata || {}), ...(toolSpecificMetadata || {}) }
+          : undefined;
 
       const timestamp = new Date();
-      const metadata =
-        mergedMetadata && Object.keys(mergedMetadata).length > 0
-          ? mergedMetadata
-          : undefined;
+      const metadata = this.mergeMeta(callMetadata);
 
       const invocation: ToolCallInvocation = {
         toolName: tool.name,
@@ -1369,20 +1422,14 @@ export class InspectorClient extends InspectorClientEventTarget {
         convertedArgs = { ...args, ...convertedStringArgs };
       }
 
-      // Merge general metadata with tool-specific metadata
-      let mergedMetadata: Record<string, string> | undefined;
-      if (generalMetadata || toolSpecificMetadata) {
-        mergedMetadata = {
-          ...(generalMetadata || {}),
-          ...(toolSpecificMetadata || {}),
-        };
-      }
+      // Merge general metadata with tool-specific metadata; tool-specific wins.
+      const callMetadata: Record<string, string> | undefined =
+        generalMetadata || toolSpecificMetadata
+          ? { ...(generalMetadata || {}), ...(toolSpecificMetadata || {}) }
+          : undefined;
 
       const timestamp = new Date();
-      const metadata =
-        mergedMetadata && Object.keys(mergedMetadata).length > 0
-          ? mergedMetadata
-          : undefined;
+      const metadata = this.mergeMeta(callMetadata);
 
       // Call the streaming API
       const streamParams: Record<string, unknown> = {
@@ -1531,19 +1578,13 @@ export class InspectorClient extends InspectorClientEventTarget {
       return invocation;
     } catch (error) {
       // Merge general metadata with tool-specific metadata for error case
-      let mergedMetadata: Record<string, string> | undefined;
-      if (generalMetadata || toolSpecificMetadata) {
-        mergedMetadata = {
-          ...(generalMetadata || {}),
-          ...(toolSpecificMetadata || {}),
-        };
-      }
+      const callMetadata: Record<string, string> | undefined =
+        generalMetadata || toolSpecificMetadata
+          ? { ...(generalMetadata || {}), ...(toolSpecificMetadata || {}) }
+          : undefined;
 
       const timestamp = new Date();
-      const metadata =
-        mergedMetadata && Object.keys(mergedMetadata).length > 0
-          ? mergedMetadata
-          : undefined;
+      const metadata = this.mergeMeta(callMetadata);
 
       this.dispatchTypedEvent("toolCallResultChange", {
         toolName: tool.name,
@@ -1572,10 +1613,9 @@ export class InspectorClient extends InspectorClientEventTarget {
     if (!this.client) {
       throw new Error("Client is not connected");
     }
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: ListResourcesRequest["params"] = {
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
       ...(cursor ? { cursor } : {}),
     };
     const response = await this.client.listResources(
@@ -1601,11 +1641,10 @@ export class InspectorClient extends InspectorClientEventTarget {
     if (!this.client) {
       throw new Error("Client is not connected");
     }
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: ReadResourceRequest["params"] = {
       uri,
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
     };
     const result = await this.client.readResource(
       params,
@@ -1615,7 +1654,7 @@ export class InspectorClient extends InspectorClientEventTarget {
       result,
       timestamp: new Date(),
       uri,
-      metadata,
+      metadata: effectiveMeta,
     };
     this.dispatchTypedEvent("resourceContentChange", {
       uri,
@@ -1660,14 +1699,15 @@ export class InspectorClient extends InspectorClientEventTarget {
     // Always fetch fresh content: Call readResource with expanded URI
     const readInvocation = await this.readResource(expandedUri, metadata);
 
-    // Create the template invocation object
+    // Create the template invocation object. Use the merged metadata recorded
+    // by readResource so the template-level history matches what was sent.
     const invocation: ResourceTemplateReadInvocation = {
       uriTemplate: uriTemplateString,
       expandedUri,
       result: readInvocation.result,
       timestamp: readInvocation.timestamp,
       params,
-      metadata,
+      metadata: readInvocation.metadata,
     };
 
     this.dispatchTypedEvent("resourceTemplateContentChange", {
@@ -1693,10 +1733,9 @@ export class InspectorClient extends InspectorClientEventTarget {
     if (!this.client) {
       throw new Error("Client is not connected");
     }
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: ListResourceTemplatesRequest["params"] = {
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
       ...(cursor ? { cursor } : {}),
     };
     const response = await this.client.listResourceTemplates(
@@ -1722,10 +1761,9 @@ export class InspectorClient extends InspectorClientEventTarget {
     if (!this.client) {
       throw new Error("Client is not connected");
     }
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: ListPromptsRequest["params"] = {
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
       ...(cursor ? { cursor } : {}),
     };
     const response = await this.client.listPrompts(
@@ -1756,12 +1794,11 @@ export class InspectorClient extends InspectorClientEventTarget {
     // Convert all arguments to strings for prompt arguments
     const stringArgs = args ? convertPromptArguments(args) : {};
 
+    const effectiveMeta = this.mergeMeta(metadata);
     const params: GetPromptRequest["params"] = {
       name,
       arguments: stringArgs,
-      ...(metadata && Object.keys(metadata).length > 0
-        ? { _meta: metadata }
-        : {}),
+      ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
     };
 
     const result = await this.client.getPrompt(
@@ -1774,7 +1811,7 @@ export class InspectorClient extends InspectorClientEventTarget {
       timestamp: new Date(),
       name,
       params: Object.keys(stringArgs).length > 0 ? stringArgs : undefined,
-      metadata,
+      metadata: effectiveMeta,
     };
 
     this.dispatchTypedEvent("promptContentChange", {
@@ -1810,6 +1847,7 @@ export class InspectorClient extends InspectorClientEventTarget {
     }
 
     try {
+      const effectiveMeta = this.mergeMeta(metadata);
       const params: CompleteRequest["params"] = {
         ref,
         argument: {
@@ -1817,9 +1855,7 @@ export class InspectorClient extends InspectorClientEventTarget {
           value: argumentValue,
         },
         ...(context ? { context: { arguments: context } } : {}),
-        ...(metadata && Object.keys(metadata).length > 0
-          ? { _meta: metadata }
-          : {}),
+        ...(effectiveMeta ? { _meta: effectiveMeta } : {}),
       };
 
       const response = await this.client.complete(
diff --git a/core/mcp/node/config.ts b/core/mcp/node/config.ts
index 1e9353486..3a0899419 100644
--- a/core/mcp/node/config.ts
+++ b/core/mcp/node/config.ts
@@ -22,7 +22,6 @@ export interface ServerConfigOptions {
   serverUrl?: string;
   cwd?: string;
   env?: Record<string, string>;
-  headers?: Record<string, string>;
 }
 
 /**
@@ -164,15 +163,9 @@ function buildConfigFromOptions(options: ServerConfigOptions): MCPServerConfig {
     }
     if (transportType === "sse") {
       const config: SseServerConfig = { type: "sse", url };
-      if (options.headers && Object.keys(options.headers).length > 0) {
-        config.headers = options.headers;
-      }
       return config;
     }
     const config: StreamableHttpServerConfig = { type: "streamable-http", url };
-    if (options.headers && Object.keys(options.headers).length > 0) {
-      config.headers = options.headers;
-    }
     return config;
   }
 
@@ -194,13 +187,15 @@ function buildConfigFromOptions(options: ServerConfigOptions): MCPServerConfig {
   return config;
 }
 
-/** Apply env/cwd overrides to a stdio config; headers to sse/streamable-http. */
+/** Apply env/cwd overrides to a stdio config. SSE / streamable-http configs
+ * carry no overridable per-request fields here — custom headers live in
+ * `InspectorServerSettings.headers` (the persisted per-server settings node),
+ * not on `MCPServerConfig`. */
 function applyOverrides(
   config: MCPServerConfig,
   overrides: {
     env?: Record<string, string>;
     cwd?: string;
-    headers?: Record<string, string>;
   },
 ): MCPServerConfig {
   if (config.type === "stdio") {
@@ -211,13 +206,6 @@ function applyOverrides(
     if (overrides.cwd) c.cwd = overrides.cwd;
     return c;
   }
-  if (config.type === "sse" || config.type === "streamable-http") {
-    const c = { ...config };
-    if (overrides.headers && Object.keys(overrides.headers).length > 0) {
-      c.headers = { ...(c.headers ?? {}), ...overrides.headers };
-    }
-    return c;
-  }
   return config;
 }
 
@@ -248,7 +236,6 @@ export function resolveServerConfigs(
         applyOverrides(config, {
           env: options.env,
           cwd: options.cwd,
-          headers: options.headers,
         }),
       ];
     }
@@ -270,7 +257,6 @@ export function resolveServerConfigs(
         applyOverrides(config, {
           env: options.env,
           cwd: options.cwd,
-          headers: options.headers,
         }),
       ];
     }
@@ -280,7 +266,7 @@ export function resolveServerConfigs(
   if (mode === "multi") {
     if (hasConfigPath && hasAdHoc) {
       throw new Error(
-        "In multi-server mode with a config file, do not pass --transport, --server-url, or positional command/URL. Use only --config with optional -e, --cwd, --header.",
+        "In multi-server mode with a config file, do not pass --transport, --server-url, or positional command/URL. Use only --config with optional -e, --cwd.",
       );
     }
     if (hasConfigPath && options.configPath) {
@@ -290,7 +276,6 @@ export function resolveServerConfigs(
         applyOverrides({ ...c } as MCPServerConfig, {
           env: options.env,
           cwd: options.cwd,
-          headers: options.headers,
         }),
       );
       return configs;
@@ -320,7 +305,7 @@ export function getNamedServerConfigs(
   }
   if (hasAdHoc) {
     throw new Error(
-      "With a config file, do not pass --transport, --server-url, or positional command/URL. Use only --config with optional -e, --cwd, --header.",
+      "With a config file, do not pass --transport, --server-url, or positional command/URL. Use only --config with optional -e, --cwd.",
     );
   }
 
@@ -332,7 +317,6 @@ export function getNamedServerConfigs(
       {
         env: options.env,
         cwd: options.cwd,
-        headers: options.headers,
       },
     );
   }
diff --git a/core/mcp/node/transport.ts b/core/mcp/node/transport.ts
index 4d894e053..c74936b5c 100644
--- a/core/mcp/node/transport.ts
+++ b/core/mcp/node/transport.ts
@@ -6,12 +6,30 @@ import type {
   StreamableHttpServerConfig,
   CreateTransportOptions,
   CreateTransportResult,
+  InspectorServerSettings,
 } from "../types.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { createFetchTracker } from "../fetchTracking.js";
 
+/**
+ * Build the wire `headers` record from `settings.headers`, dropping rows with
+ * empty keys (the form lets users leave new rows blank). Returns `undefined`
+ * when the result is empty so we can omit the field instead of sending `{}`.
+ */
+function headersFromSettings(
+  settings: InspectorServerSettings | undefined,
+): Record<string, string> | undefined {
+  if (!settings || settings.headers.length === 0) return undefined;
+  const out: Record<string, string> = {};
+  for (const { key, value } of settings.headers) {
+    if (key.trim() === "") continue;
+    out[key] = value;
+  }
+  return Object.keys(out).length > 0 ? out : undefined;
+}
+
 /**
  * Creates the appropriate transport for an MCP server configuration.
  */
@@ -26,6 +44,7 @@ export function createTransportNode(
     pipeStderr = false,
     onFetchRequest,
     authProvider,
+    settings,
   } = options;
 
   const baseFetch = optionsFetchFn ?? globalThis.fetch;
@@ -64,15 +83,17 @@ export function createTransportNode(
       ? createFetchTracker(sseFetch, { trackRequest: onFetchRequest })
       : sseFetch;
 
+    const headers = headersFromSettings(settings);
+
     const eventSourceInit: Record<string, unknown> = {
       ...sseConfig.eventSourceInit,
-      ...(sseConfig.headers && { headers: sseConfig.headers }),
+      ...(headers && { headers }),
       fetch: trackedFetch,
     };
 
     const requestInit: RequestInit = {
       ...sseConfig.requestInit,
-      ...(sseConfig.headers && { headers: sseConfig.headers }),
+      ...(headers && { headers }),
     };
 
     const postFetch = onFetchRequest
@@ -92,9 +113,11 @@ export function createTransportNode(
     const httpConfig = config as StreamableHttpServerConfig;
     const url = new URL(httpConfig.url);
 
+    const headers = headersFromSettings(settings);
+
     const requestInit: RequestInit = {
       ...httpConfig.requestInit,
-      ...(httpConfig.headers && { headers: httpConfig.headers }),
+      ...(headers && { headers }),
     };
 
     const transportFetch = onFetchRequest
diff --git a/core/mcp/remote/createRemoteTransport.ts b/core/mcp/remote/createRemoteTransport.ts
index a4842b99f..adcf6c4f9 100644
--- a/core/mcp/remote/createRemoteTransport.ts
+++ b/core/mcp/remote/createRemoteTransport.ts
@@ -58,6 +58,7 @@ export function createRemoteTransport(
         onStderr: transportOptions.onStderr,
         onFetchRequest: transportOptions.onFetchRequest,
         authProvider: transportOptions.authProvider,
+        settings: transportOptions.settings,
       },
       config,
     );
diff --git a/core/mcp/remote/node/server.ts b/core/mcp/remote/node/server.ts
index a2c161d0c..cf90aba97 100644
--- a/core/mcp/remote/node/server.ts
+++ b/core/mcp/remote/node/server.ts
@@ -23,7 +23,12 @@ import type { Context, Env, Next } from "hono";
 import { streamSSE } from "hono/streaming";
 import { createTransportNode } from "../../node/transport.js";
 import type { RemoteConnectRequest, RemoteSendRequest } from "../types.js";
-import type { MCPConfig, MCPServerConfig } from "../../types.js";
+import type {
+  InspectorServerSettings,
+  MCPConfig,
+  MCPServerConfig,
+  StoredMCPServer,
+} from "../../types.js";
 import {
   DEFAULT_SEED_CONFIG,
   normalizeServerType,
@@ -40,7 +45,6 @@ export interface InitialConfigPayload {
   defaultArgs?: string[];
   defaultTransport?: string;
   defaultServerUrl?: string;
-  defaultHeaders?: Record<string, string>;
   defaultCwd?: string;
   defaultEnvironment: Record<string, string>;
 }
@@ -295,6 +299,7 @@ export function createRemoteApp(
         onStderr: (entry) => session.onStderr(entry),
         onFetchRequest: (entry) => session.onFetchRequest(entry),
         authProvider,
+        settings: body.settings,
       });
       transport = result.transport;
     } catch (err) {
@@ -630,19 +635,162 @@ export function createRemoteApp(
   // --- /api/servers (server list backed by mcp.json) ---
 
   // Defensive normalize so editor-edited files with type:"http" or missing
-  // type round-trip into the canonical form on every read.
-  const normalizeMcpServers = (raw: unknown): Record<string, MCPServerConfig> => {
+  // type round-trip into the canonical form on every read. Settings that
+  // fail `validateSettings` are silently stripped (lenient-on-read pattern
+  // matching `normalizeServerType`'s unknown→stdio fallback) so a malformed
+  // hand-edit can't propagate through preserve-on-PUT.
+  const normalizeMcpServers = (raw: unknown): Record<string, StoredMCPServer> => {
     if (!raw || typeof raw !== "object") return {};
-    const out: Record<string, MCPServerConfig> = {};
+    const out: Record<string, StoredMCPServer> = {};
     for (const [id, val] of Object.entries(raw as Record<string, unknown>)) {
       if (!val || typeof val !== "object") continue;
-      out[id] = normalizeServerType(
+      const normalized = normalizeServerType(
         val as Record<string, unknown> & { type?: string },
-      );
+      ) as StoredMCPServer;
+      if (normalized.settings !== undefined) {
+        const checked = validateSettings(normalized.settings);
+        if (checked.ok) {
+          normalized.settings = checked.value;
+        } else {
+          delete normalized.settings;
+        }
+      }
+      out[id] = normalized;
     }
     return out;
   };
 
+  // Build a single on-disk entry from `{ config, settings }`, normalizing the
+  // type discriminator and attaching settings only when defined.
+  //
+  // `normalizeServerType` spreads unknown keys from the incoming config
+  // through verbatim, so a caller that included `config.settings` on the
+  // wire would smuggle a `settings` field straight onto the stored entry —
+  // bypassing `validateSettings`. Strip it here so `validateSettings`
+  // remains the single write path for the settings node. Log a warning if
+  // we observe this — it indicates a client bug (settings should travel
+  // through the body's top-level `settings` field, not nested in config).
+  //
+  // `id` is threaded through purely so the warning correlates to a
+  // specific entry; the route ultimately reaches here via POST or PUT and
+  // both know the target id at call time.
+  const buildStoredEntry = (
+    id: string,
+    config: unknown,
+    settings: InspectorServerSettings | undefined,
+  ): StoredMCPServer => {
+    // `unknown` parameter contract: be honest about the shape rather than
+    // assuming the route layer's pre-checks. The route handlers do reject
+    // non-object config before reaching here, but this helper should stay
+    // safe to call from anywhere.
+    const configObj: Record<string, unknown> =
+      config !== null && typeof config === "object"
+        ? (config as Record<string, unknown>)
+        : {};
+    if ("settings" in configObj) {
+      fileLogger?.warn(
+        { route: "/api/servers", id, smuggledKey: "settings" },
+        "Stripping `settings` key from request body's `config` — settings must travel through the top-level `settings` field, not nested inside `config`.",
+      );
+    }
+    const { settings: _smuggled, ...configOnly } = configObj;
+    const normalized = normalizeServerType(
+      configOnly as Record<string, unknown> & { type?: string },
+    ) as StoredMCPServer;
+    if (settings !== undefined) {
+      normalized.settings = settings;
+    }
+    return normalized;
+  };
+
+  // Structurally validates an InspectorServerSettings payload off the wire so
+  // a malformed body can't persist to disk and crash the UI later (e.g.
+  // `settings: []` or `settings: { headers: "oops" }`). Mirrors the lenient
+  // read on `normalizeMcpServers` so the only fully-trusted invariant is
+  // "what we accept on the write path."
+  const validateSettings = (
+    raw: unknown,
+  ):
+    | { ok: true; value: InspectorServerSettings }
+    | { ok: false; error: string } => {
+    if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
+      return { ok: false, error: "settings must be an object" };
+    }
+    const obj = raw as Record<string, unknown>;
+    const isKvArray = (v: unknown): v is { key: string; value: string }[] => {
+      if (!Array.isArray(v)) return false;
+      return v.every(
+        (e) =>
+          e !== null &&
+          typeof e === "object" &&
+          typeof (e as Record<string, unknown>).key === "string" &&
+          typeof (e as Record<string, unknown>).value === "string",
+      );
+    };
+    if (!isKvArray(obj.headers)) {
+      return {
+        ok: false,
+        error: "settings.headers must be an array of { key, value }",
+      };
+    }
+    if (!isKvArray(obj.metadata)) {
+      return {
+        ok: false,
+        error: "settings.metadata must be an array of { key, value }",
+      };
+    }
+    if (
+      typeof obj.connectionTimeout !== "number" ||
+      obj.connectionTimeout < 0
+    ) {
+      return {
+        ok: false,
+        error: "settings.connectionTimeout must be a non-negative number",
+      };
+    }
+    if (typeof obj.requestTimeout !== "number" || obj.requestTimeout < 0) {
+      return {
+        ok: false,
+        error: "settings.requestTimeout must be a non-negative number",
+      };
+    }
+    for (const optional of [
+      "oauthClientId",
+      "oauthClientSecret",
+      "oauthScopes",
+    ] as const) {
+      if (obj[optional] !== undefined && typeof obj[optional] !== "string") {
+        return { ok: false, error: `settings.${optional} must be a string` };
+      }
+    }
+    // Build the validated value from explicitly named fields rather than
+    // casting the raw object through. Unknown keys silently drop so a
+    // misconfigured client can't smuggle stowaways onto disk, and consumers
+    // can rely on the validated shape being exactly InspectorServerSettings.
+    // Empty-string OAuth fields coerce to absent — the form emits `""` when
+    // the user clears an input, and an empty `oauthClientId` on disk would
+    // later be misread as "OAuth configured."
+    const value: InspectorServerSettings = {
+      headers: obj.headers as { key: string; value: string }[],
+      metadata: obj.metadata as { key: string; value: string }[],
+      connectionTimeout: obj.connectionTimeout as number,
+      requestTimeout: obj.requestTimeout as number,
+    };
+    if (typeof obj.oauthClientId === "string" && obj.oauthClientId !== "") {
+      value.oauthClientId = obj.oauthClientId;
+    }
+    if (
+      typeof obj.oauthClientSecret === "string" &&
+      obj.oauthClientSecret !== ""
+    ) {
+      value.oauthClientSecret = obj.oauthClientSecret;
+    }
+    if (typeof obj.oauthScopes === "string" && obj.oauthScopes !== "") {
+      value.oauthScopes = obj.oauthScopes;
+    }
+    return { ok: true, value };
+  };
+
   // In-process serialization for the read-modify-write flow on the
   // mutating routes (POST/PUT/DELETE). `atomically` guarantees torn-write
   // safety on the file itself, but two concurrent requests can both read the
@@ -695,9 +843,13 @@ export function createRemoteApp(
   });
 
   app.post("/api/servers", async (c) => {
-    let body: { id?: unknown; config?: unknown };
+    let body: { id?: unknown; config?: unknown; settings?: unknown };
     try {
-      body = (await c.req.json()) as { id?: unknown; config?: unknown };
+      body = (await c.req.json()) as {
+        id?: unknown;
+        config?: unknown;
+        settings?: unknown;
+      };
     } catch {
       return c.json({ error: "Invalid JSON body" }, 400);
     }
@@ -713,6 +865,14 @@ export function createRemoteApp(
     if (!body.config || typeof body.config !== "object") {
       return c.json({ error: "Missing or invalid config" }, 400);
     }
+    // Settings on POST: optional. `undefined` → no settings node persisted.
+    // Any provided value must structurally match InspectorServerSettings.
+    let postSettings: InspectorServerSettings | undefined;
+    if (body.settings !== undefined && body.settings !== null) {
+      const validated = validateSettings(body.settings);
+      if (!validated.ok) return c.json({ error: validated.error }, 400);
+      postSettings = validated.value;
+    }
     const id = body.id;
 
     try {
@@ -721,8 +881,10 @@ export function createRemoteApp(
         if (id in current.mcpServers) {
           return c.json({ error: `Server '${id}' already exists` }, 409);
         }
-        current.mcpServers[id] = normalizeServerType(
-          body.config as Record<string, unknown> & { type?: string },
+        current.mcpServers[id] = buildStoredEntry(
+          id,
+          body.config,
+          postSettings,
         );
         await writeStoreFile(mcpConfigPath, serializeStore(current));
         return c.json({ ok: true });
@@ -738,14 +900,48 @@ export function createRemoteApp(
     if (!originalId || !validateStoreId(originalId)) {
       return c.json({ error: "Invalid id" }, 400);
     }
-    let body: { id?: unknown; config?: unknown };
+    let body: { id?: unknown; config?: unknown; settings?: unknown };
     try {
-      body = (await c.req.json()) as { id?: unknown; config?: unknown };
+      body = (await c.req.json()) as {
+        id?: unknown;
+        config?: unknown;
+        settings?: unknown;
+      };
     } catch {
       return c.json({ error: "Invalid JSON body" }, 400);
     }
-    if (!body.config || typeof body.config !== "object") {
-      return c.json({ error: "Missing or invalid config" }, 400);
+    // Config on PUT: optional. If the field is omitted, preserve the
+    // existing transport config from disk. This makes "patch only settings"
+    // a first-class shape — callers like updateServerSettings don't have to
+    // snapshot the current config off in-memory state (which could race
+    // against a concurrent refresh and silently revert a separate edit).
+    // A provided config must structurally be an object; we let
+    // `normalizeServerType` do the lenient type coercion downstream.
+    if (
+      body.config !== undefined &&
+      (body.config === null || typeof body.config !== "object")
+    ) {
+      return c.json({ error: "Invalid config" }, 400);
+    }
+    // Settings on PUT have three intents:
+    //   - field omitted (`undefined`)  → preserve the existing settings node
+    //   - explicit `null`              → clear the settings node
+    //   - a settings object            → validate and apply
+    // Preserving on omission means callers that only want to update config
+    // (e.g. ServerConfigModal save) don't silently wipe persisted settings.
+    type SettingsIntent =
+      | { kind: "preserve" }
+      | { kind: "clear" }
+      | { kind: "apply"; value: InspectorServerSettings };
+    let settingsIntent: SettingsIntent;
+    if (body.settings === undefined) {
+      settingsIntent = { kind: "preserve" };
+    } else if (body.settings === null) {
+      settingsIntent = { kind: "clear" };
+    } else {
+      const validated = validateSettings(body.settings);
+      if (!validated.ok) return c.json({ error: validated.error }, 400);
+      settingsIntent = { kind: "apply", value: validated.value };
     }
     const newId = typeof body.id === "string" ? body.id : originalId;
     if (!validateStoreId(newId)) {
@@ -761,13 +957,38 @@ export function createRemoteApp(
         if (newId !== originalId && newId in current.mcpServers) {
           return c.json({ error: `Server '${newId}' already exists` }, 409);
         }
-        // Rebuild preserving insertion order; replace the original key in place
-        // so the file diff stays minimal when not renaming.
+        // Rebuild preserving insertion order; replace the original key in
+        // place so the file diff stays minimal when not renaming. Writing
+        // the full map back also means normalize-on-read self-heals any
+        // malformed settings node on *other* servers in the file — a
+        // deliberate side-effect of using `readMcpConfig` + full rewrite
+        // here.
+        const existing = current.mcpServers[originalId]!;
+        // Split the existing entry into its config (everything except
+        // settings) and its settings, then apply patch semantics from the
+        // body to each.
+        const { settings: _existingSettings, ...existingConfig } = existing;
+        const nextConfig =
+          body.config !== undefined ? body.config : existingConfig;
+        let nextSettings: InspectorServerSettings | undefined;
+        switch (settingsIntent.kind) {
+          case "preserve":
+            nextSettings = existing.settings;
+            break;
+          case "clear":
+            nextSettings = undefined;
+            break;
+          case "apply":
+            nextSettings = settingsIntent.value;
+            break;
+        }
         const next: MCPConfig = { mcpServers: {} };
         for (const [key, val] of Object.entries(current.mcpServers)) {
           if (key === originalId) {
-            next.mcpServers[newId] = normalizeServerType(
-              body.config as Record<string, unknown> & { type?: string },
+            next.mcpServers[newId] = buildStoredEntry(
+              newId,
+              nextConfig,
+              nextSettings,
             );
           } else {
             next.mcpServers[key] = val;
diff --git a/core/mcp/remote/remoteClientTransport.ts b/core/mcp/remote/remoteClientTransport.ts
index dcec6e448..08329bbca 100644
--- a/core/mcp/remote/remoteClientTransport.ts
+++ b/core/mcp/remote/remoteClientTransport.ts
@@ -11,7 +11,7 @@ import type {
   JSONRPCMessage,
   MessageExtraInfo,
 } from "@modelcontextprotocol/sdk/types.js";
-import type { StderrLogEntry } from "../types.js";
+import type { InspectorServerSettings, StderrLogEntry } from "../types.js";
 import type { FetchRequestEntryBase } from "../types.js";
 import type {
   RemoteConnectRequest,
@@ -37,6 +37,13 @@ export interface RemoteTransportOptions {
 
   /** Optional OAuth client provider for Bearer authentication */
   authProvider?: import("@modelcontextprotocol/sdk/client/auth.js").OAuthClientProvider;
+
+  /**
+   * Optional per-server settings forwarded in the /api/mcp/connect body.
+   * The backend uses settings.headers as the source of truth for transport
+   * custom headers (SSE / streamable-http).
+   */
+  settings?: InspectorServerSettings;
 }
 
 /**
@@ -160,6 +167,7 @@ export class RemoteClientTransport implements Transport {
     const body: RemoteConnectRequest = {
       config: this.config,
       oauthTokens,
+      ...(this.options.settings && { settings: this.options.settings }),
     };
 
     const res = await this.fetchFn(`${this.baseUrl}/api/mcp/connect`, {
diff --git a/core/mcp/remote/types.ts b/core/mcp/remote/types.ts
index 34331e232..0ec823ed4 100644
--- a/core/mcp/remote/types.ts
+++ b/core/mcp/remote/types.ts
@@ -2,12 +2,22 @@
  * Types for the remote transport protocol.
  */
 
-import type { MCPServerConfig, FetchRequestEntryBase } from "../types.js";
+import type {
+  MCPServerConfig,
+  FetchRequestEntryBase,
+  InspectorServerSettings,
+} from "../types.js";
 import type { JSONRPCMessage } from "@modelcontextprotocol/sdk/types.js";
 
 export interface RemoteConnectRequest {
   /** MCP server config (stdio, sse, or streamable-http) */
   config: MCPServerConfig;
+  /**
+   * Optional per-server runtime settings (headers, etc.). When supplied the
+   * backend sources transport-level headers from settings.headers rather than
+   * from the legacy `config.headers` field (which has been removed).
+   */
+  settings?: InspectorServerSettings;
   /** Optional OAuth tokens for Bearer authentication (for HTTP transports) */
   oauthTokens?: {
     access_token: string;
diff --git a/core/mcp/serverList.ts b/core/mcp/serverList.ts
index afd162d75..84f893691 100644
--- a/core/mcp/serverList.ts
+++ b/core/mcp/serverList.ts
@@ -10,6 +10,7 @@ import type {
   MCPServerConfig,
   ServerEntry,
   ServerType,
+  StoredMCPServer,
 } from "./types.js";
 
 // The full set of valid `type` discriminator values, used to reject anything
@@ -52,28 +53,39 @@ export function normalizeServerType(
 /**
  * Convert the on-disk `MCPConfig` into the `ServerEntry[]` the Servers screen
  * consumes. Map key becomes both `id` and `name`. Connection state initializes
- * to `disconnected` — the React layer drives it from there.
+ * to `disconnected` — the React layer drives it from there. The optional
+ * `settings` node is lifted from the stored entry into `ServerEntry.settings`
+ * so the rest of the app sees `config` as the pure SDK shape.
  */
 export function mcpConfigToServerEntries(config: MCPConfig): ServerEntry[] {
-  return Object.entries(config.mcpServers).map(([id, raw]) => ({
-    id,
-    name: id,
-    config: normalizeServerType(
-      raw as unknown as Record<string, unknown> & { type?: string },
-    ),
-    connection: { status: "disconnected" },
-  }));
+  return Object.entries(config.mcpServers).map(([id, raw]) => {
+    const { settings, ...rest } = raw as StoredMCPServer;
+    const normalizedConfig = normalizeServerType(
+      rest as unknown as Record<string, unknown> & { type?: string },
+    );
+    const entry: ServerEntry = {
+      id,
+      name: id,
+      config: normalizedConfig,
+      connection: { status: "disconnected" },
+    };
+    if (settings !== undefined) entry.settings = settings;
+    return entry;
+  });
 }
 
 /**
  * Convert `ServerEntry[]` back into `MCPConfig` for serialization. Strips
- * runtime-only fields (connection, info, name) — only id and config make it
- * to disk so the file stays a clean canonical `mcp.json`.
+ * runtime-only fields (connection, info, name); persists `config` and the
+ * optional `settings` node so the file remains a clean canonical `mcp.json`
+ * plus the Inspector-specific extension.
  */
 export function serverEntriesToMcpConfig(entries: ServerEntry[]): MCPConfig {
-  const mcpServers: Record<string, MCPServerConfig> = {};
+  const mcpServers: Record<string, StoredMCPServer> = {};
   for (const entry of entries) {
-    mcpServers[entry.id] = entry.config;
+    const stored: StoredMCPServer = { ...entry.config } as StoredMCPServer;
+    if (entry.settings !== undefined) stored.settings = entry.settings;
+    mcpServers[entry.id] = stored;
   }
   return { mcpServers };
 }
diff --git a/core/mcp/state/messageLogState.ts b/core/mcp/state/messageLogState.ts
index a60e05af9..28a5d366e 100644
--- a/core/mcp/state/messageLogState.ts
+++ b/core/mcp/state/messageLogState.ts
@@ -2,8 +2,13 @@
  * MessageLogState: holds the message log, subscribes to the protocol "message"
  * event. Protocol emits per-entry; this manager owns the list and emits both
  * `message` (single entry) and `messagesChange` (full list) on append/update,
- * and `messagesChange` on clear. Clears on connect (new session) and on
- * disconnect.
+ * and `messagesChange` on clear. Clears on disconnect — the disconnect handler
+ * is the canonical session boundary. We do NOT clear on the subsequent
+ * `connect` event because state managers (Tools/Prompts/Resources/Templates)
+ * fire their initial list requests *synchronously* inside their own connect
+ * listeners; clearing here too would wipe `pendingRequestEntries` after those
+ * requests were tracked but before their responses came back, leaving the
+ * history with unmatched responses.
  *
  * Ported from v1.5/main. v2 substitutes `InspectorClientProtocol` for the
  * concrete `InspectorClient` since the runtime class is not yet ported.
@@ -99,19 +104,12 @@ export class MessageLogState extends TypedEventTarget<MessageLogStateEventMap> {
         this.dispatchTypedEvent("messagesChange", []);
       }
     };
-    const onConnect = (): void => {
-      this.messages = [];
-      this.pendingRequestEntries.clear();
-      this.dispatchTypedEvent("messagesChange", []);
-    };
     this.client.addEventListener("message", onMessage);
     this.client.addEventListener("statusChange", onStatusChange);
-    this.client.addEventListener("connect", onConnect);
     this.unsubscribe = () => {
       if (this.client) {
         this.client.removeEventListener("message", onMessage);
         this.client.removeEventListener("statusChange", onStatusChange);
-        this.client.removeEventListener("connect", onConnect);
       }
       this.client = null;
     };
diff --git a/core/mcp/types.ts b/core/mcp/types.ts
index c0d3f1bd1..445dbd6da 100644
--- a/core/mcp/types.ts
+++ b/core/mcp/types.ts
@@ -45,7 +45,6 @@ export interface StdioServerConfig {
 export interface SseServerConfig {
   type: "sse";
   url: string;
-  headers?: Record<string, string>;
   eventSourceInit?: Record<string, unknown>;
   requestInit?: Record<string, unknown>;
 }
@@ -54,7 +53,6 @@ export interface SseServerConfig {
 export interface StreamableHttpServerConfig {
   type: "streamable-http";
   url: string;
-  headers?: Record<string, string>;
   requestInit?: Record<string, unknown>;
 }
 
@@ -65,8 +63,17 @@ export type MCPServerConfig =
 
 export type ServerType = "stdio" | "sse" | "streamable-http";
 
+/**
+ * On-disk shape for a single `mcp.json` server entry. The base is the
+ * SDK-compatible `MCPServerConfig`; the optional `settings` node is an
+ * Inspector-specific extension that other MCP tools simply ignore.
+ */
+export type StoredMCPServer = MCPServerConfig & {
+  settings?: InspectorServerSettings;
+};
+
 export interface MCPConfig {
-  mcpServers: Record<string, MCPServerConfig>;
+  mcpServers: Record<string, StoredMCPServer>;
 }
 
 export type ConnectionStatus =
@@ -91,6 +98,13 @@ export interface ServerEntry {
   /** Display label shown in the card header. May or may not equal id. */
   name: string;
   config: MCPServerConfig;
+  /**
+   * Optional per-server runtime settings (headers, metadata, timeouts, OAuth
+   * credentials). Lives alongside `config` on disk under the `settings` key.
+   * Edited via ServerSettingsForm; consumed by the transport / InspectorClient
+   * at connect time.
+   */
+  settings?: InspectorServerSettings;
   info?: Implementation;
   connection: ConnectionState;
 }
@@ -339,6 +353,13 @@ export interface CreateTransportOptions {
    * When set, the SDK injects tokens and handles 401 via the provider.
    */
   authProvider?: OAuthClientProvider;
+
+  /**
+   * Optional per-server runtime settings. Currently used to source custom
+   * HTTP headers (settings.headers) for SSE / streamable-http transports.
+   * Stdio ignores this — headers are not applicable.
+   */
+  settings?: InspectorServerSettings;
 }
 
 export interface CreateTransportResult {
@@ -495,6 +516,23 @@ export interface InspectorClientOptions {
    */
   timeout?: number;
 
+  /**
+   * Default `_meta` payload merged into every outgoing request the client
+   * issues (tools/list, tools/call, prompts/get, resources/read, etc.). Call-
+   * site metadata wins on key collision. Set this from `InspectorServerSettings.metadata`
+   * so persisted server-wide metadata reaches the wire on the first request.
+   */
+  defaultMetadata?: Record<string, string>;
+
+  /**
+   * Optional per-server runtime settings forwarded to the transport factory
+   * (for HTTP transports, settings.headers becomes the wire headers). The
+   * other fields on `InspectorServerSettings` are unpacked by the caller
+   * into `timeout`, `defaultMetadata`, and `oauth` on this options object —
+   * `serverSettings` itself is only consumed by the transport.
+   */
+  serverSettings?: InspectorServerSettings;
+
   /**
    * OAuth configuration (client credentials, scope, etc.)
    * Note: OAuth environment components (storage, navigation, redirectUrlProvider)
diff --git a/core/react/useServers.ts b/core/react/useServers.ts
index f2bee4c70..c44124730 100644
--- a/core/react/useServers.ts
+++ b/core/react/useServers.ts
@@ -8,6 +8,7 @@
 import { useCallback, useEffect, useState } from "react";
 import { mcpConfigToServerEntries } from "../mcp/serverList.js";
 import type {
+  InspectorServerSettings,
   MCPConfig,
   MCPServerConfig,
   ServerEntry,
@@ -33,6 +34,15 @@ export interface UseServersResult {
     newId: string,
     config: MCPServerConfig,
   ) => Promise<void>;
+  /**
+   * Patch only the `settings` node on an existing server entry, leaving the
+   * transport config and id untouched. Routes through `PUT /api/servers/:id`
+   * with the current `config` plus the new settings.
+   */
+  updateServerSettings: (
+    id: string,
+    settings: InspectorServerSettings,
+  ) => Promise<void>;
   removeServer: (id: string) => Promise<void>;
 }
 
@@ -111,6 +121,11 @@ export function useServers(opts: UseServersOptions): UseServersResult {
       newId: string,
       config: MCPServerConfig,
     ): Promise<void> => {
+      // `settings` is intentionally omitted from the body. The backend route
+      // treats omission as "preserve the existing settings node on disk", so
+      // a config-only save (e.g. ServerConfigModal) cannot silently wipe
+      // persisted headers / metadata / OAuth credentials. To explicitly
+      // clear settings, send `settings: null`.
       const res = await doFetch(
         `${base}/api/servers/${encodeURIComponent(originalId)}`,
         {
@@ -127,6 +142,31 @@ export function useServers(opts: UseServersOptions): UseServersResult {
     [base, authToken, doFetch, refresh],
   );
 
+  const updateServerSettings = useCallback(
+    async (id: string, settings: InspectorServerSettings): Promise<void> => {
+      // Settings-only PUT — we deliberately omit `config` so the route
+      // preserves the on-disk transport config inside its write lock.
+      // Reading `existing.config` from in-memory `servers` here would pin a
+      // stale snapshot at scheduling time and could silently revert a
+      // separate concurrent edit (e.g. a future file-watcher refreshing
+      // `servers` between debounce schedule and flush). The server is the
+      // single source of truth for config.
+      const res = await doFetch(
+        `${base}/api/servers/${encodeURIComponent(id)}`,
+        {
+          method: "PUT",
+          headers: buildHeaders(authToken, true),
+          body: JSON.stringify({ id, settings }),
+        },
+      );
+      if (!res.ok) {
+        throw new Error(await readErrorMessage(res));
+      }
+      await refresh();
+    },
+    [base, authToken, doFetch, refresh],
+  );
+
   const removeServer = useCallback(
     async (id: string): Promise<void> => {
       const res = await doFetch(
@@ -151,6 +191,7 @@ export function useServers(opts: UseServersOptions): UseServersResult {
     refresh,
     addServer,
     updateServer,
+    updateServerSettings,
     removeServer,
   };
 }
diff --git a/specification/v2_servers_file.md b/specification/v2_servers_file.md
index 1ecd818c6..324da3442 100644
--- a/specification/v2_servers_file.md
+++ b/specification/v2_servers_file.md
@@ -7,7 +7,7 @@
 
 ## Summary
 
-Replaces the hardcoded `SEED_SERVERS` in `clients/web/src/App.tsx:47` with a file-backed list at `~/.mcp-inspector/mcp.json`, read at startup, mutated via REST endpoints, surfaced through a `useServers` hook.
+Replaces the hardcoded `SEED_SERVERS` in `clients/web/src/App.tsx:47` with a file-backed list at `~/.mcp-inspector/mcp.json`, read at startup, mutated via REST endpoints, surfaced through a `useServers` hook. The file also stores the per-server **settings** (custom headers, request metadata, timeouts, pre-configured OAuth credentials) edited by `ServerSettingsForm` — see [Per-server settings](#per-server-settings-1352) below for the on-disk shape, UI rationale, and write/read invariants.
 
 ## Goals
 
@@ -44,6 +44,22 @@ Replaces the hardcoded `SEED_SERVERS` in `clients/web/src/App.tsx:47` with a fil
       "type": "stdio",
       "command": "npx",
       "args": ["-y", "@modelcontextprotocol/server-everything"]
+    },
+    "acme-api": {
+      "type": "streamable-http",
+      "url": "https://api.acme.example/mcp",
+      // Optional Inspector-specific extension. Other MCP tools
+      // (Claude Desktop, Cursor, Cline) ignore unknown keys. See
+      // [Per-server settings](#per-server-settings-1352) for the
+      // full contract.
+      "settings": {
+        "headers":  [{ "key": "X-Tenant", "value": "acme" }],
+        "metadata": [{ "key": "trace",    "value": "abc" }],
+        "connectionTimeout": 30000,
+        "requestTimeout":    60000,
+        "oauthClientId":     "client-abc",
+        "oauthScopes":       "read:tools write:tools"
+      }
     }
   }
 }
@@ -52,7 +68,8 @@ Replaces the hardcoded `SEED_SERVERS` in `clients/web/src/App.tsx:47` with a fil
 - Matches `MCPConfig` in `core/mcp/types.ts:68`.
 - `type` omitted → normalized to `"stdio"`; `type: "http"` → `"streamable-http"` (`normalizeServerType` in `core/mcp/node/config.ts:81`).
 - The map key is the **server `id`**. `ServerEntry.id` already documents itself this way (`core/mcp/types.ts:89`: "The MCPConfig.mcpServers map key").
-- Display name: derived from the map key. The Inspector adds **no extension fields** to keep `mcp.json` clean and tool-interoperable. The edit dialog therefore treats id and display name as the same field; renaming = key-rotate + carry config across.
+- Display name: derived from the map key. The edit dialog treats id and display name as the same field; renaming = key-rotate + carry config across.
+- Each entry may optionally carry a `settings` node alongside the transport keys (`headers`, `metadata`, timeouts, OAuth credentials — see [Per-server settings](#per-server-settings-1352) below). It is an Inspector-specific extension; other MCP tools (Claude Desktop, Cursor, Cline) treat it as an unknown key and ignore it.
 
 ## First-run behavior
 
@@ -185,10 +202,56 @@ Per `AGENTS.md`'s "test new or modified code" rule plus the UI-changes guidance:
 - **Schema drift with Claude Desktop / Cursor.** They occasionally add fields (e.g. Claude Desktop's `disabled`). `loadMcpServersConfig` currently does `JSON.parse(...) as MCPConfig` — extra fields survive the round-trip as long as we don't filter them. The converters in `serverList.ts` should preserve unknown fields on `MCPServerConfig` rather than copying a fixed allow-list.
 - **Migration from `SEED_SERVERS`.** Existing dev users have no file. First boot writes one — they won't notice. No code path persists the in-memory `useState` list today, so nothing to migrate.
 
+## Per-server settings (#1352)
+
+Our new UI design separates the basic server configuration (transport, URL or command + args + env) from settings (custom headers, connect/request timeout, global request metadata, client id/secret) into two dialogs. The latter is stored in an optional `settings` node of the server config. The reason they're separated in the UI is that custom settings are less likely to be needed than basic config, so a simpler, friendlier form greets most users.
+
+Each server entry may carry an optional `settings` node alongside the transport config:
+
+```jsonc
+{
+  "mcpServers": {
+    "my-server": {
+      "type": "streamable-http",
+      "url": "https://example.com/mcp",
+      "settings": {
+        "headers":  [{ "key": "Authorization", "value": "Bearer xxx" }],
+        "metadata": [{ "key": "tenant",        "value": "acme" }],
+        "connectionTimeout": 30000,
+        "requestTimeout":    60000,
+        "oauthClientId":     "...",
+        "oauthClientSecret": "...",
+        "oauthScopes":       "read:tools write:tools"
+      }
+    }
+  }
+}
+```
+
+- **Shape**: `InspectorServerSettings` in `core/mcp/types.ts`. The `settings` field on `StoredMCPServer` (also in `types.ts`) is the on-disk extension; other MCP tools (Claude Desktop, Cursor, Cline) ignore unknown fields.
+- **Where it takes effect**:
+  - `settings.headers` → wire headers on every SSE / streamable-http request (`core/mcp/node/transport.ts`).
+  - `settings.metadata` → default `_meta` payload merged into every outgoing MCP request (`core/mcp/inspectorClient.ts`'s `mergeMeta` helper). Per-call metadata wins on key collision.
+  - `settings.requestTimeout` → `InspectorClientOptions.timeout`.
+  - `settings.connectionTimeout` → `Promise.race` wrapper around `InspectorClient.connect()` in the web client.
+  - `settings.oauthClientId` / `oauthClientSecret` / `oauthScopes` → pre-seeded OAuth client credentials via `InspectorClientOptions.oauth`.
+- **First-connect contract**: settings apply on the *first* outbound request after the entry loads from disk — no need to open the settings form. The browser sends `settings` to the backend in the `/api/mcp/connect` body; the backend reads it from `RemoteConnectRequest` and threads it into `createTransportNode`.
+- **Secret storage**: `oauthClientSecret` is persisted in `mcp.json` alongside stdio `env` values, both protected by the file's `0o600` permission. OS-keychain integration is tracked separately in #1356 — when that lands, the secret will be lifted out of the file and replaced with a keychain reference.
+- **Removed**: `MCPServerConfig.headers` (previously on `SseServerConfig` / `StreamableHttpServerConfig`) has been deleted. The headers textarea in `ServerConfigModal` is gone; HTTP headers are entered only in `ServerSettingsForm`. v2 has not shipped a stable release with the old shape, so no on-read migration is included.
+- **UI**: `ServerSettingsModal` is opened from the server card's settings affordance. Saving routes through `useServers.updateServerSettings(id, settings)` which issues a settings-only `PUT /api/servers/:id` with `{ id, settings }` — the route preserves the on-disk transport config inside its write lock. Conversely, `useServers.updateServer` (driven by the basic-config modal) issues a config-only PUT with `{ id, config }` and the route preserves the on-disk settings node. Edits in either modal cannot silently wipe the other half.
+- **Save cadence**: the form fires `onSettingsChange` on every keystroke. `App.tsx` debounces 300 ms and flushes on modal close so a burst of edits coalesces into a single PUT. If the close-flush PUT fails (network hiccup, server 500), a red `@mantine/notifications` toast surfaces the failure — the modal has already closed so a silent failure would leave the user thinking the last edits saved.
+- **`PUT /api/servers/:id` patch semantics**: both `config` and `settings` are independent patches.
+  - Field omitted → preserve the on-disk value.
+  - Explicit `null` on `settings` → clear the settings node. (`config` may not be `null`; a body that wants to update only settings should omit `config` entirely.)
+  - Field present and well-formed → validate and apply.
+  - A bare `PUT { id: "renamed" }` is a pure rename preserving both halves.
+- **Write-path gates**: `validateSettings` rejects malformed shapes (non-object, wrong-typed `headers` / `metadata`, non-numeric timeouts) with `400` + descriptive message and picks-and-builds the validated value so unknown stowaway keys silently drop. `buildStoredEntry` strips any `settings` key nested inside the incoming `config` (and logs a `warn` with the server id) so `validateSettings` remains the only path settings reach disk on the write side.
+- **Read-path gates**: `normalizeMcpServers` re-runs `validateSettings` on the on-disk settings node when loading; a malformed hand-edited `settings` node is silently dropped (lenient-on-read pattern matching `normalizeServerType`'s unknown→stdio fallback). A subsequent preserve-on-PUT cannot propagate the broken node, and `mcp.json` files written by future versions with unknown stowaway keys won't poison the in-memory shape.
+
 ## Out of scope (follow-ups)
 
 - Import-from-Claude-Desktop button (read `~/Library/Application Support/Claude/claude_desktop_config.json` or the Windows/Linux equivalent, merge into our file).
 - File watching for hot reload of external edits.
 - Per-server tags / folders / groups.
 - Export current list as JSON.
-- CLI/TUI: switch their default `--config` to `getDefaultMcpConfigPath()` when no `--config` flag is given. Touch when those clients are wired up to v2.
+- CLI/TUI: switch their default `--config` to `getDefaultMcpConfigPath()` when no `--config` flag is given. Touch when those clients are wired up to v2. While porting, re-add a `--header` flag that writes to `settings.headers` rather than to `MCPServerConfig`.