From 51af0c4edd6b15ada64964331bf92daa9b3f9032 Mon Sep 17 00:00:00 2001 From: Arya Rizky Date: Wed, 13 May 2026 15:34:57 +0700 Subject: [PATCH] docs(plugin-mcp): clarify Bearer-only auth on /api/mcp endpoint Unlike other Payload API-key-based endpoints that accept the API-Key convention, the MCP endpoint only supports Authorization: Bearer . Add Banner clarifying this. Fixes #16572 --- docs/plugins/mcp.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/plugins/mcp.mdx b/docs/plugins/mcp.mdx index 7fd5080c44a..a1f9f2e9e66 100644 --- a/docs/plugins/mcp.mdx +++ b/docs/plugins/mcp.mdx @@ -150,7 +150,17 @@ toggle the individual capabilities on for each collection, global, tool, prompt, resource you want that key to be able to use. All MCP requests must include a valid API key as a Bearer token — requests without -one are rejected immediately. Here is a complete example of an MCP `tools/list` request +one are rejected immediately. + + + Unlike other Payload API-key-based endpoints that accept the + ` API-Key ` convention, the MCP endpoint + **only** supports `Authorization: Bearer `. Using + `payload-mcp-api-keys API-Key ` or any other auth scheme will + be rejected. + + +Here is a complete example of an MCP `tools/list` request showing the correct headers: ```bash