Document header injection for remote MCP servers (#473)

jhrozek · web-flow · commit 41a54c82b207 · 2026-01-28T23:30:27.000+01:00
* Document header injection for remote MCP servers

Add "Inject custom headers" section to the remote server configuration
guide covering the new --remote-forward-headers and
--remote-forward-headers-secret flags.

* Remove tip about thv proxy command

The thv proxy command lacks narrative documentation explaining when
to use it vs thv run, so referencing it here would confuse readers.
diff --git a/docs/toolhive/guides-cli/run-mcp-servers.mdx b/docs/toolhive/guides-cli/run-mcp-servers.mdx
@@ -769,6 +769,56 @@ thv run https://api.example.com/mcp \
   --remote-auth-skip-browser
 ```
 
+#### Inject custom headers
+
+Some remote MCP servers require custom headers for tenant identification, API
+keys, or other purposes. ToolHive can inject headers into every request
+forwarded to the remote server.
+
+To add plaintext headers, use the `--remote-forward-headers` flag:
+
+```bash
+thv run https://api.example.com/mcp \
+  --name my-server \
+  --remote-forward-headers "X-Tenant-ID=tenant123" \
+  --remote-forward-headers "X-Custom-Header=value"
+```
+
+For sensitive values like API keys, use the `--remote-forward-headers-secret`
+flag to reference values stored in ToolHive's secrets manager:
+
+```bash
+# First, store the secret (enter the value when prompted)
+thv secret set my-api-key
+
+# Then reference it by name
+thv run https://api.example.com/mcp \
+  --name my-server \
+  --remote-forward-headers-secret "X-Api-Key=my-api-key"
+```
+
+You can combine plaintext and secret-backed headers in a single command:
+
+```bash
+thv run https://api.example.com/mcp \
+  --name my-server \
+  --remote-forward-headers "X-Tenant-ID=tenant123" \
+  --remote-forward-headers-secret "X-Api-Key=my-api-key"
+```
+
+:::warning[Security considerations]
+
+- Plaintext header values are stored in the server's configuration file. For
+  sensitive values (API keys, tokens), always use
+  `--remote-forward-headers-secret`.
+- Secret-backed header values are resolved at runtime and never stored in
+  configuration files.
+- Certain headers cannot be configured for security reasons, including `Host`,
+  `Connection`, `Transfer-Encoding`, and proxy-related headers like
+  `X-Forwarded-For`.
+
+:::
+
 ### Remote server management
 
 Remote MCP servers are managed like any other ToolHive workload:
