Spanly Docs
Gateway

Auth behind the gateway

How OAuth passthrough, static header injection, and gateway-managed client keys work.

OAuth passthrough

If your MCP server uses OAuth 2.1, it keeps working behind the gateway. The gateway forwards Authorization verbatim and rewrites your server's protected resource metadata so the client sees the gateway origin as the resource server.

One thing to check on your side: your server must accept the gateway origin as a valid resource and audience value. Set your server's canonical resource to the gateway URL. Audience checks must tolerate the trailing-slash variant of the resource URL, because clients send it both with and without the trailing slash.

Static header injection

If your upstream requires an internal secret (a shared key, a service token), add it under static headers on the Gateway tab. The gateway sets these headers on every request to your server, overriding anything the client sent, and they are never visible to your end users or stored in your captured telemetry.

Gateway-managed client keys

If your MCP server has no auth of its own, the gateway can add one. Switch the access mode to require a gateway client key, then create keys for the clients or teams that should have access. Each key is shown once.

Clients send the key as Authorization: Bearer spanlygw_.... The gateway validates it at the edge and strips it before the request reaches your server, so your server never sees the key. Revoking a key takes effect within about 30 seconds.

On this page