From d8864cb74c2553553b83894b22bb6905a7889bd2 Mon Sep 17 00:00:00 2001 From: Simon Strandgaard Date: Sat, 28 Feb 2026 23:28:16 +0100 Subject: [PATCH] Fix Smithery 502: preserve query params in redirect and accept API key from query string Smithery passes the API key as ?X-API-Key=... query parameter and does not follow 307 redirects for authenticated POST requests. Two fixes: - Redirect handler now forwards query string from /mcp to /mcp/ - _extract_api_key() now checks query params as fallback after headers Co-Authored-By: Claude Opus 4.6 --- mcp_cloud/http_server.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/mcp_cloud/http_server.py b/mcp_cloud/http_server.py index 99a4eac0..c22fe0f7 100644 --- a/mcp_cloud/http_server.py +++ b/mcp_cloud/http_server.py @@ -394,6 +394,12 @@ def _extract_api_key(request: Request) -> Optional[str]: if value: return value + # Fall back to query parameter (e.g. Smithery passes ?X-API-Key=...). + for param_name in ("X-API-Key", "api_key", "api-key"): + value = _normalize_api_key_value(request.query_params.get(param_name)) + if value: + return value + return None @@ -919,9 +925,11 @@ async def head_mcp_trailing_slash() -> Response: @app.api_route("/mcp", methods=["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"]) -async def redirect_mcp_no_trailing_slash() -> RedirectResponse: +async def redirect_mcp_no_trailing_slash(request: Request) -> RedirectResponse: """Normalize '/mcp' to '/mcp/' so streamable HTTP requests avoid 405 mismatches.""" - return RedirectResponse(url="/mcp/", status_code=307) + qs = request.url.query + target = f"/mcp/?{qs}" if qs else "/mcp/" + return RedirectResponse(url=target, status_code=307) @app.post("/mcp/tools/call", response_model=MCPToolCallResponse)