Propagate Headers to Tool Servers

This guide shows you how to forward specific HTTP headers from incoming A2A requests to MCP tool servers, enabling per-tool authentication and authorization.

Prerequisites

Agent Runtime Operator installed — see Install the Agent Runtime Operator.
An existing Agent with at least one tool configured.

Header propagation is only supported for MCP tool servers (spec.tools), not for sub-agents.

Configure propagatedHeaders on a tool

Add propagatedHeaders to any tool entry under spec.tools. List the header names you want forwarded. Header matching is case-insensitive.

apiVersion: runtime.agentic-layer.ai/v1alpha1
kind: Agent
metadata:
  name: my-agent
spec:
  framework: google-adk
  tools:
    - name: github_api
      upstream:
        external:
          url: "https://github-mcp.example.com/mcp"
      propagatedHeaders:
        - Authorization      # Forward the Authorization header
        - X-GitHub-Token     # Forward a custom header

    - name: public_tool
      upstream:
        external:
          url: "https://public-mcp.example.com/mcp"
      # No propagatedHeaders — no headers forwarded to this server

  protocols:
    - type: A2A
  replicas: 1

When an A2A request arrives carrying an Authorization header, only the github_api tool server receives it. The public_tool server receives no additional headers.

Apply and verify

kubectl apply -f my-agent.yaml

# Check the Agent resource status
kubectl get agent my-agent

To confirm header forwarding at runtime, inspect your MCP server logs for the expected headers on incoming requests.

Propagate Headers to Tool Servers

Prerequisites

Configure propagatedHeaders on a tool

Apply and verify

Related