When to Use
Your agent includes headers with context that the MCP server needs. Maybe a trace ID for distributed tracing. Maybe a tenant ID for multi-tenant servers. Maybe custom metadata your server expects. Without header forwarding, these headers stop at Portkey. With it, they pass through to the MCP server. Common scenarios:- Distributed tracing. Forward
x-request-id,x-trace-id,x-correlation-idto correlate logs across services. - Multi-tenancy. Forward
x-tenant-id,x-org-idfor tenant-scoped operations. - User context. Forward
x-user-id,x-user-rolefor upstream authorization. - Custom metadata. Forward application-specific headers your MCP server expects.
Configuration
Configureforward_headers when adding or editing an MCP server in the MCP Registry.
Shorthand (string array)
Forward only the headers you specify. No renaming support in this form:Allowlist mode
The same behavior with explicit configuration. Entries in theheaders array can be:
- A string — forwards the header as-is.
- An object
{ "from": "<client_header>", "to": "<upstream_header>" }— forwards the header with its name changed.
x-trace-id is forwarded as-is, x-tenant-id arrives at the upstream as X-Organization-Id, and x-env arrives as X-Deploy-Environment.
All-except mode
Forward everything except headers you exclude. String entries are excluded; object entries rename forwarded headers:host and connection are excluded. All other headers are forwarded. Additionally, x-tenant-id is renamed to X-Org-Id before reaching the upstream server.
Security
Protected Headers
These headers are never forwarded regardless of your configuration:
In
all-except mode, these are automatically added to the blocklist. You cannot override this behavior.
Header mapping validation
When using object entries for header renaming, both the source (from) and target (to) header names are validated against the protected headers blocklist. If either name is protected, the mapping is rejected and the header is not forwarded.
Header matching on the source name is case-insensitive.
Identity Headers Are Protected
If you use Identity Forwarding, identity headers are also protected:X-User-ClaimsX-User-JWT
Header Priority
When multiple sources provide headers, they merge in this order (later values override earlier ones):
Why this order matters:
- Authentication headers configured on the server cannot be overridden by agents
- Static passthrough headers take precedence over agent headers
- Identity headers always win—agents cannot spoof user identity
X-Custom: server-value (server config wins).
Agent Configuration
Include headers in your MCP client configuration:- Python
- TypeScript
Example: Distributed Tracing
You want to correlate MCP requests with your application’s traces. Server configuration:Example: Multi-Tenant Server
Your internal MCP server needs tenant context to scope data access. Server configuration:Example: Header renaming
Your agent sendsx-tenant-id but your upstream MCP server expects X-Organization-Id.
Server configuration:
x-tenant-id header is renamed to X-Organization-Id before reaching the upstream server.
Combining with Identity Forwarding
Header forwarding and identity forwarding serve different purposes:
Use both together:
x-request-idandx-trace-idfrom the agent (for tracing)X-User-Claimsfrom Portkey (for user identity)

