Misc. bug: WebUI CORS proxy requests don't include API key for MCP connections #21167

@hmblair

Name and Version

$ llama-server --version
version: 8577 (2405d59cb)
built with GNU 13.3.0 for Linux x86_64

Operating systems

Linux

Which llama.cpp modules do you know to be affected?

llama-server

Command line

llama-server --metrics -np 1 --jinja --cache-prompt --host 127.0.0.1 --offline -ctk q8_0 -ctv q8_0 -c 0 --webui-mcp-proxy --port 11435 --api-key-file /path/to/api.key --models-max 2

Problem description & steps to reproduce

When llama-server is started with both --api-key-file and --webui-mcp-proxy, the /cors-proxy endpoint is subject to the global API key validation middleware. The web UI does not automatically include the API key in its requests to /cors-proxy, so MCP server connections fail with 401.

Steps to reproduce:

  1. Start llama-server with --api-key-file <file> --webui-mcp-proxy
  2. Authenticate with the web UI using the API key
  3. Add an MCP server (e.g. http://127.0.0.1:8581/mcp) with "Use Proxy" enabled
  4. Attempt to connect — connection fails with:
    Streamable HTTP error: Error POSTing to endpoint: {"error":{"message":"Invalid API Key","type":"authentication_error","code":401}}

Expected behavior: The web UI already has the API key (the user authenticated to use the UI), so CORS proxy requests should automatically include it.

Workaround: Manually add Authorization: Bearer <api-key> as a custom header on each MCP server entry.

First Bad Commit

No response

Relevant log output

Connection failed: NetworkError when attempting to fetch resource.
Streamable HTTP error: Error POSTing to endpoint: {"error":{"message":"Invalid API Key","type":"authentication_error","code":401}}
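
The expected behaviour described in the issue, sketched as an added example (not code from llama.cpp or from the issue author): a fetch wrapper that attaches the stored key only to same-origin /cors-proxy requests and leaves a manually set Authorization header in place. The function name, its parameters and the way the key reaches it are assumptions; only the /cors-proxy path, the port and the MCP URL come from the issue.

```javascript
// Added example, not the web UI's own code. PROXY_PATH is the endpoint named
// in the issue; withProxyAuth and its parameters are hypothetical.
const PROXY_PATH = '/cors-proxy';

// Returns the resolved URL and a fetch init whose headers carry the API key
// only when the request goes to the UI's own origin on the proxy path.
function withProxyAuth(requestUrl, init, apiKey, uiOrigin) {
  const url = new URL(requestUrl, uiOrigin);
  const headers = new Headers(init && init.headers);

  // Scope the credential: never send the server key to another origin,
  // and never to the MCP server when "Use Proxy" is off.
  const sameOrigin = url.origin === new URL(uiOrigin).origin;
  const isProxy = sameOrigin && url.pathname === PROXY_PATH;

  // Keep a header the user configured per MCP entry (the issue's workaround).
  if (isProxy && apiKey && !headers.has('Authorization')) {
    headers.set('Authorization', `Bearer ${apiKey}`);
  }
  return { url: url.toString(), init: { ...init, headers } };
}

// Constructed sample values: origin from the issue's --host/--port,
// MCP URL from its reproduction steps, key is a placeholder.
const UI_ORIGIN = 'http://127.0.0.1:11435';
const SAMPLE_KEY = 'PLACEHOLDER-KEY';

const viaProxy = withProxyAuth(PROXY_PATH, { method: 'POST' }, SAMPLE_KEY, UI_ORIGIN);
const direct = withProxyAuth('http://127.0.0.1:8581/mcp', { method: 'POST' }, SAMPLE_KEY, UI_ORIGIN);

console.log('proxy :', viaProxy.init.headers.get('Authorization'));
console.log('direct:', direct.init.headers.get('Authorization'));
```
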
