fix: case-insensitive Bearer token parsing in auth header #1

Closed
williams wants to merge 1 commits from fix/case-insensitive-bearer-auth into master
Owner

Problem

The MCP authentication header only matches uppercase Bearer. Some HTTP clients (e.g. certain Go libraries, Python urllib with certain helpers, misconfigured proxies) send authorization: bearer <token> (lowercase). This causes a 401 rejection even though the token is valid.

Fix

Changed the regex from ^Bearer to ^[Bb]earer to accept both Bearer and bearer as valid auth schemes.

This was tested locally on the hertz production server — all four header case combinations (authorization/Authorization × Bearer/bearer) now return HTTP 200.

Closes #21
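An added example, not code from this pull request or the lmcp project: HTTP defines authentication scheme names as case-insensitive, so this Python sketch goes beyond the two casings that `^[Bb]earer` accepts. It also checks the token against the RFC 6750 `b64token` syntax and compares it in constant time. The function names, the header-list shape and the sample token are assumptions made for illustration.

```python
import hmac
import re

# Prefix pattern quoted in the PR description: matches only "Bearer" and "bearer".
PR_PATTERN = re.compile(r"^[Bb]earer")

# Scheme matched case-insensitively, then 1+ spaces, then an RFC 6750 b64token.
BEARER_RE = re.compile(r"(?i:bearer) +([A-Za-z0-9\-._~+/]+=*)")


def extract_bearer_token(header_value):
    """Return the token from an Authorization header value, or None."""
    if header_value is None:
        return None
    # fullmatch anchors both ends, so trailing junk or a second token is rejected.
    match = BEARER_RE.fullmatch(header_value.strip(" \t"))
    return match.group(1) if match else None


def is_authorized(headers, expected_token):
    """headers: list of (name, value) pairs as received (assumed shape)."""
    # Header field names are case-insensitive as well.
    values = [v for name, v in headers if name.lower() == "authorization"]
    if len(values) != 1:
        return False  # missing or duplicated Authorization header
    token = extract_bearer_token(values[0])
    if token is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(token.encode(), expected_token.encode())


if __name__ == "__main__":
    expected = "constructed-sample-token"  # constructed value, not a real secret
    for scheme in ("Bearer", "bearer", "BEARER", "bEaReR"):
        value = f"{scheme} {expected}"
        print(scheme,
              bool(PR_PATTERN.match(value)),
              is_authorized([("authorization", value)], expected))
```

Running it prints one line per scheme casing, showing which ones the two-casing prefix pattern matches and which ones the fully case-insensitive parser authorizes.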

williams added 1 commit 2026-05-30 12:55:24 +00:00
williams closed this pull request 2026-05-30 14:56:08 +00:00
williams deleted branch fix/case-insensitive-bearer-auth 2026-05-30 14:56:08 +00:00

Pull request closed


Reference: williams/lmcp#1