Auth Passthrough
Forward your agent's own credentials directly to an upstream MCP server so ShieldAgent never stores or proxies a shared secret.
What is auth passthrough?
By default ShieldAgent manages credentials centrally (None, Static header, or OAuth managed modes). Auth passthrough is an alternative: the agent sends its own Authorization header and the proxy forwards it verbatim to the upstream server. ShieldAgent still inspects and logs every call — it just does not inject its own credentials.
When to use it
Agent-scoped tokens
The upstream server issues per-agent tokens and you want each agent to authenticate independently.
Short-lived JWTs
The agent already manages token refresh; you do not want ShieldAgent to hold a copy.
Zero-trust architectures
Your policy requires no shared secrets at rest in any intermediary.
Enable auth passthrough
1. Go to MCP Servers → [your server] → Auth in the dashboard.
2. Set authentication mode to Auth passthrough.
3. Save. The proxy will now forward whatever Authorization header the agent sends.
4. Configure your agent to include its own token in requests to the proxy endpoint.
Visibility preserved
Auth passthrough does not reduce ShieldAgent's inspection scope. Every tool call is still scanned for prompt injection, DLP findings, and policy violations. The passthrough only affects credential management — not enforcement.
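The passthrough flow described above, as an added example that is not ShieldAgent's code: a loopback stand-in proxy forwards the agent's Authorization header verbatim to a stand-in upstream and still logs the call. The handler classes, the constructed token, the `tools/call` request body and the choice to log only a SHA-256 fingerprint of the credential are assumptions of this example.

```python
import hashlib, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN_BY_UPSTREAM = []  # Authorization values the stand-in upstream received
PROXY_LOG = []         # what the stand-in proxy records for each call
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def post(url, body, auth):
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": auth, "Content-Type": "application/json"})
    with OPENER.open(req) as resp:
        return resp.status, resp.read()

class Base(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet
    def read_call(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        return body, self.headers.get("Authorization", "")
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Upstream(Base):  # stand-in for the upstream MCP server (assumption)
    def do_POST(self):
        SEEN_BY_UPSTREAM.append(self.read_call()[1])
        self.reply(200, b'{"jsonrpc":"2.0","id":1,"result":{}}')

class Proxy(Base):  # stand-in for a proxy in passthrough mode (assumption)
    upstream_url = None  # set by demo()
    def do_POST(self):
        body, auth = self.read_call()
        # The call is still logged for inspection; the credential is recorded
        # only as a truncated SHA-256 fingerprint, never as the token itself.
        PROXY_LOG.append({"method": json.loads(body).get("method"),
                          "auth_fp": hashlib.sha256(auth.encode()).hexdigest()[:12]})
        self.reply(*post(self.upstream_url, body, auth))  # header forwarded verbatim

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick any free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/"

def demo(token="Bearer constructed-agent-token"):  # constructed sample token
    up, Proxy.upstream_url = serve(Upstream)
    px, px_url = serve(Proxy)
    call = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": {}}).encode()
    status, _ = post(px_url, call, token)  # the agent's request to the proxy endpoint
    up.shutdown(); px.shutdown()
    return status, SEEN_BY_UPSTREAM[-1], PROXY_LOG[-1]
```

`demo()` returns the HTTP status the agent saw, the Authorization value the upstream received, and the proxy's log entry for the call.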