Feature Request: Add credentials: 'include' toggle to connection settings
Summary
Add a UI toggle (e.g., a checkbox in the connection settings panel) that sets credentials: 'include' on the fetch calls made by the Streamable HTTP (direct) transport. When enabled, the browser will automatically attach cookies stored for the target domain to every MCP request.
Problem
The browser treats Cookie as a forbidden header — JavaScript cannot set it manually. The only standards-compliant way to have the browser send cookies on a cross-origin request is to use credentials: 'include' in the fetch call.
The stock MCP Inspector does not set this option, so any MCP server that relies on cookie-based authentication or session routing (e.g., a server that reads a session cookie to resolve the correct backend environment) is unreachable from the inspector UI without a post-build patch to the browser bundle.
Workaround (current state)
Users and operators must patch the compiled browser bundle after installation to inject credentials: 'include' into the two fetch call sites used by the direct Streamable HTTP transport:
// Before patch
fetch(url2, {
...init,
headers: requestHeaders
});
// After patch
fetch(url2, {
...init,
credentials: "include",
headers: requestHeaders
});This is a fragile, build-time workaround that breaks whenever the inspector is updated, requires custom Docker image tooling to maintain, and is invisible to end users.
Proposed Solution
Add a "Send cookies (credentials: include)" checkbox to the connection settings UI, alongside existing transport options.
- Default: off (preserves current behaviour; no breaking change)
- When enabled: passes
credentials: 'include' in the fetch options for direct Streamable HTTP requests
- Scope: applies only to the direct transport; the proxy transport is unaffected (it forwards cookies server-side via its own mechanism)
Server-side requirements (informational)
For credentials: 'include' to work end-to-end, the target server must respond with:
Access-Control-Allow-Origin: <exact origin> — wildcards (*) cause credentials to be silently ignored by the browserAccess-Control-Allow-Credentials: true
Additionally, because the inspector and the MCP server run on different origins, any cookies the server expects to receive must be set with SameSite=None; Secure. Browsers silently block cross-site cookies that use the default SameSite=Lax (or Strict) policy, regardless of the credentials: 'include' setting.
These are server responsibilities, but a note in the UI tooltip or docs would help users diagnose misconfigured servers.
Why this belongs in the inspector
Cookie-based auth is a common, legitimate pattern for internal tools, dev environments, and enterprise MCP deployments. The Fetch API provides credentials: 'include' specifically for this use case, and the browser enforces it correctly when paired with proper CORS headers on the server. Exposing this as a UI option is a small, non-breaking change that eliminates the need for downstream consumers to patch the inspector bundle.
Acceptance Criteria
Feature Request: Add
credentials: 'include'toggle to connection settingsSummary
Add a UI toggle (e.g., a checkbox in the connection settings panel) that sets
credentials: 'include'on the fetch calls made by the Streamable HTTP (direct) transport. When enabled, the browser will automatically attach cookies stored for the target domain to every MCP request.Problem
The browser treats
Cookieas a forbidden header — JavaScript cannot set it manually. The only standards-compliant way to have the browser send cookies on a cross-origin request is to usecredentials: 'include'in thefetchcall.The stock MCP Inspector does not set this option, so any MCP server that relies on cookie-based authentication or session routing (e.g., a server that reads a session cookie to resolve the correct backend environment) is unreachable from the inspector UI without a post-build patch to the browser bundle.
Workaround (current state)
Users and operators must patch the compiled browser bundle after installation to inject
credentials: 'include'into the two fetch call sites used by the direct Streamable HTTP transport:This is a fragile, build-time workaround that breaks whenever the inspector is updated, requires custom Docker image tooling to maintain, and is invisible to end users.
Proposed Solution
Add a "Send cookies (credentials: include)" checkbox to the connection settings UI, alongside existing transport options.
credentials: 'include'in the fetch options for direct Streamable HTTP requestsServer-side requirements (informational)
For
credentials: 'include'to work end-to-end, the target server must respond with:Access-Control-Allow-Origin: <exact origin>— wildcards (*) cause credentials to be silently ignored by the browserAccess-Control-Allow-Credentials: trueAdditionally, because the inspector and the MCP server run on different origins, any cookies the server expects to receive must be set with
SameSite=None; Secure. Browsers silently block cross-site cookies that use the defaultSameSite=Lax(orStrict) policy, regardless of thecredentials: 'include'setting.These are server responsibilities, but a note in the UI tooltip or docs would help users diagnose misconfigured servers.
Why this belongs in the inspector
Cookie-based auth is a common, legitimate pattern for internal tools, dev environments, and enterprise MCP deployments. The Fetch API provides
credentials: 'include'specifically for this use case, and the browser enforces it correctly when paired with proper CORS headers on the server. Exposing this as a UI option is a small, non-breaking change that eliminates the need for downstream consumers to patch the inspector bundle.Acceptance Criteria
credentials: 'include'is passed to both direct-connection fetch call siteslocalStorage) consistent with how other connection settings are persistedAccess-Control-Allow-Credentials: trueand a non-wildcardAccess-Control-Allow-Origin