Write tools & Bearer
Catalog entries with "safety": "write" (or any non-read safety) require NENE_MCP_BEARER_TOKEN in the MCP server environment.
Fail-closed default
Without Bearer, tools/call returns a JSON-RPC error and does not send HTTP:

```text
Write tool "myTool" requires bearer authentication. Set NENE_MCP_BEARER_TOKEN in the MCP server environment.
```

This prevents silent anonymous writes when an operator forgets to configure auth.
Where to put the token
| OK | Not OK |
|---|---|
| MCP host env block (Cursor, Claude Desktop) | tools.json |
| OS environment for the MCP process | Git commits |
| Secret manager → env at runtime | nene_mcp_about output |
Obtaining a token
Use whatever your OpenAPI security scheme defines:
- Bearer / JWT APIs: issue or copy the token from your auth flow.
- NeNe sample TODO module: its OpenAPI uses sessionCookie, not Bearer; see NeNe catalog patterns (an authenticated TODO over MCP needs host-side Bearer support or a different API).
- Login tools marked write: nene-mcp requires the env Bearer even when the HTTP login route is public. On cookie-based hosts you may set a placeholder value; it only has to exist to pass the fail-closed check during bootstrap.
nene-mcp forwards the token as Authorization: Bearer … on HTTP calls when the env var is set.
Credentials in MCP arguments
Login or write tools that take passwords in tools/call arguments expose those values to MCP host logs and agent transcripts. Use dev-only accounts; never commit secrets to catalog JSON or git.
Read tools
"safety": "read" tools never fail closed in nene-mcp. If NENE_MCP_BEARER_TOKEN is set, the Bearer header is sent on their GET requests as well.
Bearer-protected GET: if the API returns 401 on a read tool, set NENE_MCP_BEARER_TOKEN anyway. nene-mcp will not fail closed before HTTP for a read tool, but the host API still enforces auth. See the Bearer-native bridge example.
Safety label vs HTTP method
nene-mcp fail-closes only when catalog safety is not read. It does not infer auth from OpenAPI — the label is operator-defined.
| Mistake | MCP behavior | Symptom |
|---|---|---|
| POST / PUT / PATCH / DELETE marked "safety": "read" but API requires Bearer | HTTP sent without env Bearer | HTTP 401, isError: true; no JSON-RPC fail-closed |
| Same route marked "safety": "write" | Blocked before HTTP without env Bearer | JSON-RPC error: requires bearer |
Rule: Match safety to how the API enforces auth, not to “read-only” business semantics. Mutating routes that require Bearer should use "safety": "write" (or set NENE_MCP_BEARER_TOKEN even when labeled read — same as protected GET).
Observed in FT262+ adversarial probes (F-7).
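The gating rules from the fail-closed section and the mistake table above, modeled as an added example. This is not nene-mcp's own code: the catalog-entry shape (name, method, path, safety) and the JSON-RPC error code are assumptions made for illustration; the decision rules and the error text are the ones this page states. The lint_catalog helper is an operator-side check suggested here, not something nene-mcp performs (it does not infer auth from OpenAPI or HTTP method).

```python
"""Model of the Bearer gate described on this page.

Added example, not nene-mcp's own code. The catalog-entry shape and the
JSON-RPC error code are assumptions; the gating rules and error text are
taken from the page.
"""
import os

ENV_VAR = "NENE_MCP_BEARER_TOKEN"
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def bearer_from_env(env=None):
    """Return the configured token, or None. An empty value counts as unset (assumption)."""
    env = os.environ if env is None else env
    return env.get(ENV_VAR) or None


def jsonrpc_error(req_id, message, code=-32000):
    # The error code is an assumption; the page only says "a JSON-RPC error".
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def plan_call(entry, req_id, env=None):
    """Decide what tools/call does for one catalog entry.

    Returns ("error", <JSON-RPC error>) when the call fails closed before any
    HTTP is sent, or ("http", <request>) with the request that would go out.
    """
    token = bearer_from_env(env)
    if entry["safety"] != "read" and token is None:
        # Any non-read label fails closed without a token, whatever the HTTP method.
        msg = (f'Write tool "{entry["name"]}" requires bearer authentication. '
               f"Set {ENV_VAR} in the MCP server environment.")
        return "error", jsonrpc_error(req_id, msg)

    headers = {}
    if token is not None:
        # Forwarded on every call once the env var is set, GETs included.
        headers["Authorization"] = f"Bearer {token}"
    return "http", {"method": entry["method"], "path": entry["path"], "headers": headers}


def lint_catalog(entries):
    """Operator-side check (not performed by nene-mcp): flag mutating routes
    labeled read. Such a route reaches the API unauthenticated and 401s instead
    of failing closed when the API requires Bearer."""
    return [
        f'{e["name"]}: {e["method"]} {e["path"]} is labeled "read"'
        for e in entries
        if e["safety"] == "read" and e["method"].upper() in MUTATING
    ]


# Constructed sample catalog: a correct write tool, a mislabeled mutating route, a read tool.
SAMPLE_CATALOG = [
    {"name": "createTodo", "method": "POST", "path": "/todos", "safety": "write"},
    {"name": "deleteTodo", "method": "DELETE", "path": "/todos/{id}", "safety": "read"},
    {"name": "listTodos", "method": "GET", "path": "/todos", "safety": "read"},
]


if __name__ == "__main__":
    for entry in SAMPLE_CATALOG:
        for env in ({}, {ENV_VAR: "dev-token"}):
            has_token = "yes" if env else "no"
            kind, out = plan_call(entry, 1, env)
            print(f"{entry['name']:<12} token={has_token:<3} -> {kind}: {out}")
    for finding in lint_catalog(SAMPLE_CATALOG):
        print("lint:", finding)
```

Running the script walks the sample catalog with and without a token: createTodo is blocked by a JSON-RPC error until the env var exists, deleteTodo (mislabeled read) is sent with no Authorization header, and listTodos picks up the header once the token is set, which is exactly the row-by-row behavior of the table above.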
Hosts that require session cookies on GET are not covered by Bearer alone — see NeNe catalog patterns.