Skip to content

Allow CLI server profiles to send env-backed HTTP headers for Cloudflare Access #1322

Description

@ramarivera

Cloudflare is one of Executor's documented self-host/deployment paths, and the Cloudflare host docs already cover Access-gated /mcp usage with service-token headers for headless clients.

That works for direct MCP clients, but the executor CLI cannot currently use the same Access-protected instance because commands like:

executor login --base-url https://executor.example.com

must first call /api/auth/cli-login, and there does not appear to be a way for the CLI/server profile to attach required Cloudflare Access headers:

  • CF-Access-Client-Id
  • CF-Access-Client-Secret

This means a Cloudflare Access-protected self-hosted Executor can be used by MCP clients that support custom headers, but not cleanly by the Executor CLI itself.

Requested shape:

  • Let executor server add / server profiles define HTTP headers.
  • Prefer env-backed values, not plaintext persistence, for example:
    • CF-Access-Client-Id=$EXECUTOR_CF_ACCESS_CLIENT_ID
    • CF-Access-Client-Secret=$EXECUTOR_CF_ACCESS_CLIENT_SECRET
  • Apply those headers consistently to CLI discovery/login and later API calls:
    • /api/auth/cli-login
    • whoami
    • call
    • generate
    • other remote server commands

This would make the blessed Cloudflare path usable end-to-end from both MCP clients and the official CLI, without requiring users to weaken Access or run a local header-injecting proxy.

🤖 This content was generated with AI assistance using gpt-5.5.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions