Feature Request: Support for Per-Run MCP Authentication Headers
Summary
We would like to request support for dynamically refreshing MCP (Model Context Protocol) authentication headers on a per-run basis, rather than binding them to the Agent or Thread level.
Context
We are the creators of issue #1477 and want to express our sincere gratitude for the team's timely resolution and release. However, while that fix addressed static authentication scenarios, it does not fully address our need for per-run authentication in scenarios where credentials expire during the agent's lifetime.
Use Case
Our application uses Azure AI Agents with MCP tool resources that require IAM-based authentication (Google Cloud Run with identity tokens). These tokens expire after 1 hour, which creates a challenge for long-lived agents:
- Current limitation: MCP headers are set at Agent or Thread creation time and cannot be refreshed
- Token expiration: IAM tokens expire after ~1 hour, causing MCP tool calls to fail in long-running sessions
Proposed Solution
We propose adding a new optional parameter to the agent.run() method (we suggest the name per_run_mcp_headers, though the team may prefer a different name) that would allow passing MCP authentication headers at runtime.
How it should work:
- Accept a dictionary mapping MCP server names to their authentication headers
- These runtime headers should override any headers defined at Agent/Thread creation time
- The parameter should be optional to maintain backward compatibility
- Headers should be applied only to the current run, not persisted to the Agent/Thread
Example usage:
    per_run_mcp_headers = {
        "my_mcp_server": {
            "Authorization": "Bearer <fresh-token>"
        }
    }
    response = agent.run(
        "What information do you have?",
        per_run_mcp_headers=per_run_mcp_headers
    )
This would allow applications to:
- Generate fresh IAM tokens before each run
- Reuse agents across sessions without token expiration issues
- Support multiple users with different authentication contexts
Expected Behavior
- MCP headers provided at run-time should take precedence over Agent/Thread level headers
- This should be backward compatible - existing code without per_run_mcp_headers should continue working
- The feature should work with agent reuse scenarios
Additional Context
We've investigated the Azure AI Agents REST API documentation and confirmed that the /runs endpoint supports tool_resources.mcp with headers. However, we've also discovered some unexpected behavior:
Documentation vs. Actual Behavior:
- Documentation states: Run-level tool_resources should override Thread/Agent level (highest precedence) - see Azure AI Agents REST API documentation
- Actual behavior: Run-level tool_resources are incompatible and cause internal errors if Agent/Thread level tool_resources are already in place
- Additional constraint: Azure rejects requests with both tools and tool_resources.mcp parameters during agent reuse (specifically when using the streaming API, not the polling method)
We have a tentative PR (in the fork. I hope this is not a surprise) that demonstrates a working implementation of these changes in the framework code. Please note this PR is for illustration purposes and serves as a concrete example of one possible approach - we understand the team may have different architectural concerns and may choose to implement this differently or not at all.
Questions
- Is there a timeline for official support of per-run MCP authentication?
- Are there any architectural concerns when implementing this pattern?
Thank you for considering this feature request.
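The semantics requested above (run-time headers take precedence, apply to one run only, and come from a token refreshed before it expires) can be sketched as follows. This is an added example, not code from the issue, the linked PR or the framework: `TokenCache`, `resolve_run_headers`, `redact` and `REFRESH_MARGIN_S` are hypothetical names, and only `per_run_mcp_headers` is the parameter name the issue suggests.

```python
import copy
import time

REFRESH_MARGIN_S = 300  # assumption: refresh 5 minutes before the token expires

class TokenCache:
    """Caches one bearer token and refetches it shortly before it expires."""
    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch  # hypothetical callable returning (token, expires_at_epoch)
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
            self._token, self._expires_at = self._fetch()
        return self._token

def resolve_run_headers(base_headers, per_run_mcp_headers=None):
    """Headers for one run: per-run values win and the inputs are never mutated."""
    effective = copy.deepcopy(base_headers)
    for server, overrides in (per_run_mcp_headers or {}).items():
        current = effective.setdefault(server, {})
        for name, value in overrides.items():
            # Header names are case-insensitive: drop a differently-cased duplicate
            # so a stale credential is not sent alongside the fresh one.
            for existing in [k for k in current if k.lower() == name.lower()]:
                del current[existing]
            current[name] = value
    return effective

def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    sensitive = {"authorization", "proxy-authorization"}
    return {
        server: {k: ("<redacted>" if k.lower() in sensitive else v) for k, v in hdrs.items()}
        for server, hdrs in headers.items()
    }

def demo():
    # Constructed sample data: fake clock and fake token issuer, no network calls.
    now, issued = [0.0], []
    def fetch():
        issued.append(f"token-{len(issued) + 1}")
        return issued[-1], now[0] + 3600  # 1-hour lifetime, as described in the issue
    cache = TokenCache(fetch, clock=lambda: now[0])
    agent_level = {"my_mcp_server": {"Authorization": "Bearer stale", "X-Trace": "on"}}
    first = cache.get()
    now[0] = 3400.0  # inside the refresh margin, so the next get() fetches a new token
    per_run = {"my_mcp_server": {"authorization": f"Bearer {cache.get()}"}}
    run = resolve_run_headers(agent_level, per_run)
    return first, run, agent_level, redact(run)
```

Logging only the output of `redact` keeps per-run bearer tokens out of traces while still showing which servers and header names were overridden.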