🔐 feat: Add API key authentication support for MCP servers (#10936)

* 🔐 feat: Add API key authentication support for MCP servers

* Chore: Copilot comments fixes

---------

Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>

packages/api/src/utils/env.ts

@@ -205,6 +205,38 @@ export function processMCPEnv(params: {
 
   const newObj: MCPOptions = structuredClone(options);
 
+  // Apply admin-provided API key to headers at runtime
+  // Note: User-provided keys use {{MCP_API_KEY}} placeholder in headers,
+  // which is processed later via customUserVars replacement
+  if ('apiKey' in newObj && newObj.apiKey) {
+    const apiKeyConfig = newObj.apiKey as {
+      key?: string;
+      source: 'admin' | 'user';
+      authorization_type: 'basic' | 'bearer' | 'custom';
+      custom_header?: string;
+    };
+
+    if (apiKeyConfig.source === 'admin' && apiKeyConfig.key) {
+      const { key, authorization_type, custom_header } = apiKeyConfig;
+      const headerName =
+        authorization_type === 'custom' ? custom_header || 'X-Api-Key' : 'Authorization';
+
+      let headerValue = key;
+      if (authorization_type === 'basic') {
+        headerValue = `Basic ${key}`;
+      } else if (authorization_type === 'bearer') {
+        headerValue = `Bearer ${key}`;
+      }
+
+      // Initialize headers if needed and add the API key header (overwrites if header already exists)
+      const objWithHeaders = newObj as { headers?: Record<string, string> };
+      if (!objWithHeaders.headers) {
+        objWithHeaders.headers = {};
+      }
+      objWithHeaders.headers[headerName] = headerValue;
+    }
+  }
+
   if ('env' in newObj && newObj.env) {
     const processedEnv: Record<string, string> = {};
     for (const [key, originalValue] of Object.entries(newObj.env)) {