Pass user identity to MCP servers
MCP servers behind MintMCP sometimes need to know who is calling: to return user-specific data, enforce row-level access, or log the caller for audit purposes. MintMCP can forward the authenticated user's email address to upstream servers so they can make those decisions.
How the email reaches your server depends on the connector type:
| Connector type | Mechanism | Default |
|---|---|---|
| Remote MCP | X-MintMCP-User-Email HTTP header | Off (opt-in per connector) |
| Hosted connector (stdio) | MINTMCP_USER_EMAIL environment variable | Always on |
Remote MCP servers
For remote connectors, MintMCP injects an X-MintMCP-User-Email header into every proxied request when the connector admin enables it. The header contains the authenticated user's email address.
Because remote servers may be operated by third parties, this is off by default.
Enable the header
- Open the connector's Connection settings
- Check Include user identity in requests to this server
- Save
Once enabled, your remote MCP server can read the header from incoming requests:
# Python (Flask / FastAPI)
user_email = request.headers.get("X-MintMCP-User-Email")
// Node.js (Express)
const userEmail = req.headers["x-mintmcp-user-email"];
Hosted connectors
Hosted connectors run inside MintMCP's managed infrastructure for your organization.
For stdio-based MCPs, MintMCP automatically sets the MINTMCP_USER_EMAIL environment variable for every request from a user principal.
Read it like any other environment variable:
import os
user_email = os.environ.get("MINTMCP_USER_EMAIL")
const userEmail = process.env.MINTMCP_USER_EMAIL;
Related
- Add a remote MCP: Set up a remote connector
- Add a hosted connector: Run an MCP server in MintMCP's infrastructure
- Authentication models: How MintMCP handles credentials