<![CDATA[Matomo MCP Server plugin: Bearer token auth fails because Authorization header is not available as HTTP

<![CDATA[Matomo MCP Server plugin: Bearer token auth fails because Authorization header is not available as HTTP_AUTHORIZATION]]>Hi Cloudron team,

I tested the official Matomo MCP Server plugin with the Cloudron Matomo app and ran into what looks like an Apache/PHP auth header issue.

Environment

Cloudron: 9.1.7
App: Matomo
App package: org.piwik.cloudronapp@1.57.0
Matomo: 5.10.0
MCP plugin: McpServer 5.0.3
Plugin source: https://github.com/matomo-org/plugin-McpServer
Plugin requirement: Matomo >=5.8.0-rc1,<6.0.0-b1, PHP >=8.1.0

What I did

I installed the plugin into:

/app/data/plugins/McpServer
Then ran:

php /app/code/console plugin:install-or-update McpServer --no-interaction
php /app/code/console plugin:activate McpServer --no-interaction
php /app/code/console core:clear-caches
Matomo now sees the plugin:

McpServer | Optional | Activated
MCP is enabled in the plugin settings:

enable_mcp=1
maximum_mcp_access_level=view
raw_api_access_scope=none
Expected behavior
According to the Matomo plugin documentation, MCP clients authenticate by sending:

Authorization: Bearer <token_auth>
to:

/index.php?module=API&method=McpServer.mcp&format=mcp
A valid Matomo token_auth should therefore not be rejected with 401 by the MCP endpoint.

Actual behavior
Unauthenticated request:

401 Authentication required
This is expected and confirms that the MCP endpoint exists.

Authenticated request with a valid Matomo token_auth as Bearer token:

401 Authentication required
The same token works with the normal Matomo Reporting API, so the token itself is valid.

Likely cause
It looks like Apache/PHP inside the Cloudron Matomo app does not pass:

Authorization: Bearer ...
through as:

$_SERVER["HTTP_AUTHORIZATION"]
Matomo core supports Bearer token extraction from HTTP_AUTHORIZATION, and the MCP plugin seems to depend on that.

A common Apache fix would be something like:

SetEnvIf Authorization "^(.*)$" HTTP_AUTHORIZATION=$1
CGIPassAuth On
But in the Cloudron app container, /app/code and /etc/apache2/conf-enabled are read-only, so this cannot be patched persistently from inside the running app.

Request
Could the Cloudron Matomo package include the required Apache/PHP configuration so Authorization is passed through to PHP as HTTP_AUTHORIZATION?

That would make the official Matomo MCP Server plugin usable on Cloudron with Bearer token authentication.

Thanks!

]]>https://forum.cloudron.io/topic/15486/matomo-mcp-server-plugin-bearer-token-auth-fails-because-authorization-header-is-not-available-as-http_authorizationRSS for NodeTue, 05 May 2026 16:48:39 GMTTue, 05 May 2026 08:19:43 GMT60