Matomo MCP Server plugin: Bearer token auth fails because Authorization header is not available as HTTP_AUTHORIZATION
-
Hi Cloudron team,
I tested the official Matomo MCP Server plugin with the Cloudron Matomo app and ran into what looks like an Apache/PHP auth header issue.
Environment
- Cloudron:
9.1.7 - App: Matomo
- App package:
org.piwik.cloudronapp@1.57.0 - Matomo:
5.10.0 - MCP plugin:
McpServer5.0.3 - Plugin source: https://github.com/matomo-org/plugin-McpServer
- Plugin requirement: Matomo
>=5.8.0-rc1,<6.0.0-b1, PHP>=8.1.0
What I did
I installed the plugin into:
/app/data/plugins/McpServer Then ran: php /app/code/console plugin:install-or-update McpServer --no-interaction php /app/code/console plugin:activate McpServer --no-interaction php /app/code/console core:clear-caches Matomo now sees the plugin: McpServer | Optional | Activated MCP is enabled in the plugin settings: enable_mcp=1 maximum_mcp_access_level=view raw_api_access_scope=none Expected behavior According to the Matomo plugin documentation, MCP clients authenticate by sending: Authorization: Bearer <token_auth> to: /index.php?module=API&method=McpServer.mcp&format=mcp A valid Matomo token_auth should therefore not be rejected with 401 by the MCP endpoint. Actual behavior Unauthenticated request: 401 Authentication required This is expected and confirms that the MCP endpoint exists. Authenticated request with a valid Matomo token_auth as Bearer token: 401 Authentication required The same token works with the normal Matomo Reporting API, so the token itself is valid. Likely cause It looks like Apache/PHP inside the Cloudron Matomo app does not pass: Authorization: Bearer ... through as: $_SERVER["HTTP_AUTHORIZATION"] Matomo core supports Bearer token extraction from HTTP_AUTHORIZATION, and the MCP plugin seems to depend on that. A common Apache fix would be something like: SetEnvIf Authorization "^(.*)$" HTTP_AUTHORIZATION=$1 CGIPassAuth On But in the Cloudron app container, /app/code and /etc/apache2/conf-enabled are read-only, so this cannot be patched persistently from inside the running app. Request Could the Cloudron Matomo package include the required Apache/PHP configuration so Authorization is passed through to PHP as HTTP_AUTHORIZATION? That would make the official Matomo MCP Server plugin usable on Cloudron with Bearer token authentication. Thanks! - Cloudron:
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login