WWW-Authenticate headers should be passed through

[localden]

Without this, you don't have the means to respond to specific HTTP 401 errors. Right now, on any token validation error that the server responds with 401 Unauthorized the client will just act as if it needs to re-authenticate with no context as to why.

[cliffhall]

@localden you're right, but can you provide an example with steps to repro? I'm not sure if this is a failing of the Inspector or the SDK.

[cliffhall]

Without this, you don't have the means to respond to specific HTTP 401 errors. Right now, on any token validation error that the server responds with 401 Unauthorized the client will just act as if it needs to re-authenticate with no context as to why.

Are you saying that WWW-Authenticate response headers are not making it to the client from the MCP Inspector's backing server?