How to CORRECTLY pass in user-specific jwt token to a tool of an API that needs a user token?

[thongnbui]

I currently have a set up like this to pass a jwt token to my API

but I believe it's not correct because it requires save this API in your SqlLite DB, which means that all the subsequent tool calls are using the SAME token, correct? And that is not good, because each user should have their own jwt token. How do set up this tool so that for each call, a user should be able to pass in a user-specific jwt token?

[crivetimihai]

Hi,

I believe this depends on https://ibm.github.io/mcp-context-forge/architecture/roadmap/#epic-role-based-access-control-userteamglobal-scopes where we plan on 'scoping' each of the catalogs (Servers, Tools, Resources, Prompts, Gateways) to each of the users.

This would that the gateway would generate a complete catalog of everything for each user. Would love to get your thoughts on the Epic described above.