Feature Request: Authorization: Bearer header middleware for hosted MCP endpoint

[mishaal-cloud]

Hi Hindsight team,

We're running Hindsight at hindsight.ascendgtm.net via Cloudflare Tunnel and would like to expose the MCP endpoint to external agents securely.

Currently the MCP server doesn't appear to support Authorization: Bearer <token> header validation middleware. This would allow us to:

1. Gate access to the MCP endpoint with a static bearer token
2. Pass the token through Cloudflare Workers or a proxy layer
3. Use it as a Wrangler secret (wrangler secret put HINDSIGHT_BEARER_TOKEN) for CI/CD workflows

Request: Please add optional Authorization: Bearer middleware to the Hindsight MCP server — either as an env var (e.g., HINDSIGHT_BEARER_TOKEN) or via config.

We're happy to contribute a PR if you can point us to the right place in the codebase. Once shipped, we'd like to set the bearer token and validate the secured endpoint.

Thanks!

[benfrank241]

@mishaal-cloud this is already supported. the MCP endpoint at mcp.py:387-416 reads the Authorization header, strips Bearer (or accepts the raw token), and validates against whatever tenant extension is configured. it returns 401 if missing or invalid.