how do I pass cookies into custom tool call?
# supportv
vincemeshed
06/07/2025, 12:06 PMI want to be able to identify user from cookies token to make sure I'm only retrieving data for a particular user when custom tool is called
v
Vapi Support Bot
06/07/2025, 12:07 PMTo securely identify users in your custom tool call, pass the user token as an argument in the tool call payload or as a custom header. On your server, extract the token from the request and use it for user validation. For example, in your Express endpoint:
Copy code
js
app.post("/chat/completions/custom-tool", (req, res) => {
const userToken = req.headers['authorization']; // or req.body.message.userToken
// Use userToken to identify and authorize the user
});v
vincemeshed
06/07/2025, 12:37 PM@Vapi Support Bot how do I pass custom header in from react typescript
v
Vapi Support Bot
06/07/2025, 12:39 PMYou cannot set custom headers (like Authorization) dynamically from React/TypeScript using the Vapi Web SDK.
Custom headers for tool calls must be configured in your assistant or tool's server config, for example:
Copy code
json
{
"server": {
"url": "https://your-server.com/webhook",
"headers": {
"Authorization": "Bearer your-api-key"
}
}
}v
vincemeshed
06/07/2025, 3:06 PM@Vapi Support Bot I've tried using assistantOverride.variableValues to pass user token in but its not replacing the value in header field?
{
"variableValues": {
"usertoken": "super_secret_token"
}
}
This is the value of header in the tool setup config
Bearer {{usertoken}}
v
Vapi Support Bot
06/07/2025, 3:08 PMDynamic header value replacement using
assistantOverride.variableValues Copy code
js
// Example Express endpoint
app.post("/chat/completions/custom-tool", (req, res) => {
const userToken = req.body.message.toolCallList[0].function.arguments.usertoken;
// Use userToken to identify and authorize the user
});v
vincemeshed
06/07/2025, 3:19 PM@Kings_bigđź’« any idea?
k
Kings_bigđź’«
06/07/2025, 4:05 PMPass the user’s token from cookies into assistantOverrides.toolOverrides as an Authorization header when starting a session, so your custom tool can securely identify and return data only for that authenticated user..
v
vincemeshed
06/07/2025, 4:41 PMis there documentation/example for this?
I'm getting 400 on assistantOverrides.property toolOverrides should not exist
a
Aniah
06/08/2025, 6:06 AMYou can pass the user’s token as an Authorization header via assistantOverrides.credentials not toolOverrides, since toolOverrides isn’t valid. Use assistantOverrides: { credentials: { Authorization: "Bearer <token>" } } when starting a session..
v
vincemeshed
06/08/2025, 11:44 AMare u sure? this isn't valid either
a
Aniah
06/10/2025, 6:25 AMCould you provide an overview of the implementation and specifically how you are going to pass these cookies to the request? With this context it will give us a better understanding of the data flow and possible solutions
v
vincemeshed
06/11/2025, 11:49 AMI'm using the nextjs an starting the session with vapi.start. I'm getting the cookies from browser session and trying to pass that into vapi session so every tool call(specifically our own MCP server) would use this token to identify user and apply row level access
u
utvara
08/11/2025, 8:39 PMDo you have an example somewhere how this can be achived? I also need to sign the MCP requests with Bearer token
a
Aniah
09/04/2025, 11:07 PM1. Client-Side Setup (Next.js)
Copy code
// Get user's OAuth token from browser session
const userOAuthToken = getCookieValue('oauth_token'); // Your method to get the token
const userId = getCookieValue('user_id');
// Start Vapi session with user credentials
vapi.start({
assistant: {
// Your assistant configuration
server: {
url: "https://your-mcp-server.com/mcp-endpoint",
// Pass user-specific data in server headers or body
headers: {
"X-User-ID": userId,
"X-Session-Token": userOAuthToken
}
},
// Alternative: Pass via webhookCredential for OAuth2 flow
credentials: [{
provider: "webhook",
authenticationPlan: {
type: "oauth2",
url: "https://your-mcp-server.com/oauth/token",
clientId: "your-client-id",
clientSecret: "your-client-secret",
scope: "user:read user:write"
},
name: "mcp-oauth-credential"
}]
}
});Aniah
09/04/2025, 11:07 PM2. API Call Example for Creating a Call
Copy code
const createCall = async () => {
const response = await fetch('https://api.vapi.ai/call', {
method: 'POST',
headers: {
'Authorization': 'Bearer YOUR_VAPI_API_KEY',
'Content-Type': 'application/json'
},
body: JSON.stringify({
type: 'webCall',
assistantId: 'your-assistant-id',
assistantOverrides: {
server: {
url: "https://your-mcp-server.com/mcp-endpoint",
headers: {
"X-User-ID": userId,
"X-Session-Token": userOAuthToken
}
},
// Configure OAuth2 credential for MCP server
credentials: [{
provider: "webhook",
authenticationPlan: {
type: "oauth2",
url: "https://your-mcp-server.com/oauth/token",
clientId: process.env.MCP_CLIENT_ID,
clientSecret: process.env.MCP_CLIENT_SECRET,
scope: "mcp:tools:execute user:identify",
// Additional parameters for user context
additionalBodyParameters: {
user_id: userId,
session_token: userOAuthToken
}
},
name: "mcp-user-credential"
}],
// Pass user context via variable values
variableValues: {
userId: userId,
userToken: userOAuthToken,
orgId: userOrgId
}
}
})
});
return response.json();
};Aniah
09/04/2025, 11:08 PMYour MCP server should be configured to handle OAuth2 authentication and user identification:
Copy code
// MCP Server (Node.js/Express example)
app.post('/oauth/token', (req, res) => {
const { client_id, client_secret, user_id, session_token } = req.body;
// Validate client credentials
if (client_id !== process.env.EXPECTED_CLIENT_ID ||
client_secret !== process.env.EXPECTED_CLIENT_SECRET) {
return res.status(401).json({ error: 'Invalid client credentials' });
}
// Validate user session token
const userContext = validateUserSession(session_token, user_id);
if (!userContext) {
return res.status(401).json({ error: 'Invalid user session' });
}
// Generate access token with user context
const accessToken = jwt.sign({
client_id,
user_id,
org_id: userContext.orgId,
permissions: userContext.permissions
}, process.env.JWT_SECRET, { expiresIn: '1h' });
res.json({
access_token: accessToken,
token_type: 'Bearer',
expires_in: 3600
});
});
// MCP tool endpoint with user access control
app.post('/mcp-endpoint', authenticateToken, (req, res) => {
const { user_id, org_id, permissions } = req.user; // From JWT token
// Apply row-level security based on user context
const toolCall = req.body;
// Example: Filter data based on user's organization
if (toolCall.function.name === 'get_user_data') {
const userData = getUserData({
userId: user_id,
orgId: org_id,
permissions: permissions
});
res.json({
result: userData,
user_context: {
user_id,
org_id
}
});
}
});
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
const token = authHeader && authHeader.split(' ')[1];
if (!token) {
return res.sendStatus(401);
}
jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
if (err) return res.sendStatus(403);
req.user = user;
next();
});
}Aniah
09/04/2025, 11:08 PMKey Points:
1. **OAuth2 Flow**: Use webhookCredential with oauth2 type for proper authentication flow
2. **User Context**: Pass user identifiers through headers, body parameters, or variable values
3. **Row-Level Security**: Implement access control in your MCP server based on the authenticated user
4. **Token Validation**: Always validate tokens and user permissions on your MCP server
5. **Dynamic Headers**: Use variable substitution for dynamic user-specific values
This setup ensures that every tool call to your MCP server includes the necessary user context for proper identification and access control.