From 17c56d8814aaac6d2fb4c3b5e66bbd74d9cb41d5 Mon Sep 17 00:00:00 2001
From: YeonGyu-Kim <code.yeon.gyu@gmail.com>
Date: Wed, 11 Feb 2026 00:44:04 +0900
Subject: [PATCH] fix(mcp): restore x-api-key header for EXA websearch
 alongside query param

The header-based auth was removed during refactoring; some MCP server
implementations require it. Now sends both query param and header.
---
 src/mcp/websearch.test.ts | 9 +++++----
 src/mcp/websearch.ts      | 1 +
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/mcp/websearch.test.ts b/src/mcp/websearch.test.ts
index 2b09e395d..572ebae33 100644
--- a/src/mcp/websearch.test.ts
+++ b/src/mcp/websearch.test.ts
@@ -65,15 +65,16 @@ describe("websearch MCP provider configuration", () => {
     expect(result.url).toContain(`exaApiKey=${encodeURIComponent(apiKey)}`)
   })
 
-  test("does not set x-api-key header when EXA_API_KEY is set", () => {
+  test("sets x-api-key header when EXA_API_KEY is set", () => {
     //#given
-    process.env.EXA_API_KEY = "test-exa-key-12345"
+    const apiKey = "test-exa-key-12345"
+    process.env.EXA_API_KEY = apiKey
 
     //#when
     const result = createWebsearchConfig()
 
     //#then
-    expect(result.headers).toBeUndefined()
+    expect(result.headers).toEqual({ "x-api-key": apiKey })
   })
 
   test("URL-encodes EXA_API_KEY when it contains special characters", () => {
@@ -126,7 +127,7 @@ describe("websearch MCP provider configuration", () => {
     //#then
     expect(result.url).toContain("mcp.exa.ai")
     expect(result.url).toContain(`exaApiKey=${encodeURIComponent(exaKey)}`)
-    expect(result.headers).toBeUndefined()
+    expect(result.headers).toEqual({ "x-api-key": exaKey })
   })
 
   test("Tavily config uses Authorization Bearer header format", () => {
diff --git a/src/mcp/websearch.ts b/src/mcp/websearch.ts
index a306ac49b..74301d033 100644
--- a/src/mcp/websearch.ts
+++ b/src/mcp/websearch.ts
@@ -35,6 +35,7 @@ export function createWebsearchConfig(config?: WebsearchConfig): RemoteMcpConfig
       ? `https://mcp.exa.ai/mcp?tools=web_search_exa&exaApiKey=${encodeURIComponent(process.env.EXA_API_KEY)}`
       : "https://mcp.exa.ai/mcp?tools=web_search_exa",
     enabled: true,
+    ...(process.env.EXA_API_KEY ? { headers: { "x-api-key": process.env.EXA_API_KEY } } : {}),
     oauth: false as const,
   }
 }