The 2025.10.0 release of sgcWebSockets elevates Model Context Protocol (MCP) connectivity with a hardened authentication layer for both client and server components. This article highlights how the new capabilities combine enterprise-grade access control with the rapid development workflow Delphi teams expect from sgcWebSockets.
What is new
- Dual enforcement: client libraries automatically include the headers the server verifies, closing gaps between discovery and enforcement.
- Transport awareness: authentication works regardless of whether requests use classic HTTP or streamable transports such as SSE, so you can adopt streaming with confidence.
- Commercial readiness: ready-made properties, validation hooks, and telemetry events reduce the cost of auditing regulated workloads.
MCP Client
The MCP client exposes all security knobs through the MCPOptions.AuthenticationOptions property. Enable API key or custom header flows independently to satisfy zero-trust or tenant-based policies, and the component injects the required headers during each HTTP POST and SSE upgrade.
- Custom Header authentication lets you set a proprietary header/value pair (for example,
X-TenantorX-Region). - API Key/Bearer token support automatically formats the standard
Authorization: Bearerheader, ensuring compatibility with gateways and API management layers. - Session propagation keeps the MCP session identifier synchronized across requests, simplifying observability.
- Streaming ready: as soon as the transport switches to
aimcptrHttpStreamable, the client spins up an SSE thread that preserves the same authenticated headers.
Together with heartbeats, client metadata, and HTTP/TLS customization, you can align MCP conversations with your organization's compliance checklist without sacrificing developer velocity.
MCP Server
The server mirrors the client controls with dedicated endpoint, transport, and MCP configuration objects. As requests arrive, the component validates every incoming header and raises a descriptive error when a credential is missing or incorrect. Because validation happens before the request enters your business logic, you stop misuse early and keep your code focused on domain value.
- Centralized header validation rejects requests immediately when the required header/value pair is absent or mismatched.
- Bearer token verification checks that the server-side API key matches the
Authorizationheader used by the client. - Unified events: initialization, session lifecycle, and prompt/resource/tool handlers remain available so you can react to authenticated sessions in real time.
Business and technical advantages
- Security you can sell: customers demand authenticated AI automations, and MCP Authentication provides a turnkey answer when responding to RFPs or compliance questionnaires.
- Operational efficiency: administrators manage credentials through simple component properties rather than scattered code changes.
- Scalable governance: per-tenant headers make it easy to route sessions to specific back-ends or apply rate limits while maintaining a single binary.
- Future proofing: because the authentication code is part of the core MCP transport, new protocol additions inherit the same guardrails automatically.
Delphi Example
The following snippet shows how a single configuration routine can enable MCP Authentication for both a client and a server in Delphi. Adapt the credential values to your environment.