litellm - 💡(How to fix) Fix [Bug]: BYOK for non-OpenAPI spec MCP missing in UI

1. Create form: Show BYOK block when transportType is http, sse, or openapi (exclude stdio).
2. Edit form: Add is_byok, byok_description, byok_api_key_help_url to mcp_server_edit.tsx for existing servers (read-only hint if toggling off after users have credentials).
3. Docs: Clarify BYOK applies to OpenAPI-generated MCP and native HTTP MCP servers. Optional: add GET /v1/mcp/server/{server_id}/user-credential/status symmetric to oauth-user-credential/status for BYOK (today only has_user_credential on list endpoint).

Workaround (today)

Register via API:

curl -X POST "$LITELLM_BASE/v1/mcp/server" \
  -H "Authorization: Bearer $ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "server_name": "my_mcp_server",
    "url": "https://my-mcp.example.com/mcp",
    "transport": "http",
    "auth_type": "bearer_token",
    "is_byok": true,
    "allow_all_keys": true,
    "byok_description": ["Describe access for users"],
    "byok_api_key_help_url": "https://docs.example.com/api-keys"
  }'

Users store PAT via playground Connect or POST /v1/mcp/server/{server_id}/user-credential.

Impact

• Enterprise deployments with FastMCP / Streamable HTTP servers (not OpenAPI specs) cannot self-serve BYOK registration in UI
• Forces API/script registration and confuses operators who assume BYOK is OpenAPI-only because the UI implies it
• Edit flow cannot enable BYOK on existing HTTP servers without delete/recreate via API

Environment

• LiteLLM proxy with DB (store_model_in_db, MCP in supported_db_objects)
• MCP server type: FastMCP, transport: http, auth_type: bearer_token, per-user PAT
• Reproduced on LiteLLM dashboard “Add New MCP Server” modal (version aligned with BerriAI/litellm main as of 2026-05)

Version / fork note

Observed in downstream fork wdpr-ra-litellm; same UI code path exists upstream in ui/litellm-dashboard/src/components/mcp_tools/create_mcp_server.tsx.

Fix / Workaround

1. Create form: Show BYOK block when transportType is http, sse, or openapi (exclude stdio).
2. Edit form: Add is_byok, byok_description, byok_api_key_help_url to mcp_server_edit.tsx for existing servers (read-only hint if toggling off after users have credentials).
3. Docs: Clarify BYOK applies to OpenAPI-generated MCP and native HTTP MCP servers. Optional: add GET /v1/mcp/server/{server_id}/user-credential/status symmetric to oauth-user-credential/status for BYOK (today only has_user_credential on list endpoint).

Workaround (today)

Register via API:

curl -X POST "$LITELLM_BASE/v1/mcp/server" \
  -H "Authorization: Bearer $ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "server_name": "my_mcp_server",
    "url": "https://my-mcp.example.com/mcp",
    "transport": "http",
    "auth_type": "bearer_token",
    "is_byok": true,
    "allow_all_keys": true,
    "byok_description": ["Describe access for users"],
    "byok_api_key_help_url": "https://docs.example.com/api-keys"
  }'

Users store PAT via playground Connect or POST /v1/mcp/server/{server_id}/user-credential.

Impact

• Enterprise deployments with FastMCP / Streamable HTTP servers (not OpenAPI specs) cannot self-serve BYOK registration in UI
• Forces API/script registration and confuses operators who assume BYOK is OpenAPI-only because the UI implies it
• Edit flow cannot enable BYOK on existing HTTP servers without delete/recreate via API

Environment

• LiteLLM proxy with DB (store_model_in_db, MCP in supported_db_objects)
• MCP server type: FastMCP, transport: http, auth_type: bearer_token, per-user PAT
• Reproduced on LiteLLM dashboard “Add New MCP Server” modal (version aligned with BerriAI/litellm main as of 2026-05)

Version / fork note

Observed in downstream fork wdpr-ra-litellm; same UI code path exists upstream in ui/litellm-dashboard/src/components/mcp_tools/create_mcp_server.tsx.