like-gold
like-goldā€¢3mo ago

how do I pass cookies into custom tool call?

I want to be able to identify user from cookies token to make sure I'm only retrieving data for a particular user when custom tool is called
14 Replies
Vapi
Vapiā€¢3mo ago
To securely identify users in your custom tool call, pass the user token as an argument in the tool call payload or as a custom header. On your server, extract the token from the request and use it for user validation. For example, in your Express endpoint: 
app.post("/chat/completions/custom-tool", (req, res) => {
  const userToken = req.headers['authorization']; // or req.body.message.userToken
  // Use userToken to identify and authorize the user
});
app.post("/chat/completions/custom-tool", (req, res) => {
  const userToken = req.headers['authorization']; // or req.body.message.userToken
  // Use userToken to identify and authorize the user
});
Set the header in your tool's server config as shown in the Vapi docs. Sources: - Server Authentication - Custom Tool Calling Integration
ā¤µļø Mention @Vapi Support Bot for follow-ups šŸ„
like-gold
like-goldOPā€¢3mo ago
@Duckie how do I pass custom header in from react typescript
Vapi
Vapiā€¢3mo ago
You cannot set custom headers (like Authorization) dynamically from React/TypeScript using the Vapi Web SDK.
Custom headers for tool calls must be configured in your assistant or tool's server config, for example: 
{
  "server": {
    "url": "https://your-server.com/webhook",
    "headers": {
      "Authorization": "Bearer your-api-key"
    }
  }
}
{
  "server": {
    "url": "https://your-server.com/webhook",
    "headers": {
      "Authorization": "Bearer your-api-key"
    }
  }
}
If you need to identify the user, pass the token as an argument in the tool call payload instead, and extract it on your backend.
See Vapi docs for details. Sources: - Server Authentication - Custom Tool Calling Integration
like-gold
like-goldOPā€¢3mo ago
@Duckie I've tried using assistantOverride.variableValues to pass user token in but its not replacing the value in header field? { "variableValues": { "usertoken": "super_secret_token" } } This is the value of header in the tool setup config Bearer {{usertoken}}
Vapi
Vapiā€¢3mo ago
Dynamic header value replacement using assistantOverride.variableValues is not supported in Vapi.
Instead, pass the user token as an argument in your tool call payload and extract it on your backend: 
// Example Express endpoint
app.post("/chat/completions/custom-tool", (req, res) => {
  const userToken = req.body.message.toolCallList[0].function.arguments.usertoken;
  // Use userToken to identify and authorize the user
});
// Example Express endpoint
app.post("/chat/completions/custom-tool", (req, res) => {
  const userToken = req.body.message.toolCallList[0].function.arguments.usertoken;
  // Use userToken to identify and authorize the user
});
Set static headers in your tool config, but use payload arguments for dynamic user data.
See Vapi docs for details. Sources: - Server Authentication - Custom Tool Calling Integration
like-gold
like-goldOPā€¢3mo ago
@Kings_bigšŸ’« any idea?
equal-aqua
equal-aquaā€¢3mo ago
Pass the userā€™s token from cookies into assistantOverrides.toolOverrides as an Authorization header when starting a session, so your custom tool can securely identify and return data only for that authenticated user..
like-gold
like-goldOPā€¢3mo ago
is there documentation/example for this? I'm getting 400 on assistantOverrides.property toolOverrides should not exist
Shubham Bajaj
Shubham Bajajā€¢3mo ago
You can pass the userā€™s token as an Authorization header via assistantOverrides.credentials not toolOverrides, since toolOverrides isnā€™t valid. Use assistantOverrides: { credentials: { Authorization: "Bearer <token>" } } when starting a session..
like-gold
like-goldOPā€¢3mo ago
are u sure? this isn't valid either
Shubham Bajaj
Shubham Bajajā€¢3mo ago
Could you provide an overview of the implementation and specifically how you are going to pass these cookies to the request? With this context it will give us a better understanding of the data flow and possible solutions
like-gold
like-goldOPā€¢3mo ago
I'm using the nextjs an starting the session with vapi.start. I'm getting the cookies from browser session and trying to pass that into vapi session so every tool call(specifically our own MCP server) would use this token to identify user and apply row level access
Shubham Bajaj
Shubham Bajajā€¢3mo ago
If your MCP server uses OAuth2, you could potentially use the webhook integration with assistantOverrides.credentials and pass the dynamic variable into there: https://docs.vapi.ai/api-reference/calls/create#request.body.assistantOverrides.credentials.WebhookCredential
sunny-green
sunny-greenā€¢3w ago
Do you have an example somewhere how this can be achived? I also need to sign the MCP requests with Bearer token

Did you find this page helpful?