feat(mcp): Add HTTP header bearer token authentication support

.github/pr-welcome-community.md

@@ -27,6 +27,7 @@ As needed or by request, Airbyte Maintainers can execute the following slash com
 - `/fix-pr` - Fixes most formatting and linting issues
 - `/poetry-lock` - Updates poetry.lock file
 - `/test-pr` - Runs tests with the updated PyAirbyte
+- `/prerelease` - Builds and publishes a prerelease version to PyPI
 
 ### Community Support
 

.github/pr-welcome-internal.md

@@ -26,6 +26,7 @@ Airbyte Maintainers can execute the following slash commands on your PR:
 - `/fix-pr` - Fixes most formatting and linting issues
 - `/poetry-lock` - Updates poetry.lock file
 - `/test-pr` - Runs tests with the updated PyAirbyte
+- `/prerelease` - Builds and publishes a prerelease version to PyPI
 
 ### Community Support
 

.github/workflows/prerelease-command.yml

@@ -0,0 +1,136 @@
+name: On-Demand Prerelease
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr:
+        description: 'PR Number'
+        type: string
+        required: true
+      comment-id:
+        description: 'Comment ID (Optional)'
+        type: string
+        required: false
+
+env:
+  AIRBYTE_ANALYTICS_ID: ${{ vars.AIRBYTE_ANALYTICS_ID }}
+
+permissions:
+  contents: write
+  id-token: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  resolve-pr:
+    name: Set up Workflow
+    runs-on: ubuntu-latest
+    steps:
+    - name: Resolve workflow variables
+      id: vars
+      uses: aaronsteers/resolve-ci-vars-action@2e56afab0344bbe03c047dfa39bae559d0291472 # v0.1.6
+
+    - name: Append comment with job run link
+      id: first-comment-action
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        comment-id: ${{ github.event.inputs.comment-id }}
+        issue-number: ${{ github.event.inputs.pr }}
+        body: |
+          > **Prerelease Build Started**
+          >
+          > Building and publishing prerelease package from this PR...
+          > [Check job output.](${{ steps.vars.outputs.run-url }})
+
+    - name: Checkout to get latest tag
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: 0
+
+    - name: Compute prerelease version
+      id: version
+      run: |
+        # Get the latest tag version (strip 'v' prefix if present)
+        LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
+        BASE_VERSION=${LATEST_TAG#v}
+        # Create a unique prerelease version using PR number and run ID
+        # Format: {base}.dev{pr_number}{run_id} (e.g., 0.34.0.dev825123456789)
+        PRERELEASE_VERSION="${BASE_VERSION}.dev${{ github.event.inputs.pr }}${{ github.run_id }}"
+        echo "version=$PRERELEASE_VERSION" >> $GITHUB_OUTPUT
+        echo "Computed prerelease version: $PRERELEASE_VERSION"
+    outputs:
+      source-repo: ${{ steps.vars.outputs.pr-source-repo-name-full }}
+      source-branch: ${{ steps.vars.outputs.pr-source-git-branch }}
+      commit-sha: ${{ steps.vars.outputs.pr-source-git-sha }}
+      pr-number: ${{ steps.vars.outputs.pr-number }}
+      job-run-url: ${{ steps.vars.outputs.run-url }}
+      first-comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
+      prerelease-version: ${{ steps.version.outputs.version }}
+
+  build-and-publish:
+    name: Trigger Publish Workflow
+    needs: [resolve-pr]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Authenticate as GitHub App
+      uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+      id: get-app-token
+      with:
+        owner: "airbytehq"
+        repositories: "PyAirbyte"
+        app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+        private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
+    - name: Trigger pypi_publish workflow
+      id: dispatch
+      uses: the-actions-org/workflow-dispatch@v4
+      with:
+        workflow: pypi_publish.yml
+        token: ${{ steps.get-app-token.outputs.token }}
+        ref: main  # Run from main so OIDC attestation matches trusted publisher
+        inputs: '{"git_ref": "refs/pull/${{ github.event.inputs.pr }}/head", "version_override": "${{ needs.resolve-pr.outputs.prerelease-version }}", "publish": "true"}'
+        wait-for-completion: true
+        wait-for-completion-timeout: 30m
+    outputs:
+      workflow-conclusion: ${{ steps.dispatch.outputs.workflow-conclusion }}
+      workflow-url: ${{ steps.dispatch.outputs.workflow-url }}
+
+  post-result-comment:
+    name: Write Status to PR
+    needs: [resolve-pr, build-and-publish]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+    - name: Post success comment
+      if: needs.build-and-publish.result == 'success'
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        comment-id: ${{ needs.resolve-pr.outputs.first-comment-id }}
+        issue-number: ${{ github.event.inputs.pr }}
+        reactions: rocket
+        body: |
+          > **Prerelease Published to PyPI**
+          >
+          > Version: `${{ needs.resolve-pr.outputs.prerelease-version }}`
+          > [View publish workflow](${{ needs.build-and-publish.outputs.workflow-url }})
+          >
+          > Install with:
+          > ```bash
+          > pip install airbyte==${{ needs.resolve-pr.outputs.prerelease-version }}
+          > ```
+    - name: Post failure comment
+      if: needs.build-and-publish.result == 'failure'
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        comment-id: ${{ needs.resolve-pr.outputs.first-comment-id }}
+        issue-number: ${{ github.event.inputs.pr }}
+        reactions: confused
+        body: |
+          > **Prerelease Build/Publish Failed**
+          >
+          > The prerelease encountered an error.
+          > [Check publish workflow output](${{ needs.build-and-publish.outputs.workflow-url }}) for details.
+          >
+          > You can still install directly from this PR branch:
+          > ```bash
+          > pip install 'git+https://github.com/${{ needs.resolve-pr.outputs.source-repo }}.git@${{ needs.resolve-pr.outputs.source-branch }}'
+          > ```

.github/workflows/pypi_publish.yml

@@ -4,6 +4,36 @@ on:
   push:
 
   workflow_dispatch:
+    inputs:
+      git_ref:
+        description: 'Git ref (SHA or branch) to checkout and build'
+        required: false
+        type: string
+      version_override:
+        description: 'Version to use (overrides dynamic versioning)'
+        required: false
+        type: string
+      publish:
+        description: 'Whether to publish to PyPI (true/false)'
+        required: false
+        type: string
+        default: 'false'
+
+  workflow_call:
+    inputs:
+      git_ref:
+        description: 'Git ref (SHA or branch) to checkout and build'
+        required: true
+        type: string
+      version_override:
+        description: 'Version to use (overrides dynamic versioning)'
+        required: false
+        type: string
+      publish:
+        description: 'Whether to publish to PyPI'
+        required: false
+        type: boolean
+        default: false
 
 env:
   AIRBYTE_ANALYTICS_ID: ${{ vars.AIRBYTE_ANALYTICS_ID }}
@@ -14,8 +44,21 @@ jobs:
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
+        ref: ${{ inputs.git_ref || github.ref }}
         fetch-depth: 0
-    - uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
+    - name: Prepare version override
+      id: version
+      run: |
+        echo "override=${{ inputs.version_override }}" >> $GITHUB_OUTPUT
+        echo "has_override=${{ inputs.version_override != '' }}" >> $GITHUB_OUTPUT
+    - name: Build package (with version override)
+      if: steps.version.outputs.has_override == 'true'
+      uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
+      env:
+        POETRY_DYNAMIC_VERSIONING_BYPASS: ${{ steps.version.outputs.override }}
+    - name: Build package (dynamic version)
+      if: steps.version.outputs.has_override != 'true'
+      uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
 
   publish:
     name: Publish to PyPI
@@ -27,13 +70,16 @@ jobs:
     environment:
       name: PyPi
       url: https://pypi.org/p/airbyte
-    if: startsWith(github.ref, 'refs/tags/')
+    # Publish when: (1) triggered by a tag push, OR (2) called with publish=true (handles both boolean and string)
+    if: startsWith(github.ref, 'refs/tags/') || inputs.publish == true || inputs.publish == 'true'
     steps:
     - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: Packages
         path: dist
     - name: Upload wheel to release
+      # Only upload to GitHub release when triggered by a tag
+      if: startsWith(github.ref, 'refs/tags/')
       uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # latest
       with:
         repo_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/slash_command_dispatch.yml

@@ -34,6 +34,7 @@ jobs:
             fix-pr
             test-pr
             poetry-lock
+            prerelease
           static-args: |
             pr=${{ github.event.issue.number }}
             comment-id=${{ github.event.comment.id }}

airbyte/_util/api_util.py

@@ -1249,9 +1249,9 @@ def _make_config_api_request(
     api_root: str,
     path: str,
     json: dict[str, Any],
-    client_id: SecretString,
-    client_secret: SecretString,
-    bearer_token: SecretString,
+    client_id: SecretString | None,
+    client_secret: SecretString | None,
+    bearer_token: SecretString | None,
 ) -> dict[str, Any]:
     config_api_root = get_config_api_root(api_root)
     if client_id and client_secret and not bearer_token:
@@ -1260,6 +1260,11 @@ def _make_config_api_request(
             client_secret=client_secret,
             api_root=api_root,
         )
+    if not bearer_token:
+        raise PyAirbyteInputError(
+            message="No authentication provided. Either bearer_token or both client_id and "
+            "client_secret must be provided.",
+        )
     headers: dict[str, Any] = {
         "Content-Type": "application/json",
         "Authorization": f"Bearer {bearer_token}",

airbyte/cloud/auth.py

@@ -2,6 +2,7 @@
 """Authentication-related constants and utilities for the Airbyte Cloud."""
 
 from airbyte import constants
+from airbyte.mcp._util import get_bearer_token_from_headers
 from airbyte.secrets import SecretString
 from airbyte.secrets.util import get_secret, try_get_secret
 
@@ -26,8 +27,23 @@ def resolve_cloud_bearer_token(
     input_value: str | SecretString | None = None,
     /,
 ) -> SecretString | None:
-    """Get the Airbyte Cloud bearer token from the environment."""
-    return try_get_secret(constants.CLOUD_BEARER_TOKEN_ENV_VAR, default=input_value)
+    """Get the Airbyte Cloud bearer token.
+
+    Resolution order:
+    1. Explicit input_value parameter
+    2. HTTP Authorization header (when running as MCP HTTP server)
+    3. AIRBYTE_CLOUD_BEARER_TOKEN environment variable
+    """
+    if input_value:
+        return SecretString(input_value)
+
+    # Try HTTP header first (for MCP HTTP transport)
+    header_token = get_bearer_token_from_headers()
+    if header_token:
+        return SecretString(header_token)
+
+    # Fall back to environment variable
+    return try_get_secret(constants.CLOUD_BEARER_TOKEN_ENV_VAR, default=None)
 
 
 def resolve_cloud_api_url(

airbyte/cloud/connections.py

@@ -301,6 +301,7 @@ def get_state_artifacts(self) -> list[dict[str, Any]] | None:
             api_root=self.workspace.api_root,
             client_id=self.workspace.client_id,
             client_secret=self.workspace.client_secret,
+            bearer_token=self.workspace.bearer_token,
         )
         if state_response.get("stateType") == "not_set":
             return None
@@ -322,6 +323,7 @@ def get_catalog_artifact(self) -> dict[str, Any] | None:
             api_root=self.workspace.api_root,
             client_id=self.workspace.client_id,
             client_secret=self.workspace.client_secret,
+            bearer_token=self.workspace.bearer_token,
         )
         return connection_response.get("syncCatalog")
 

airbyte/cloud/connectors.py

@@ -766,6 +766,7 @@ def set_testing_values(
             api_root=self.workspace.api_root,
             client_id=self.workspace.client_id,
             client_secret=self.workspace.client_secret,
+            bearer_token=self.workspace.bearer_token,
         )
 
         return self

airbyte/cloud/workspaces.py

@@ -76,6 +76,12 @@
 from airbyte import exceptions as exc
 from airbyte._util import api_util, text_util
 from airbyte._util.api_util import get_web_url_root
+from airbyte.cloud.auth import (
+    resolve_cloud_api_url,
+    resolve_cloud_client_id,
+    resolve_cloud_client_secret,
+    resolve_cloud_workspace_id,
+)
 from airbyte.cloud.connections import CloudConnection
 from airbyte.cloud.connectors import (
     CloudDestination,
@@ -148,6 +154,55 @@ def __post_init__(self) -> None:
         if self.bearer_token is not None:
             self.bearer_token = SecretString(self.bearer_token)
 
+    @classmethod
+    def from_env(
+        cls,
+        workspace_id: str | None = None,
+        *,
+        api_root: str | None = None,
+    ) -> CloudWorkspace:
+        """Create a CloudWorkspace using credentials from environment variables.
+
+        This factory method resolves credentials from environment variables,
+        providing a convenient way to create a workspace without explicitly
+        passing credentials.
+
+        Environment variables used:
+            - `AIRBYTE_CLOUD_CLIENT_ID`: Required. The OAuth client ID.
+            - `AIRBYTE_CLOUD_CLIENT_SECRET`: Required. The OAuth client secret.
+            - `AIRBYTE_CLOUD_WORKSPACE_ID`: The workspace ID (if not passed as argument).
+            - `AIRBYTE_CLOUD_API_URL`: Optional. The API root URL (defaults to Airbyte Cloud).
+
+        Args:
+            workspace_id: The workspace ID. If not provided, will be resolved from
+                the `AIRBYTE_CLOUD_WORKSPACE_ID` environment variable.
+            api_root: The API root URL. If not provided, will be resolved from
+                the `AIRBYTE_CLOUD_API_URL` environment variable, or default to
+                the Airbyte Cloud API.
+
+        Returns:
+            A CloudWorkspace instance configured with credentials from the environment.
+
+        Raises:
+            PyAirbyteSecretNotFoundError: If required credentials are not found in
+                the environment.
+
+        Example:
+            ```python
+            # With workspace_id from environment
+            workspace = CloudWorkspace.from_env()
+
+            # With explicit workspace_id
+            workspace = CloudWorkspace.from_env(workspace_id="your-workspace-id")
+            ```
+        """
+        return cls(
+            workspace_id=resolve_cloud_workspace_id(workspace_id),
+            client_id=resolve_cloud_client_id(),
+            client_secret=resolve_cloud_client_secret(),
+            api_root=resolve_cloud_api_url(api_root),
+        )
+
     @property
     def workspace_url(self) -> str | None:
         """The web URL of the workspace."""
@@ -165,6 +220,7 @@ def _organization_info(self) -> dict[str, Any]:
             api_root=self.api_root,
             client_id=self.client_id,
             client_secret=self.client_secret,
+            bearer_token=self.bearer_token,
         )
 
     @overload