Bug: Docker image ENTRYPOINT does not expand $NEON_API_KEY - causes 401 auth error

[jasonbeauxjames]

The official Docker image (mcp/neon) fails with a 401 Authentication Error because the ENTRYPOINT instruction in the Dockerfile is written in a way that prevents shell environment variable expansion.

Root Cause

Line 164 of the Dockerfile uses the exec form of ENTRYPOINT:

ENTRYPOINT ["node", "dist/index.js", "start", "$NEON_API_KEY"]

When ENTRYPOINT is in exec form (a JSON array), it does not invoke a command shell, so variable substitution does not happen. The container passes the literal string "$NEON_API_KEY" as an argument to the node process instead of the actual API key value stored in the environment variable.

Dockerfile Form	Variable Expansion	Result
ENTRYPOINT ["cmd", "$VAR"]	❌ No	Passes the literal string "$VAR"
ENTRYPOINT cmd $VAR	✅ Yes	The shell expands $VAR to its value

Steps to Reproduce

1. Set up the mcp/neon Docker image via Docker MCP Gateway or directly with docker run.
2. Configure the NEON_API_KEY environment variable with a valid API key.
3. Attempt to use any tool (e.g., list_projects).
4. Observe the 401 Unauthorized error from the server, as it is receiving an invalid API key.

Expected Behavior

The API key from the NEON_API_KEY environment variable should be correctly passed to the server process, allowing for successful authentication.

Actual Behavior

The server receives the literal string "$NEON_API_KEY" as the API key, causing authentication to fail with a 401 error.

Workaround

The only current workaround is to bypass the broken Docker image and use npx directly, which correctly reads the environment variable from process.env.

{
  "mcpServers": {
    "neon": {
      "command": "npx",
      "args": ["-y", "@neondatabase/mcp-server-neon"],
      "env": {
        "NEON_API_KEY": "your-api-key-here"
      }
    }
  }
}

Suggested Fix

The ENTRYPOINT needs to be modified to correctly expand the environment variable.

Option 1: Use Shell Wrapper (Recommended)
This is the most robust and common solution for this problem. It ensures that a shell is invoked to handle the variable expansion.

# FROM:
ENTRYPOINT ["node", "dist/index.js", "start", "$NEON_API_KEY"]

# TO:
ENTRYPOINT ["/bin/sh", "-c", "exec node dist/index.js start \"$NEON_API_KEY\""]

Option 2: Modify the Application Code
A cleaner, more idiomatic solution would be to modify the application code in dist/index.js to read the API key from process.env.NEON_API_KEY instead of requiring it as a command-line argument. This is standard practice for passing secrets to containerized applications.

Environment

• Docker MCP Gateway (beta) via Docker Desktop
• macOS (Mac Mini M4 Pro)
• December 2025