Skip to content
Documentation
Concepts
Tool sessions

Tool sessions

The MCP handler correlates calls into tool sessions so Cedar policies can reason about prior tool use and policy hit counts (server/utils/mcp-authz.ts, buildSessionEntity).

External session id resolution (server/routes/mcp/[...].ts) prefers, in order: vendor headers (x-claude-code-session-id, mcp-session-id, openai-conversation-id, x-mcp-session-id), optional JSON-RPC metadata, otherwise a short deterministic fingerprint from client IP, User-Agent, and proxy key (so unrelated tenants do not share a synthetic id). Values are sanitized before echoing in response headers.

Idle sessions are expired on a timer and on startup (see server/plugins/init.ts and the inactivity env documented there).

Members and proxy keys