
Model Context Protocol security

MCP secrets management without handing secrets to the model

MCP makes tools easier for agents to use. Automic Vault keeps the credential boundary clear: the tool can get approved access, while the model never needs the raw value.

Last updated: June 4, 2026

MCP secrets management should give tools approved credential access without placing raw secrets in prompts or plaintext server config. Automic Vault injects secrets when the local MCP server or CLI starts, then keeps the value outside model context.


The MCP secret risk

Tool access should not mean prompt access.

MCP servers often need credentials for GitHub, cloud APIs, databases, and internal systems. Those values should not live in config files that an agent can inspect.

Server config

Avoid plaintext setup files

Do not make JSON config, dotenv files, or shell profiles the secret store for agent tools.

Launch boundary

Inject at server start

Start sensitive servers or helpers through approved injection so only that process receives the keys.

Action boundary

Gate mutating commands

When a tool can change real systems, route the run through an approval path.

Capability thinking

Track what got access

The useful question is which tool got which capability for which run.
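The launch boundary described above, as an added example rather than Automic Vault's own code: a small injector that starts a child process with only the named keys on top of a minimal base environment, so the parent shell, its profile, the client config and anything that can read the parent's environment never hold the value. The STORE dictionary stands in for entries created with av save, its values are constructed placeholders, and the helper names (scoped_env, launch, child_visible_keys, parent_leaked_keys) are this example's own.

```python
import json
import os
import subprocess
import sys

# Constructed stand-in for the local secret store: name -> value.
# In the page's workflow these would be entries created with `av save`;
# the values here are made-up placeholders, not real credentials.
STORE = {
    "GITHUB_TOKEN": "ghp_constructed_example_token",
    "DATABASE_URL": "postgres://app:constructed@localhost/app",
}

# Minimal base environment for the child: enough to find binaries, nothing else.
BASE_KEYS = ("PATH", "HOME", "LANG")


def scoped_env(names):
    """Build the child environment: a minimal base plus only the requested keys.

    Everything else in the parent's environment, including other store entries,
    is deliberately not forwarded. Unknown names fail loudly instead of silently
    launching a server without its credential.
    """
    missing = [n for n in names if n not in STORE]
    if missing:
        raise KeyError(f"not in store: {missing}")
    env = {k: os.environ[k] for k in BASE_KEYS if k in os.environ}
    env.update({n: STORE[n] for n in names})
    return env


def launch(names, argv):
    """Start argv with only the named keys injected; returns the CompletedProcess.

    The parent never exports the value, so a config file, shell profile or
    transcript that can see the parent's state cannot see the secret.
    """
    return subprocess.run(argv, env=scoped_env(names), capture_output=True, text=True, check=False)


def child_visible_keys(names):
    """Launch a throwaway Python child that reports which store keys it can see."""
    probe = (
        "import json, os; "
        f"keys = {sorted(STORE)!r}; "
        "print(json.dumps([k for k in keys if k in os.environ]))"
    )
    proc = launch(names, [sys.executable, "-c", probe])
    return json.loads(proc.stdout)


def parent_leaked_keys():
    """Store keys present in this process's own environment (expected: none)."""
    return [k for k in STORE if k in os.environ]


if __name__ == "__main__":
    # A server launched for GitHub work sees GITHUB_TOKEN and nothing else from the store.
    print("child sees:", child_visible_keys(["GITHUB_TOKEN"]))
    print("parent holds:", parent_leaked_keys())
```

The child here is a Python one-liner only so the example can prove what it received; in practice argv would be the MCP server command. The same boundary does not protect against the server itself being asked, through a shell or file-read tool, to print its own environment, which is what the action boundary above is for.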

Pattern

Keep MCP useful, but do not make secrets ambient.

Save

Store API tokens with av save instead of writing them into MCP server config.

Launch

Start the server or helper with av inject so it receives only the named keys.

Contain

Use av contain when the agent can call tools that mutate real systems.

Before / after

Start MCP servers with scoped runtime credentials.

MCP does not remove the need for local secret hygiene. If the server config holds raw tokens, the agent can still read the file through a filesystem tool, or be handed it in a prompt during troubleshooting, and the value lands in the transcript. Keep server definitions stable, but move the secret value to a runtime boundary. Injection narrows who holds the value; it does not stop a server that exposes a generic shell or file-read tool from being asked to print its own environment, so pair it with an approval gate for such tools.

Before

A local MCP server config stores GITHUB_TOKEN or database credentials inline in the server's env block, so pasting the config into a chat to troubleshoot it, or letting a tool read the file, hands the value to the model.

After

The config names the server and command, while Automic Vault injects the credential only when the approved server or helper process starts.

Command example

Save the key with av save GITHUB_TOKEN, remove it from MCP JSON, then launch the server through av inject -- ./mcp-server.
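The before/after transformation and the command example above, worked through as an added example that is not Automic Vault's own tooling: an audit that finds credential-looking values stored inline in an MCP client config, and a rewrite that removes them and wraps each affected server's command in av inject --, as the page shows. The mcpServers layout (command, args, env per server, as used by Claude Desktop and similar clients), the config contents and the token string are constructed for the example; the page does not show how av inject selects which saved keys a server receives, so the rewrite only records which names need an av save rather than inventing a flag for it.

```python
import json
import re

# Constructed MCP client config in the common `mcpServers` shape.
# The token is a made-up placeholder, not a real credential.
BEFORE = json.loads("""
{
  "mcpServers": {
    "github": {
      "command": "./mcp-server",
      "args": ["--transport", "stdio"],
      "env": {"GITHUB_TOKEN": "ghp_constructedExampleToken000", "LOG_LEVEL": "info"}
    },
    "docs": {
      "command": "./docs-server",
      "args": [],
      "env": {"LOG_LEVEL": "debug"}
    }
  }
}
""")

# Env keys whose names suggest a credential. A name match is enough to flag:
# any literal value under one of these names is a value the model should not see.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL)", re.I)
# A reference resolved later (e.g. "${GITHUB_TOKEN}" or "$GITHUB_TOKEN") is not an inline secret.
REFERENCE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")


def find_inline_secrets(config):
    """Return [(server, env_key)] for every credential-looking literal stored in the file."""
    hits = []
    for name, server in config.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if SECRET_NAME.search(key) and isinstance(value, str) and value and not REFERENCE.match(value):
                hits.append((name, key))
    return hits


def to_injected(config, injector=("av", "inject", "--")):
    """Produce the 'after' config: flagged keys removed, command wrapped in the injector.

    Returns (new_config, {server: [env keys that must now be stored with `av save`]}).
    Servers with no inline secrets are left exactly as they were.
    """
    new = json.loads(json.dumps(config))  # deep copy so the caller's config is untouched
    to_save = {}
    for name, key in find_inline_secrets(config):
        del new["mcpServers"][name]["env"][key]
        to_save.setdefault(name, []).append(key)
    for name in to_save:
        server = new["mcpServers"][name]
        # `av inject -- ./mcp-server <original args>` as the page's command example shows.
        server["args"] = list(injector[1:]) + [server["command"]] + list(server.get("args", []))
        server["command"] = injector[0]
        if not server.get("env"):
            server.pop("env", None)  # drop an empty env block rather than leave a stub
    return new, to_save


if __name__ == "__main__":
    print("inline secrets:", find_inline_secrets(BEFORE))
    after, to_save = to_injected(BEFORE)
    print("save with av save:", to_save)
    print(json.dumps(after, indent=2))
```

Run the audit against the real client config file before and after the edit; the second run should return an empty list, and the keys in to_save are the ones to store with av save before restarting the client. The name-based heuristic will miss a credential hidden under an innocuous key name, so treat a clean result as necessary, not sufficient.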


FAQ

Common questions

What is MCP secrets management?

It is the practice of giving local MCP servers credential access without placing raw secrets in prompts, transcripts, or plaintext server config.

Where does Automic Vault sit in an MCP setup?

Automic Vault controls the local startup and tool-execution boundary, injecting approved secrets when the MCP server or CLI starts.

Does MCP make secrets safe by itself?

No. MCP standardizes how a client discovers and calls tools; it says nothing about where a server's credentials come from, so local credential files and environment variables still need runtime controls.