Automic Vault

Model Context Protocol security

MCP secrets management without handing secrets to the model

MCP makes tools easier for agents to use. Automic Vault keeps the credential boundary clear: the tool can get approved access, while the model never needs the raw value.

Last updated: May 15, 2026

MCP secrets management should give tools approved credential access without placing raw secrets in prompts or plaintext server config. Automic Vault injects secrets when the local MCP server or CLI starts, then keeps the value outside model context.

Image: Automic Vault MCP secret protection console

The MCP secret risk

Tool access should not mean prompt access.

MCP servers often need credentials for GitHub, cloud APIs, databases, and internal systems. Those values should not live in config files that an agent can inspect.

Server config: avoid plaintext setup files

Do not make JSON config, dotenv files, or shell profiles the secret store for agent tools.

Launch boundary: inject at server start

Start sensitive servers or helpers through approved injection so only that process receives the keys.

Action boundary: gate mutating commands

When a tool can change real systems, route the run through an approval path.

Capability thinking: track what got access

The useful question is which tool got which capability for which run.

Pattern

Keep MCP useful, but do not make secrets ambient.

Save: store API tokens with av save instead of writing them into MCP server config.

Launch: start the server or helper with av inject so it receives only the named keys.

Contain: use av contain when the agent can call tools that mutate real systems.
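The save-then-launch pattern above, as an added example that is not Automic Vault's code and does not call the av CLI: a check that flags literal secrets pasted into the env block of a typical mcpServers config, and a launcher that resolves only the named keys through a store accessor at start so the child process receives just those values. The mcpServers layout in SAMPLE_CONFIG is constructed, and lookup is a hypothetical callable standing in for whatever store an injector reads from.

```python
"""Added example, not Automic Vault's code: flag literal secrets in an MCP
server config and launch a server with only the named keys in its environment."""
import json
import os
import re
import subprocess

# Constructed sample in the common mcpServers layout, with one token pasted
# straight into the env block (the plaintext setup the page warns against).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {
            "command": "github-mcp",
            "env": {
                "GITHUB_TOKEN": "EXAMPLE-PLAINTEXT-VALUE",  # literal secret
                "LOG_LEVEL": "info",                        # harmless setting
                "DB_PASSWORD": "${DB_PASSWORD}",            # reference, not a value
            },
        }
    }
})

SECRET_KEY_HINT = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE", re.I)

def find_plaintext_secrets(config_text):
    """Return (server, env key) pairs whose key looks secret-bearing and whose
    value is a literal rather than an empty string or a ${NAME} reference."""
    findings = []
    for server, spec in json.loads(config_text).get("mcpServers", {}).items():
        for key, value in spec.get("env", {}).items():
            if SECRET_KEY_HINT.search(key) and value and not value.startswith("${"):
                findings.append((server, key))
    return findings

def inject_env(allowed_keys, lookup):
    """Child environment: a clean base plus only the named keys. `lookup` is a
    hypothetical store accessor called at launch, so the value is never written
    into config or a shell profile and no other process inherits it."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    for key in allowed_keys:
        env[key] = lookup(key)
    return env

def launch(command, allowed_keys, lookup):
    """Start the MCP server or helper with the injected environment and return
    its stdout, so a caller can confirm which keys the process actually saw."""
    result = subprocess.run(command, env=inject_env(allowed_keys, lookup),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()
```

Running find_plaintext_secrets over a real config before enabling a server is the check; launch with an explicit key list is the boundary, since the child sees neither the parent's HOME nor any key it was not granted.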

Related protections

Keep MCP useful without ambient secrets.