Model Context Protocol security
MCP makes tools easier for agents to use. Automic Vault keeps the credential boundary clear: the tool can get approved access, while the model never needs the raw value.
Last updated: June 4, 2026
MCP secrets management should give tools approved credential access without placing raw secrets in prompts or plaintext server config. Automic Vault injects secrets when the local MCP server or CLI starts, then keeps the value outside model context.
The MCP secret risk
MCP servers often need credentials for GitHub, cloud APIs, databases, and internal systems. Those values should not live in config files that an agent can inspect.
Do not make JSON config, dotenv files, or shell profiles the secret store for agent tools.
Start sensitive servers or helpers through approved injection so only that process receives the keys.
When a tool can change real systems, route the run through an approval path.
The useful question is which tool got which capability for which run.
Pattern
Store API tokens with av save instead of writing them into MCP server config.
Start the server or helper with av inject so it receives only the named keys.
Use av contain when the agent can call tools that mutate real systems.
Before / after
MCP does not remove the need for local secret hygiene. If server config contains raw tokens, the agent can still inspect or request files that reveal them. Keep server definitions stable, but move the secret value to a runtime boundary.
Before: a local MCP server config stores GITHUB_TOKEN or database credentials inline, so troubleshooting the config can expose the value to the model.
After: the config names the server and command, while Automic Vault injects the credential only when the approved server or helper process starts.
To migrate: save the key with av save GITHUB_TOKEN, remove it from the MCP JSON, then launch the server through av inject -- ./mcp-server.
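The following shell script is an added illustration of the pattern and the before/after above; it is not Automic Vault's own code. It builds a constructed "before" MCP server config with an inline token and a constructed "after" config in which the server command is wrapped in av inject, then runs a simple check that flags any config still carrying inline secret values. The "mcpServers" / "command" / "args" / "env" JSON layout, the wrapper form of the after config, and the token-shaped placeholder are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of Automic Vault. Assumes the common MCP JSON layout
# (mcpServers -> command/args/env) and the av CLI commands named on the page.

# Constructed "before" config: raw token inline in the server's env block.
# The token value is a placeholder, not a real credential.
MCP_BEFORE='{
  "mcpServers": {
    "github": {
      "command": "./mcp-server",
      "env": { "GITHUB_TOKEN": "ghp_EXAMPLEPLACEHOLDER0000000000000000" }
    }
  }
}'

# Constructed "after" config: the server is still named and started here, but
# the process is launched through av inject, so no secret value appears in the
# file. The migration itself is a one-time operator step (assumed form):
#   av save GITHUB_TOKEN          # store the value in the vault
#   (remove the GITHUB_TOKEN line from the MCP JSON)
#   av inject -- ./mcp-server     # start the server with only the named key
MCP_AFTER='{
  "mcpServers": {
    "github": {
      "command": "av",
      "args": ["inject", "--", "./mcp-server"]
    }
  }
}'

# check_mcp_config CONFIG_TEXT
# Returns 0 when the config carries no inline secret-looking value, 1 otherwise.
# Two heuristics: (1) a secret-named key ("...TOKEN", "...SECRET", "...PASSWORD",
# "...KEY") with a non-empty string value; (2) a GitHub-style token prefix
# (ghp_/gho_/ghu_/ghs_/ghr_) followed by 20+ alphanumerics anywhere in the text.
check_mcp_config() {
  cfg="$1"
  if printf '%s' "$cfg" | grep -Eq '"[A-Z_]*(TOKEN|SECRET|PASSWORD|KEY)"[[:space:]]*:[[:space:]]*"[^"]+"'; then
    return 1
  fi
  if printf '%s' "$cfg" | grep -Eq 'gh[pousr]_[A-Za-z0-9]{20,}'; then
    return 1
  fi
  return 0
}

# Report on both constructed configs when run directly.
if check_mcp_config "$MCP_BEFORE"; then
  echo "before: clean"
else
  echo "before: inline secret found, move it behind av inject"
fi
if check_mcp_config "$MCP_AFTER"; then
  echo "after: clean"
else
  echo "after: inline secret found"
fi
```

The check is intentionally a coarse text scan rather than a JSON parser: it is meant to run as a quick gate (for example before committing an MCP config) and to fail loudly when a raw value creeps back into the env block. Keys that merely name a secret with an empty value pass, which is the shape a config takes once the value lives in the vault.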
FAQ
MCP secrets management is the practice of giving local MCP servers credential access without placing raw secrets in prompts, transcripts, or plaintext server config.
Automic Vault controls the local startup and tool-execution boundary, injecting approved secrets when the MCP server or CLI starts.
MCP on its own does not solve this: it defines tool access patterns, but local credential files and environment variables still need runtime controls.