MCP.json pass secrets securely

Hello,
I would like to inquire if it’s possible to securely pass sensitive secrets in the cursor/mcp.json file. In my opinion, it is quite insecure to store a plain text secret directly in a configuration file. I’m wondering if there’s a way to retrieve secrets from a vault, for example:

{
    "mcpServers": {
      "github": {
        "command": "npx",
        "args": [
          "@acme/example",
          "-y"
        ],
        "env": {
          "SECRET": "$(vault kv get foo/whatever)"
        }
      }
    }
}

Would be a very good Feature Request, agreed!

Though I thought I saw it in the past as well in the forum.


One workaround is to use docker with the --env-file flag to pass the required envs through a file without any more gimmicks:

{
    "mcpServers": {
        "github": {
            "command": "docker",
            "args": [
                "run",
                "--rm",
                "-i",
                "--env-file",
                "~/.env.mcp",
                "ghcr.io/github/github-mcp-server:latest"
            ]
        }
    }
}

Doing it inline with plain text now is not secure enough, and is too risky.

This was discussed here before: MCP.json pass secrets securely
These users were in favour of it: @krzysztofkorozej @mfittko @emmanuelnk

I suspect other users would be if they knew the risk.

It’s surprising to me that a security audit is taking place on the new ‘background agents’ feature, but this security issue on the existing ‘MCP’ feature has not yet been resolved.

Agreed, the MCP field is advancing and this was a known limitation of MCPs.

Background Agent and MCP are two independent features, each of which needs more work done. One doesn't exclude another.

While I’m not aware of the security audit, logically it has nothing to do with MCPs as you have to be careful with any software you add to Background Agent.

Thanks.

Yes, I know it has nothing to do with background agent!

I was saying that it’s surprising that a new feature (background agent) is being security audited (or it was during beta I believe?), but a feature that has been out longer (MCP) seems to still have security issues.

@krzysztofkorozej

Here are my personal knowledge garden entries which mention workarounds that use the 1Password CLI op to wrap invocation of various MCPs:

GitHub/MCP/How To/Set up in Cursor with 1Password GH token

Anthropic/App/Claude Code/How To/Set Up Github MCP with 1Password GH token and mise
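
The wrapper approach these workarounds rely on, combined with the vault lookup asked for in the first post, as an added example that is not part of the thread or of any linked note. The script name, the `/path/to/` location, the Vault field name `value` and the 1Password `<vault>/<item>` names are assumptions; `foo/whatever`, `SECRET` and `@acme/example` are taken from the question.

```shell
#!/bin/sh
# mcp-secret-wrap.sh (hypothetical name): fetch a secret at launch and hand it
# to an MCP server through its environment, so mcp.json holds no secret.
#
# Assumed mcp.json entry (paths and the field name "value" are placeholders):
#   "command": "/path/to/mcp-secret-wrap.sh",
#   "args": ["SECRET", "value", "foo/whatever", "npx", "-y", "@acme/example"]

# Print the secret on stdout. Default: HashiCorp Vault KV lookup.
# 1Password alternative: op read "op://<vault>/<item>/$1"
fetch_secret() {
    vault kv get -field="$1" "$2"
}

# run_with_secret VAR FIELD PATH CMD [ARGS...]
run_with_secret() {
    if [ "$#" -lt 4 ]; then
        echo "usage: run_with_secret VAR FIELD PATH CMD [ARGS...]" >&2
        return 2
    fi
    var_name=$1 field=$2 path=$3
    shift 3
    # Only accept a plain identifier as the variable name.
    case $var_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name: $var_name" >&2
            return 2 ;;
    esac
    # Subshell: the exported value never reaches the caller's environment.
    (
        value=$(fetch_secret "$field" "$path") || {
            echo "secret lookup failed for $path" >&2
            exit 1
        }
        [ -n "$value" ] || { echo "empty secret for $path" >&2; exit 1; }
        export "$var_name=$value"
        exec "$@"   # the server inherits stdin/stdout for MCP stdio transport
    )
}

# Act as the wrapper only when called with arguments.
if [ "$#" -gt 0 ]; then
    run_with_secret "$@"
    exit $?
fi
```

This keeps the secret out of mcp.json and off the command line, but the value still lives in the server process's environment, so it remains readable to anything running as the same user.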