
What are secrets?

Secrets are encrypted key-value pairs stored on your MCPCore server. They let you use sensitive credentials in tool code without hardcoding them. Instead of writing:
// ❌ Never do this
const res = await sdk.http({
  headers: { Authorization: "Bearer ghp_myActualTokenHere" },
  // ...
});
You store the token as a secret and reference it as:
// ✅ Correct
const res = await sdk.http({
  headers: { Authorization: `Bearer ${env.GITHUB_TOKEN}` },
  // ...
});
Secrets are:
  • Encrypted at rest with AES-256
  • Never logged — MCPCore redacts env.* values from all log output
  • Per-server — secrets on one server are not accessible from another
  • Not version-controlled — they live in the dashboard, not in your code

Adding a secret

  1. Open the Secrets tab. On the server detail page, click the Secrets tab.
  2. Click Add secret.
  3. Enter the key and value:

| Field | Description |
|---|---|
| Key | The name you’ll reference in code as env.KEY. Use UPPER_SNAKE_CASE by convention. |
| Value | The secret value. Encrypted immediately on save. |

  4. Save. Click Save secret. The value is encrypted and stored. You can update or delete the secret later, but you cannot view the value after saving.

Referencing secrets in code

Access secrets through the env object using the key name you defined:
// Single API key
const apiKey = env.OPENAI_API_KEY;

// Database credentials
const db = await sdk.db({
  type: "pg",
  connection: {
    host:     env.DB_HOST,
    port:     env.DB_PORT,
    database: env.DB_NAME,
    user:     env.DB_USER,
    password: env.DB_PASSWORD,
  },
});

// OAuth token (injected after OAuth flow)
const res = await sdk.http({
  method:  "GET",
  url:     "https://api.github.com/user/repos",
  headers: { Authorization: `Bearer ${env.OAUTH_ACCESS_TOKEN}` },
});

Naming conventions

MCPCore has no enforced naming convention, but UPPER_SNAKE_CASE is standard and makes secrets easy to distinguish from regular variables:

| Example key | What it stores |
|---|---|
| GITHUB_TOKEN | GitHub personal access token or app token |
| OPENAI_API_KEY | OpenAI API key |
| DB_PASSWORD | Database password |
| STRIPE_SECRET_KEY | Stripe secret key |
| SLACK_BOT_TOKEN | Slack bot token |
| SENDGRID_API_KEY | SendGrid API key |
| WEBHOOK_SECRET | HMAC signing secret for webhook verification |

Updating a secret

To rotate a credential:
  1. Open the Secrets tab
  2. Click the edit icon next to the secret
  3. Enter the new value
  4. Click Save
The new value takes effect immediately — no redeploy needed. Running tool invocations will use the new value on their next execution.

Deleting a secret

Click the delete icon next to the secret and confirm. Any tool code that references the deleted key will receive undefined for env.DELETED_KEY. Update the tool code to remove the reference, or add a new secret with the same key name.
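
A fail-closed guard for the deleted-key case above, so a tool stops before sending "Bearer undefined". This is an added example, not MCPCore's own code: requireSecrets, bearerHeader, MissingSecretError and the sample env values are hypothetical, and it assumes secret values reach tool code as strings.

```javascript
// Added example, not part of the MCPCore SDK. `env` is passed in explicitly
// so the helpers can run outside the platform; inside a tool you would pass
// the env object described on this page.

class MissingSecretError extends Error {
  constructor(keys) {
    // Report key names only; secret values never appear in the message.
    super(`Missing secrets: ${keys.join(", ")}`);
    this.name = "MissingSecretError";
    this.missingKeys = keys;
  }
}

// Returns an object holding the requested secrets, or throws if any key is
// undefined (deleted), not a string (assumption: values are strings), or
// blank after trimming.
function requireSecrets(env, keys) {
  const missing = keys.filter((k) => {
    const v = env[k];
    return typeof v !== "string" || v.trim() === "";
  });
  if (missing.length > 0) throw new MissingSecretError(missing);
  return Object.fromEntries(keys.map((k) => [k, env[k]]));
}

// Builds the header only after the token is known to exist, so a deleted
// secret can never produce "Bearer undefined" in an outgoing request.
function bearerHeader(env, key) {
  const { [key]: token } = requireSecrets(env, [key]);
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample env: GITHUB_TOKEN present, DB_PASSWORD deleted.
const sampleEnv = {
  GITHUB_TOKEN: "constructed-token-value",
  DB_HOST: "db.internal.example",
};
```

Calling requireSecrets once at the top of a tool, with every key the tool uses, surfaces all missing keys in a single error instead of failing on the first request.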

Secret visibility

| Who can see secrets | Access level |
|---|---|
| Tool code | env.KEY_NAME (value only, not key list) |
| Dashboard — Secrets tab | Key names only; values are masked |
| Logs (Traffic, Error) | Never — values are redacted automatically |
| MCPCore support | Never — we cannot decrypt your secrets |