Secure credential management for MCP servers leveraging system-native keychain storage across macOS, Windows, and Linux platforms
secrets_manager.py is a Python utility that enables MCP servers to securely store and retrieve sensitive information using the system's native keychain/credential manager instead of relying on .env files. This approach significantly improves security by leveraging the operating system's built-in secure storage mechanisms.

The script uses the keyring library to store secrets in the system's native credential manager:
get_secret(service_name, secret_key): Retrieves a secret from the system keyring
set_secret(service_name, secret_key, secret_value): Stores a secret in the system keyring
setup_secrets(): Interactive function to collect and store initial secrets
test_get_secret(): Tests the retrieval of stored secrets
get_keyring_name(): Returns the name of the current keyring backend based on the platform

The script can be run directly with the following options:

--store: Initiates the interactive secret storage process
--test: Tests retrieving stored secrets
--info: Displays information about the current keyring backend

Instead of storing API keys in .env files:

# Old approach with .env files
import os
API_KEY = os.getenv("API_KEY")  # Insecure, stored in plaintext

# New approach with secrets_manager
from secrets_manager import get_secret
API_KEY = get_secret("MyMCPServer", "api_key")  # Secure, stored in system keychain

.env files or worry about them being accidentally committed to version control

The script includes a commented example of how to access the stored secret directly from the macOS terminal:

security find-generic-password -l "MyMCPServer" -a "api_key" -g
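
One way to move existing .env entries into the keyring and confirm each one reads back, as an added example that is not code from secrets_manager.py. The names parse_env, backend_is_safe and migrate_env are hypothetical, the lower-cased key mapping (API_KEY to api_key) is an assumption, and the backend check is a module-name heuristic; only keyring.get_keyring() and the backend's set_password/get_password methods are used.

```python
# Added example: move .env entries into the system keyring and verify them.
# Backends that do not protect secrets at rest: keyring's "fail" and "null"
# placeholders, and the file-based stores from the keyrings.alt package.
UNSAFE_BACKEND_MODULES = ("keyring.backends.fail", "keyring.backends.null", "keyrings.alt")

# Constructed sample input, not a real credential.
SAMPLE_ENV = '# MCP server settings\nexport API_KEY="sk-example-123"\n\nDB_PASSWORD=p@ss=word\n'


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks/comments, drop 'export ' and quotes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs[key] = value
    return pairs


def backend_is_safe(backend):
    """Heuristic: reject backends whose class lives in a non-protecting module."""
    return not type(backend).__module__.startswith(UNSAFE_BACKEND_MODULES)


def migrate_env(text, service_name, backend=None):
    """Store each entry under a lower-cased key, read it back, return the keys."""
    if backend is None:
        import keyring  # imported lazily; only needed for the real system store
        backend = keyring.get_keyring()
    if not backend_is_safe(backend):
        raise RuntimeError(f"refusing to store secrets in {type(backend).__module__}")
    migrated = []
    for key, value in parse_env(text).items():
        secret_key = key.lower()  # API_KEY -> api_key, as in the usage above
        backend.set_password(service_name, secret_key, value)
        if backend.get_password(service_name, secret_key) != value:
            raise RuntimeError(f"round-trip check failed for {secret_key}")
        migrated.append(secret_key)
    return migrated
```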