Secret Launcher
A lightweight Rust CLI that retrieves secrets from the OS keyring and launches MCP servers with those secrets injected as environment variables. No more plaintext API tokens in mcp.json.
mcp-secret-launcher
Stop leaking API tokens! Secure your MCP servers by fetching secrets from your OS keyring instead of storing them in plaintext mcp.json.
Why Use This?
MCP server configurations typically require sensitive tokens in plaintext env blocks. This makes them visible to anyone with file access and easy to accidentally commit. mcp-secret-launcher solves this by:
- Keyring Integration: Uses GNOME Keyring (Linux), Keychain (macOS), or Credential Manager (Windows).
- AWS SSO Support: Automatically handles AWS SSO login and injects temporary credentials.
- Zero overhead: Replaces itself with the target process via execvp on Unix.
- Seamless Integration: Works with any MCP client (Kiro, VS Code, etc.) with a simple one-line change.
Quick Start
1. Install
cargo build --release
cp target/release/mcp-secret-launcher ~/.local/bin/
2. Store a Secret
mcp-secret-launcher set --profile my-server --key API_KEY
# Enter secret value: [secure input]
3. Update mcp.json
Update your server configuration to use the launcher:
{
"mcpServers": {
"my-server": {
- "command": "uvx",
- "args": ["my-server-command"],
- "env": { "API_KEY": "YOUR_SECRET_IN_PLAINTEXT" }
+ "command": "mcp-secret-launcher",
+ "args": ["run", "--profile", "my-server", "--", "uvx", "my-server-command"],
+ "env": { "NON_SECRET_VAR": "public-value" }
}
}
}
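Review bot: the added `env` line still passes its values in plaintext, so it should only ever hold non-secret settings such as `NON_SECRET_VAR`. Any token that previously sat where `YOUR_SECRET_IN_PLAINTEXT` is shown should be stored with the `set` command under the same profile name used in `args` (`my-server`) and under the variable name the server reads (`API_KEY`), and rotated if this file was ever committed or shared.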
Key Features
Platform Native Security
No new databases or config files. We use what's already on your machine:
- Linux: Secret Service API (via DBus)
- macOS: Apple Keychain
- Windows: Windows Credential Manager
AWS SSO Magic
Launching an AWS-based MCP server? Tired of manual aws sso login?
mcp-secret-launcher aws-auth \
  --sso-url https://my-sso.awsapps.com/start \
  --region us-east-1 \
  --account-id 123456789012 \
  --role-name DeveloperRole \
  -- uvx mcp-server-aws
The launcher will handle the browser-based auth flow and inject AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc., directly into the server's memory.
Defense in Depth
For maximum security, combine mcp-secret-launcher with mcp-guard:
- mcp-secret-launcher (Layer 3/4): Protects your credentials by keeping them in the OS keyring.
- mcp-guard (Layer 7): Protects your resources by intercepting tool calls and enforcing Human-In-The-Loop (HITL) approval.
Complete Security Stack:
"my-server": {
  "command": "mcp-guard",
  "args": [
    "--policy", "guard-policy.toml",
    "--",
    "mcp-secret-launcher", "run", "--profile", "my-server",
    "--",
    "uvx", "my-server-command"
  ]
}
In this setup, mcp-guard acts as the primary proxy, and mcp-secret-launcher initializes the environment before the server starts.
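How a launcher of this kind can split its arguments at `--`, add a profile's secrets to the child's environment and then replace itself with the server, shown as an added example that is not the project's own code. The in-memory `Store` stands in for the OS keyring, the names `demo_store`, `parse_run` and `build_command` are hypothetical, and the sample secret is constructed; `CommandExt::exec` is Rust's standard Unix-only wrapper around exec.

```rust
use std::collections::HashMap;
use std::os::unix::process::CommandExt; // Unix-only: provides Command::exec
use std::process::Command;

/// Hypothetical stand-in for the OS keyring: profile -> (variable name -> secret).
type Store = HashMap<String, HashMap<String, String>>;

/// Constructed sample data; a real launcher would query the keyring instead.
fn demo_store() -> Store {
    let secrets = HashMap::from([("API_KEY".to_string(), "constructed-demo-value".to_string())]);
    HashMap::from([("my-server".to_string(), secrets)])
}

/// Parse `run --profile <name> -- <cmd> [args...]`. Only the FIRST `--` is the
/// separator, so a later `--` stays in the child's own argument list.
fn parse_run(argv: &[&str]) -> Result<(String, Vec<String>), String> {
    let sep = argv.iter().position(|a| *a == "--").ok_or("missing `--` separator")?;
    let profile = match &argv[..sep] {
        ["run", "--profile", name] => name.to_string(),
        _ => return Err("expected: run --profile <name> -- <cmd> [args...]".into()),
    };
    let child: Vec<String> = argv[sep + 1..].iter().map(|s| s.to_string()).collect();
    if child.is_empty() {
        return Err("no command after `--`".into());
    }
    Ok((profile, child))
}

/// Build the child command. Command inherits the parent's environment, so
/// non-secret variables from mcp.json's `env` block pass through unchanged.
fn build_command(store: &Store, argv: &[&str]) -> Result<Command, String> {
    let (profile, child) = parse_run(argv)?;
    let secrets = store.get(&profile).ok_or(format!("unknown profile: {profile}"))?;
    let mut cmd = Command::new(&child[0]);
    cmd.args(&child[1..]).envs(secrets);
    Ok(cmd)
}

fn main() {
    let argv = ["run", "--profile", "my-server", "--", "sh", "-c", "echo API_KEY=${API_KEY:+present}"];
    match build_command(&demo_store(), &argv) {
        // exec() replaces this process image and returns only if it failed.
        Ok(mut cmd) => eprintln!("exec failed: {}", cmd.exec()),
        Err(e) => eprintln!("error: {e}"),
    }
    std::process::exit(1);
}
```

The demo child prints only whether `API_KEY` is set, never its value, which is also a sensible habit when debugging a real server's environment.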
Learn More
| Guide | Description |
|---|---|
| Usage Guide | Detailed CLI commands and mcp.json examples. |
| Architecture | How the secret injection and process replacement works. |
| Development | Setup instructions for contributors. |
License
Distributed under the MIT License. See LICENSE for more information.
