MCP Credentials
How MCP server passwords, tokens, and placeholders are linked safely.
MCP servers often need passwords, API tokens, personal access tokens, database URLs, or bearer headers. Facio's credential model keeps those values out of mcp.json and out of agent-visible text whenever possible.
Placeholder flow
- A password field or credential API call stores a secret under a key such as GITHUB_TOKEN.
- The agent and config use ${credentials.GITHUB_TOKEN} as a placeholder.
- Facio resolves placeholders only when connecting the MCP server or writing a file that intentionally needs the secret.
- The raw value is redacted from logs and not returned by the API.
Example:
```json
{
  "servers": {
    "postgres": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@some/postgres-mcp"],
      "env": {
        "DATABASE_URL": "${credentials.POSTGRES_URL}"
      }
    }
  }
}
```

Where placeholders work
| MCP field | Supported |
|---|---|
| env | Yes. Use for stdio environment variables. |
| headers | Yes. Use for bearer tokens or API keys for HTTP/SSE servers. |
| command and args | Avoid secrets here. Prefer env or headers. |
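The placeholder flow above, as an added illustration that is not Facio's own code: a small resolver that substitutes ${credentials.KEY} only inside env and headers, refuses placeholders in command and args, masks raw values before logging, and produces the key/masked-value/exposure shape the credentials listing describes. The store layout, regex, and masking format are assumptions.

```python
import re

# Constructed example, not Facio's own code. Keys are assumed to be env-style identifiers.
PLACEHOLDER = re.compile(r"\$\{credentials\.([A-Za-z0-9_]+)\}")
RESOLVABLE_FIELDS = ("env", "headers")  # command/args are never resolved

def resolve_server(server: dict, store: dict) -> dict:
    """Return a copy of one server entry with ${credentials.KEY} placeholders in
    env/headers replaced from `store`. A placeholder in command or args raises,
    because those values land on the process command line and in process listings."""
    def substitute(text: str) -> str:
        def lookup(match):
            key = match.group(1)
            if key not in store:
                raise KeyError(f"unknown credential {key}")
            return store[key]
        return PLACEHOLDER.sub(lookup, text)

    if PLACEHOLDER.search(server.get("command", "")):
        raise ValueError("credential placeholder in command")
    if any(PLACEHOLDER.search(a) for a in server.get("args", [])):
        raise ValueError("credential placeholder in args")
    resolved = dict(server)
    for field in RESOLVABLE_FIELDS:
        if field in server:
            resolved[field] = {k: substitute(v) for k, v in server[field].items()}
    return resolved

def redact(text: str, store: dict) -> str:
    """Mask any raw secret value that appears in text before it is logged."""
    for key, value in store.items():
        if value:
            text = text.replace(value, f"<redacted:{key}>")
    return text

def masked_listing(store: dict, exposed: set) -> list:
    """Shape of a GET /api/v1/credentials response: keys, masked values, shell-exposure flags."""
    return [{"key": k, "value": "****", "exposed": k in exposed} for k in sorted(store)]

# Constructed sample input: a secret store and the postgres entry from the page.
STORE = {"POSTGRES_URL": "postgres://app:s3cret@db/app", "GITHUB_TOKEN": "ghp_example"}
SERVER = {"type": "stdio", "command": "npx", "args": ["-y", "@some/postgres-mcp"],
          "env": {"DATABASE_URL": "${credentials.POSTGRES_URL}"}}

if __name__ == "__main__":
    launched = resolve_server(SERVER, STORE)
    print(redact(f"starting {launched['command']} with env {launched['env']}", STORE))
    print(masked_listing(STORE, {"GITHUB_TOKEN"}))
```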
Password fields from the agent
When the agent needs a user secret, it can request a form with a password field. Facio stores the submitted value in the credential store and the agent receives only the placeholder, such as ${credentials.GITHUB_TOKEN}. This is why an agent can create an MCP server without ever seeing the raw token.
Provider-like password fields can also be routed into provider configuration when the key matches a known provider credential.
Shell exposure is separate
Credential placeholders for MCP do not automatically expose the same values to shell commands. Shell env injection is controlled by tools.exec.exposedCredentials and runtime commands such as:

```
/credentials expose GITHUB_TOKEN
/credentials unexpose GITHUB_TOKEN
```

Keep shell exposure empty unless a CLI genuinely needs the secret. MCP server envs and shell command envs are separate boundaries.
API reference
| Endpoint | Purpose |
|---|---|
| GET /api/v1/credentials | List stored keys, masked values, and exposure flags. |
| POST /api/v1/credentials | Create a credential. |
| PUT /api/v1/credentials/{key} | Upsert a credential. |
| PUT /api/v1/credentials/{key}/exposed | Toggle shell exposure. |
| DELETE /api/v1/credentials/{key} | Remove a credential and clear exposure. |
Credential values are never returned in clear text.