Most useful MCP servers need credentials — a database password, a GitHub token, an OAuth refresh token. How those get into the server matters: get it wrong and you've put a long-lived secret somewhere it shouldn't be.
Environment variables
The default pattern: pass secrets through the env block of the server's config entry. The client sets them on the child process's environment and the server reads them once at startup. Two caveats. First, the values still sit in plaintext in the config file on disk, so keep that file out of version control and restrict its permissions. Second, environment variables are not private to the server: any process the server spawns inherits them, and anything running as the same user can read them out of the process (on Linux, `/proc/<pid>/environ`), so keep them out of logs, error reports and unnecessary child processes.
OAuth flows
Newer servers can perform OAuth on first run: they open a browser, accept the redirect on a loopback port, exchange the authorization code for tokens, and store the resulting refresh token in the OS keychain rather than in a file. This is the right model for any service where a human grants access (Google, Slack, Notion). Do it the way RFC 8252 prescribes for native apps: bind the listener to 127.0.0.1 rather than all interfaces, use PKCE so an intercepted authorization code is useless without the verifier, and check the `state` value on the callback so a forged redirect cannot complete the flow. The refresh token in the keychain is still a long-lived credential, so request only the scopes the server needs.
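The client side of that first-run flow, as an added example (not code from the page or from any MCP SDK): PKCE verifier and challenge, a random `state`, a loopback redirect URI, and strict validation of the callback before the code is exchanged. The provider URL, client id and scope are placeholders, and the callback check is exercised with a constructed redirect instead of a real browser round trip.

```python
"""Added example: OAuth authorization-code flow for a locally run MCP server,
following the native-app recommendations of RFC 8252 (loopback redirect) and
RFC 7636 (PKCE). Provider URL, client id and scope are assumptions."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/authorize"  # assumption: placeholder provider
CLIENT_ID = "mcp-local-client"                       # assumption: placeholder client id
REDIRECT_URI = "http://127.0.0.1:8765/callback"      # loopback address, not "localhost"
SCOPE = "read"                                       # assumption: minimal scope for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class PendingAuth:
    """Held in memory only for the duration of one authorization attempt."""
    state: str
    code_verifier: str


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def start_authorization() -> tuple[str, PendingAuth]:
    """Build the URL to open in the browser and the secrets we must keep."""
    pending = PendingAuth(state=secrets.token_urlsafe(32),
                          code_verifier=secrets.token_urlsafe(64))  # 86 chars, within 43..128
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": pending.state,
        "code_challenge": pkce_challenge(pending.code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: PendingAuth) -> str:
    """Validate a redirect the loopback listener received and return the code.
    Any mismatch raises ValueError, so a forged or replayed callback cannot
    complete the flow."""
    parsed = urlparse(callback_url)
    if parsed.path != urlparse(REDIRECT_URI).path:
        raise ValueError("unexpected callback path")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, pending.state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code: str, pending: PendingAuth) -> dict:
    """Body for the token endpoint; the verifier proves this client started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending.code_verifier,
    }


def wait_for_callback(pending: PendingAuth) -> str:
    """One-shot listener bound to 127.0.0.1 only; serves exactly one request."""
    port = urlparse(REDIRECT_URI).port
    result: dict = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = handle_callback(f"http://127.0.0.1:{port}{self.path}", pending)
                status, text = 200, "Authorization complete; you can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                status, text = 400, "Authorization failed."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(text.encode())

        def log_message(self, *args):  # keep codes and states out of stdout
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    if "code" not in result:
        raise ValueError(result.get("error", "no callback received"))
    return result["code"]
```

The exchange of `token_request_body(...)` for tokens and the keychain write are left to the HTTP and keyring libraries you already use; the point of the block is that the verifier and state never leave process memory and the listener accepts nothing that does not carry the expected state.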
Per-session tokens
For shared HTTP servers, prefer short-lived per-session tokens over long-lived API keys. At the start of a session the client obtains a token from an issuer the server trusts (the server's own auth endpoint or your identity provider), bound to the user, to this server as its audience, and to an expiry measured in minutes rather than months; the client presents it on each request and discards it on exit. The server verifies signature, audience and expiry on every request rather than once at connect time, so a leaked token buys an attacker one user's access for one session instead of a standing key that works for everyone.
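One minimal way to mint and verify such tokens, as an added example (not the page's or any MCP SDK's code): the issuer HMAC-signs a small claim set with a key the server also holds, and the server rejects anything with a bad MAC, the wrong audience, or a past expiry. The key, audience name and lifetime are assumptions; a real deployment would more likely use JWTs from an identity provider, but the checks are the same.

```python
"""Added example: short-lived, per-session bearer tokens for a shared HTTP MCP
server. A hand-rolled HMAC format is used so every check is visible; ISSUER_KEY,
AUDIENCE and SESSION_TTL are assumptions for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

ISSUER_KEY = secrets.token_bytes(32)   # assumption: shared by issuer and server, rotated regularly
AUDIENCE = "mcp-github-proxy"          # assumption: placeholder name of this server
SESSION_TTL = 900                      # 15 minutes, far shorter than a standing API key


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session_token(user: str, now: Optional[float] = None) -> str:
    """Issuer side: bind the token to a user, a session id, this server and an expiry."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "aud": AUDIENCE,
        "sid": secrets.token_hex(8),   # lets the server log and revoke one session
        "iat": int(now),
        "exp": int(now) + SESSION_TTL,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(mac)}"


def verify_session_token(token: str, now: Optional[float] = None) -> dict:
    """Server side, run on every request: return the claims if the token is
    genuine, meant for this server and unexpired; raise PermissionError otherwise.
    The MAC is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64u(payload_b64), _unb64u(mac_b64)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("token was issued for a different server")
    if now >= claims.get("exp", 0):
        raise PermissionError("session token expired")
    return claims


if __name__ == "__main__":
    token = mint_session_token("alice")
    print(verify_session_token(token)["sub"])
```

Because the server holds the verification key, it never needs to call back to the issuer, and because `exp` is enforced on every request a token that leaks from a client's memory or a proxy log stops working within `SESSION_TTL` without anyone rotating a shared key.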
Things to avoid
- Committing config files with credentials. Commit a template with placeholders instead, and resolve the placeholders from the environment or a secret manager at launch.
- Long-lived tokens with broader scope than the server actually needs. Request the minimum scopes and an expiry; a tool that only reads should not hold a token that can write.
- Sharing a single API key across users in a team setup. Every user's actions then look identical in the upstream audit log, and revoking one person means rotating the key for everyone.
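Tying the environment-variable section and the "use a template" item together, here is an added example (not code from the page or from any MCP client) of a launcher that renders a committed template into the env block for a stdio server. The template, server name, command and secret-key heuristics are constructed for the example; the secrets come from the parent environment or whatever feeds it, and the child gets only PATH plus the declared keys rather than the whole parent environment.

```python
"""Added example: render a committed MCP config template (placeholders only)
into a minimal environment for the server process, and a pre-commit check that
catches a pasted secret before it reaches git. Template contents, server name
and the secret-key name heuristic are assumptions for the example."""
import json
import os
import re
import subprocess
from typing import Mapping, Optional

# Constructed template, as it would be committed (e.g. mcp.template.json).
TEMPLATE = json.dumps({
    "mcpServers": {
        "github": {
            "command": "mcp-server-github",   # assumption: placeholder command
            "args": [],
            "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}", "LOG_LEVEL": "info"},
        }
    }
})

PLACEHOLDER = re.compile(r"^\$\{([A-Z_][A-Z0-9_]*)\}$")
SECRET_KEY_HINT = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE", re.I)


def load_server_config(template_json: str, name: str) -> dict:
    return json.loads(template_json)["mcpServers"][name]


def render_env(template_env: Mapping[str, str], source: Mapping[str, str]) -> dict:
    """Resolve ${NAME} values from `source`. A missing secret is an error;
    the literal placeholder is never passed through to the server."""
    resolved = {}
    for key, value in template_env.items():
        match = PLACEHOLDER.match(value)
        if match is None:
            resolved[key] = value            # plain literal such as LOG_LEVEL
            continue
        name = match.group(1)
        if name not in source:
            raise KeyError(f"{key}: ${{{name}}} is not set in the secret source")
        resolved[key] = source[name]
    return resolved


def child_environment(template_env: Mapping[str, str], source: Mapping[str, str],
                      base: Optional[Mapping[str, str]] = None) -> dict:
    """Minimal environment for the server: PATH plus the declared keys.
    Unrelated secrets in the parent (cloud credentials, other tokens) do not leak."""
    base = os.environ if base is None else base
    env = {"PATH": base.get("PATH", "/usr/bin:/bin")}
    env.update(render_env(template_env, source))
    return env


def launch(server: dict, source: Optional[Mapping[str, str]] = None) -> subprocess.Popen:
    """Spawn the stdio server with only the declared environment."""
    source = os.environ if source is None else source
    return subprocess.Popen(
        [server["command"], *server["args"]],
        env=child_environment(server["env"], source),
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
    )


def contains_literal_secret(template_json: str) -> list:
    """Pre-commit check: a secret-looking key whose value is not a ${PLACEHOLDER}
    is reported as 'server.KEY'. Empty list means the template is safe to commit."""
    findings = []
    for server_name, cfg in json.loads(template_json)["mcpServers"].items():
        for key, value in cfg.get("env", {}).items():
            if SECRET_KEY_HINT.search(key) and PLACEHOLDER.match(str(value)) is None:
                findings.append(f"{server_name}.{key}")
    return findings


if __name__ == "__main__":
    problems = contains_literal_secret(TEMPLATE)
    print("template ok" if not problems else f"literal secrets in: {problems}")
```

Run `contains_literal_secret` over the template in a pre-commit hook, and have the client build the server's environment with `child_environment` instead of copying `os.environ`, so the server sees its own token and nothing else that happened to be set in the shell that started it.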