MCP Credential Management for AI Agents
Central credential store with MCP interface. Agents request scoped, rotated credentials. No more scattered .env files across agent configs.
MCP credential management solves the scattered API key problem by providing a central credential store that agents access through a standard MCP interface. Instead of each agent config maintaining its own .env file with duplicated keys, a single credential server issues scoped, rotated tokens on demand. This is the OpenPass-style pattern adapted for the multi-agent era.
The problem: keys everywhere
A typical multi-agent setup in 2026 has 5-15 agents, each needing access to different APIs. The naive approach puts keys in each agent config. This creates: duplicate credentials across configs, no rotation (keys live forever), no audit trail (who used what when), and blast radius issues (one compromised agent exposes all its keys). With a central store, rotating a Scavio API key means updating it in one place, not twelve.
Architecture: credential MCP server
The pattern has three layers. Layer 1: a local credential store (encrypted SQLite or OS keychain). Layer 2: an MCP server exposing get_credential and rotate_credential tools. Layer 3: agents that request credentials by name and scope, never storing them locally.
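# credential_mcp_server.py - simplified MCP credential provider
import json
import os
import time

from cryptography.fernet import Fernet

STORE_PATH = os.path.expanduser("~/.agent-creds/store.enc")
# Honour MASTER_KEY_PATH from the MCP config; expanduser resolves the "~"
KEY_PATH = os.path.expanduser(
    os.environ.get("MASTER_KEY_PATH", "~/.agent-creds/master.key"))
# Audit log location is an assumption; the page does not name one
AUDIT_PATH = os.path.expanduser("~/.agent-creds/audit.log")

def load_store() -> dict:
    """Decrypt the credential store with the master key."""
    with open(KEY_PATH, "rb") as fh:
        f = Fernet(fh.read())
    with open(STORE_PATH, "rb") as fh:
        return json.loads(f.decrypt(fh.read()))

def log_access(agent_id: str, name: str, scope: str) -> None:
    """Append one audit record: timestamp, agent ID, credential name, scope."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime())
    record = {"ts": ts, "agent_id": agent_id, "name": name, "scope": scope}
    with open(AUDIT_PATH, "a") as fh:
        fh.write(json.dumps(record) + "\n")

def get_credential(name: str, scope: str, agent_id: str) -> dict:
    store = load_store()
    cred = store.get(name)
    if not cred:
        return {"error": f"credential {name} not found"}
    # Enforce the per-credential agent allow-list as well as the scope list
    if agent_id not in cred.get("allowed_agents", []):
        return {"error": f"agent {agent_id} not permitted for {name}"}
    if scope not in cred.get("allowed_scopes", []):
        return {"error": f"scope {scope} not permitted for {name}"}
    # Log access for audit
    log_access(agent_id, name, scope)
    return {"value": cred["value"], "expires_in": cred.get("ttl", 3600)}

Scoping and rotation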
Each credential in the store has allowed_scopes and allowed_agents. A research agent can request read-only search credentials but not write-access publishing keys. Rotation happens at the store level: update once, all agents get the new value on next request. No redeployment needed.
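# Agent-side usage - requests credential through MCP
import os

import requests

def mcp_call(server: str, tool: str, arguments: dict) -> dict:
    # Placeholder: mcp_call is not defined on this page. Wire it to the
    # MCP client your agent runtime provides.
    raise NotImplementedError

def search_with_managed_creds(query: str) -> dict:
    # Agent calls credential MCP to get current key
    cred_resp = mcp_call("credential_server", "get_credential", {
        "name": "scavio_api_key",
        "scope": "search_read",
        "agent_id": os.environ.get("AGENT_ID", "unknown"),
    })
    # The server returns {"error": ...} for an unknown or denied request
    if "error" in cred_resp:
        raise PermissionError(cred_resp["error"])
    api_key = cred_resp["value"]
    # Use the credential for the actual API call
    resp = requests.post("https://api.scavio.dev/api/v1/search",
                         headers={"x-api-key": api_key},
                         json={"platform": "google", "query": query},
                         timeout=10)
    resp.raise_for_status()
    return resp.json()

MCP config for the credential server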
.mcp.json (adds the credential server to the agent config):
{
  "mcpServers": {
    "credentials": {
      "command": "python",
      "args": ["credential_mcp_server.py"],
      "env": {
        "MASTER_KEY_PATH": "~/.agent-creds/master.key"
      }
    },
    "search": {
      "command": "npx",
      "args": ["scavio-mcp-server"],
      "env": {}
    }
  }
}

Audit and monitoring
Every credential request is logged: timestamp, agent ID, credential name, scope requested. This gives you a full picture of which agents are using which services and how often. Anomaly detection is straightforward: if your research agent suddenly requests publishing credentials at 3am, something is wrong. The credential MCP can deny the request and alert you.
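The 3am scenario above, written as detection logic over the audit log. This is an added example, not code from the original page. The JSON-lines record layout, the publisher agent, the cms_publish_key and publish_write names, and the 07:00-20:00 UTC working window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit records, one JSON object per line. Field names and the
# "publisher" / "cms_publish_key" / "publish_write" values are assumptions.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:05:00+00:00", "agent_id": "research", "name": "scavio_api_key", "scope": "search_read"}
{"ts": "2026-03-02T11:40:00+00:00", "agent_id": "research", "name": "scavio_api_key", "scope": "search_read"}
{"ts": "2026-03-02T14:20:00+00:00", "agent_id": "publisher", "name": "cms_publish_key", "scope": "publish_write"}
{"ts": "2026-03-02T16:02:00+00:00", "agent_id": "research", "name": "scavio_api_key", "scope": "search_read"}
{"ts": "2026-03-03T03:11:00+00:00", "agent_id": "research", "name": "cms_publish_key", "scope": "publish_write"}
{"ts": "2026-03-03T21:30:00+00:00", "agent_id": "publisher", "name": "cms_publish_key", "scope": "publish_write"}
"""


def detect_anomalies(log_text, baseline_size=3, work_hours=range(7, 20)):
    """Return one alert per suspicious request, with the reasons it was flagged.

    new_credential_for_agent: the agent already has baseline_size requests on
        record and has never asked for this (credential, scope) pair.
    off_hours: the request's UTC hour falls outside work_hours.
    """
    seen = defaultdict(set)    # agent_id -> {(name, scope)} requested so far
    count = defaultdict(int)   # agent_id -> number of requests so far
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        agent, pair = rec["agent_id"], (rec["name"], rec["scope"])
        hour = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc).hour
        reasons = []
        if count[agent] >= baseline_size and pair not in seen[agent]:
            reasons.append("new_credential_for_agent")
        if hour not in work_hours:
            reasons.append("off_hours")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
        seen[agent].add(pair)
        count[agent] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert["ts"], alert["agent_id"], alert["name"], alert["reasons"])
```

A flagged pair joins the agent's baseline after its first alert, so this check complements the server-side deny and does not replace it.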
When to implement this
If you have one agent with two API keys, this is overkill. If you have three or more agents sharing credentials, or if you need to rotate keys without restarting agents, or if you need an audit trail for compliance, the credential MCP pattern pays for itself immediately. The initial setup is about 200 lines of Python. The ongoing benefit is zero-downtime key rotation and clear security boundaries between agents.