The Problem
MCP (Model Context Protocol) servers need API keys to call external services, but securely managing these secrets in MCP deployments is an unsolved problem for most teams. Common mistakes include hardcoding keys in MCP server code, passing them as plain-text environment variables in Docker, or storing them in version-controlled config files. These practices create security vulnerabilities that compliance teams flag during reviews, blocking MCP deployments from reaching production.
The Scavio Solution
Implement a secure MCP secret management pattern using environment variables injected at runtime from a secret manager (AWS Secrets Manager, HashiCorp Vault, or even a local .env file excluded from git). The MCP server reads API keys from environment variables, never from code or config files. For Scavio's MCP server at mcp.scavio.dev/mcp, the API key is passed as a header, keeping it out of the MCP server's codebase entirely.
Before
A team had API keys hardcoded in 4 MCP server configs checked into GitHub. A security audit flagged all 4. Rotating the compromised keys took 2 days and broke 3 downstream integrations. The MCP deployment was blocked from production for 3 weeks during remediation.
After
All MCP secrets are stored in AWS Secrets Manager and injected as environment variables at container startup. Key rotation is automated with zero downtime. The security audit passed on first review. MCP servers reached production in 1 week.
Who It Is For
DevOps engineers and security teams deploying MCP servers to production. Anyone who has failed a security audit due to hardcoded API keys in agent infrastructure.
Key Benefits
- Zero hardcoded secrets in MCP server code or config files
- Automated key rotation with no MCP server restarts needed
- Pass security audits on first review with documented secret management
- Environment variable injection works with Docker, K8s, and serverless
- Scavio API key stays in headers, never in MCP server source code
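The rotation-without-restart behaviour promised above, as an added Python example that is not Scavio's code: a small TTL cache around whatever fetcher the deployment uses (an environment variable here; a boto3 or Vault call in production), plus a one-retry wrapper that refreshes the key when the upstream API rejects it. RotatingSecret, env_fetcher and call_with_rotation are names assumed for this illustration.

```python
import os
import time
from typing import Callable, Optional


class RotatingSecret:
    """Cache a secret fetched from a store (env var, Secrets Manager, Vault) and
    refetch it after ttl_seconds, or immediately after a caller invalidates it."""

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch          # how to read the secret from its store
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for deterministic tests
        self._value: Optional[str] = None
        self._fetched_at = 0.0

    def get(self) -> str:
        expired = self._clock() - self._fetched_at >= self._ttl
        if self._value is None or expired:
            self._value = self._fetch()
            self._fetched_at = self._clock()
        return self._value

    def invalidate(self) -> None:
        """Drop the cached value, e.g. after the upstream API rejected it with 401."""
        self._value = None


def env_fetcher(name: str) -> Callable[[], str]:
    """Fetcher reading a runtime-injected environment variable; fails loudly if absent."""
    def fetch() -> str:
        value = os.environ.get(name)
        if not value:
            raise RuntimeError(f"{name} is not set; inject it from your secret manager")
        return value
    return fetch


def call_with_rotation(secret: RotatingSecret, call: Callable[[str], int]) -> int:
    """Call the upstream API with the current key; on 401 refresh the key and
    retry once, so a rotated key is picked up without restarting the MCP server."""
    status = call(secret.get())
    if status == 401:
        secret.invalidate()
        status = call(secret.get())
    return status
```

In a handler, `call` would be the HTTP request to api.scavio.dev returning its status code, and `fetch` would be the Secrets Manager or Vault read.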
Python Example
import json
import os

import requests


def load_api_key() -> str:
    """Return the Scavio API key: from AWS Secrets Manager when boto3 is
    available, otherwise from the environment variable injected at runtime."""
    try:
        import boto3  # only installed in AWS environments
    except ImportError:
        # Never hardcode: API_KEY = "sk-abc123"  # DO NOT DO THIS
        return os.environ["SCAVIO_API_KEY"]
    # For AWS Secrets Manager rotation:
    client = boto3.client("secretsmanager")
    secret = json.loads(client.get_secret_value(SecretId="scavio-api-key")["SecretString"])
    return secret["api_key"]


# Secret resolved at runtime, never from code or config files
API_KEY = load_api_key()


def mcp_search_handler(query: str, platform: str = "google") -> dict:
    """MCP tool handler that sends the API key as a request header."""
    r = requests.post(
        "https://api.scavio.dev/api/v1/search",
        headers={"x-api-key": API_KEY},
        json={"platform": platform, "query": query},
        timeout=10,
    )
    r.raise_for_status()
    return r.json()


result = mcp_search_handler("secure mcp deployment patterns")
print(f"Results: {len(result.get('organic', []))}")
JavaScript Example
// Fail fast at startup if the runtime-injected secret is missing
const API_KEY = process.env.SCAVIO_API_KEY;
if (!API_KEY) throw new Error("SCAVIO_API_KEY environment variable is required");

// For secret rotation without restart:
async function getRotatedKey() {
  // AWS Secrets Manager, Vault, or any secret store
  // Cache with a 5-minute TTL to avoid per-request lookups
  const cached = globalThis.__scavioKeyCache;
  if (cached && Date.now() - cached.ts < 300000) return cached.key;
  // Fetch fresh key from secret manager here
  const freshKey = process.env.SCAVIO_API_KEY; // placeholder
  globalThis.__scavioKeyCache = { key: freshKey, ts: Date.now() };
  return freshKey;
}

async function mcpSearchHandler(query, platform = "google") {
  const res = await fetch("https://api.scavio.dev/api/v1/search", {
    method: "POST",
    headers: { "x-api-key": await getRotatedKey(), "content-type": "application/json" },
    body: JSON.stringify({ platform, query }),
  });
  if (!res.ok) throw new Error(`Scavio API returned ${res.status}`);
  return res.json();
}

// Top-level await requires an ES module; global fetch needs Node 18+
const result = await mcpSearchHandler("secure mcp deployment patterns");
console.log(`Results: ${(result.organic || []).length}`);
Platforms Used
Web search with knowledge graph, PAA, and AI overviews
YouTube
Video search with transcripts and metadata
Amazon
Product search with prices, ratings, and reviews