arcade-mcp/libs/arcade-mcp-server/docs/examples/04_secrets.md
Eric Gustin a11f79b32d
Update arcade-mcp-server docs (#597)
1. Updates docs to prefer `uv run server.py` instead of `arcade mcp` or
`python -m arcade_mcp_server`
2. Found a bug with running stdio servers while updating the docs, so i
snuck that in this PR
2025-10-02 17:16:38 -07:00

1.7 KiB

04 - Tool Secrets

Read secrets from environment and .env files securely via Context.

Running the Example

  • Run: uv run 04_secrets.py
  • Run (stdio): uv run 04_secrets.py stdio
  • Create .env: Add API_KEY=supersecret to a .env file

Source Code

--8<-- "docs/examples/04_secrets.py"

Working with Secrets

1. Environment Variables

Secrets can be provided via environment variables:

export API_KEY="your-secret-key"
export DATABASE_URL="postgresql://localhost/mydb"

2. Using .env Files

Create a .env file in the directoryof your server:

API_KEY=supersecret
DATABASE_URL=postgresql://user:pass@localhost/db
GITHUB_TOKEN=ghp_xxxxxxxxxxxx

3. Declaring Required Secrets

Use the requires_secrets parameter to declare which secrets your tool needs:

@tool(requires_secrets=["API_KEY", "DATABASE_URL"])
def my_secure_tool(context: Context) -> str:
    api_key = context.get_secret("API_KEY")
    db_url = context.get_secret("DATABASE_URL")

4. Security Best Practices

  • Never log secret values: Always mask or truncate when displaying
  • Declare requirements: Use requires_secrets to document dependencies
  • Handle missing secrets: Use try/except when accessing secrets
  • Use descriptive names: Make it clear what each secret is for

Key Concepts

  • Secure Access: Secrets are accessed through context, not imported directly
  • Environment Integration: Works with both environment variables and .env files
  • Error Handling: Always handle the case where a secret might be missing
  • Masking: Never expose full secret values in logs or return values
  • Declaration: Use requires_secrets to make dependencies explicit