arcade-mcp/libs/arcade-mcp-server/docs/examples/04_secrets.md
Eric Gustin a11f79b32d
Update arcade-mcp-server docs (#597)
1. Updates docs to prefer `uv run server.py` instead of `arcade mcp` or
`python -m arcade_mcp_server`
2. Found a bug with running stdio servers while updating the docs, so i
snuck that in this PR
2025-10-02 17:16:38 -07:00

59 lines
1.7 KiB
Markdown

# 04 - Tool Secrets
Read secrets from environment and `.env` files securely via Context.
## Running the Example
- **Run**: `uv run 04_secrets.py`
- **Run (stdio)**: `uv run 04_secrets.py stdio`
- **Create `.env`**: Add `API_KEY=supersecret` to a `.env` file
## Source Code
```python
--8<-- "docs/examples/04_secrets.py"
```
## Working with Secrets
### 1. Environment Variables
Secrets can be provided via environment variables:
```bash
export API_KEY="your-secret-key"
export DATABASE_URL="postgresql://localhost/mydb"
```
### 2. Using .env Files
Create a `.env` file in the directoryof your server:
```
API_KEY=supersecret
DATABASE_URL=postgresql://user:pass@localhost/db
GITHUB_TOKEN=ghp_xxxxxxxxxxxx
```
### 3. Declaring Required Secrets
Use the `requires_secrets` parameter to declare which secrets your tool needs:
```python
@tool(requires_secrets=["API_KEY", "DATABASE_URL"])
def my_secure_tool(context: Context) -> str:
api_key = context.get_secret("API_KEY")
db_url = context.get_secret("DATABASE_URL")
```
### 4. Security Best Practices
- **Never log secret values**: Always mask or truncate when displaying
- **Declare requirements**: Use `requires_secrets` to document dependencies
- **Handle missing secrets**: Use try/except when accessing secrets
- **Use descriptive names**: Make it clear what each secret is for
## Key Concepts
- **Secure Access**: Secrets are accessed through context, not imported directly
- **Environment Integration**: Works with both environment variables and .env files
- **Error Handling**: Always handle the case where a secret might be missing
- **Masking**: Never expose full secret values in logs or return values
- **Declaration**: Use `requires_secrets` to make dependencies explicit