1. Updates docs to prefer `uv run server.py` instead of `arcade mcp` or `python -m arcade_mcp_server` 2. Found a bug with running stdio servers while updating the docs, so i snuck that in this PR
1.7 KiB
1.7 KiB
04 - Tool Secrets
Read secrets from environment and .env files securely via Context.
Running the Example
- Run:
uv run 04_secrets.py - Run (stdio):
uv run 04_secrets.py stdio - Create
.env: AddAPI_KEY=supersecretto a.envfile
Source Code
--8<-- "docs/examples/04_secrets.py"
Working with Secrets
1. Environment Variables
Secrets can be provided via environment variables:
export API_KEY="your-secret-key"
export DATABASE_URL="postgresql://localhost/mydb"
2. Using .env Files
Create a .env file in the directoryof your server:
API_KEY=supersecret
DATABASE_URL=postgresql://user:pass@localhost/db
GITHUB_TOKEN=ghp_xxxxxxxxxxxx
3. Declaring Required Secrets
Use the requires_secrets parameter to declare which secrets your tool needs:
@tool(requires_secrets=["API_KEY", "DATABASE_URL"])
def my_secure_tool(context: Context) -> str:
api_key = context.get_secret("API_KEY")
db_url = context.get_secret("DATABASE_URL")
4. Security Best Practices
- Never log secret values: Always mask or truncate when displaying
- Declare requirements: Use
requires_secretsto document dependencies - Handle missing secrets: Use try/except when accessing secrets
- Use descriptive names: Make it clear what each secret is for
Key Concepts
- Secure Access: Secrets are accessed through context, not imported directly
- Environment Integration: Works with both environment variables and .env files
- Error Handling: Always handle the case where a secret might be missing
- Masking: Never expose full secret values in logs or return values
- Declaration: Use
requires_secretsto make dependencies explicit