Skip to content

Credential Management

The MCP server provides encrypted credential management for cloud storage providers. Credentials are stored locally with AES-256-GCM authenticated encryption.

Aspect Implementation
Encryption AES-256-GCM (authenticated)
Key Derivation scrypt with OWASP-recommended parameters
Storage Local encrypted file (./data/credentials.enc)
File Permissions 0600 (owner read/write only)
Memory Decrypted keys cached with timeout + zeroing
Variable Required Description
CREDENTIAL_MASTER_PASSWORD Yes Master password for encryption/decryption
CREDENTIAL_STORE_PATH No Path to credential store (default: ./data/credentials.enc)

Store new credentials with AES-256-GCM encryption.

Parameter Type Required Description
id string Yes Unique identifier
name string Yes Human-readable name
credentials object Yes Provider-specific credentials (see below)
description string No Optional description
tags string[] No Optional tags
{
"id": "company-gdrive",
"name": "Company Google Drive",
"credentials": {
"type": "googledrive",
"clientId": "xxx.apps.googleusercontent.com",
"clientSecret": "GOCSPX-xxx",
"refreshToken": "1//xxx"
},
"tags": ["production", "google"]
}

Retrieve full credentials by ID (including secrets).

Update existing credentials. The id must already exist. Provider type is immutable after creation.

Delete credentials by ID. Cannot be undone.

List all stored credential metadata (no secrets returned).


{
"type": "googledrive",
"clientId": "xxx.apps.googleusercontent.com",
"clientSecret": "GOCSPX-xxx",
"refreshToken": "1//xxx",
"rootFolderId": "optional-folder-id"
}
Field Required Description
type Yes Must be "googledrive"
clientId Yes OAuth2 Client ID
clientSecret Yes OAuth2 Client Secret
refreshToken Yes OAuth2 Refresh Token
rootFolderId No Default folder for operations