Vault - Secure Secret Management

Overview

The Vault provides secure, encrypted storage for sensitive values like API keys, database passwords, and authentication tokens. Secrets stored in the Vault can be referenced in your MCP proxy configurations, ensuring credentials are never exposed in plain text.

Why Use the Vault?

When configuring custom MCP servers, you often need to include sensitive information like:

  • Database connection strings with passwords
  • API keys for external services
  • OAuth client secrets
  • Private tokens and credentials

Instead of hardcoding these values in your MCP configurations, store them securely in the Vault and reference them using placeholder syntax.

Key Features

  • AES-256 Encryption – All secrets are encrypted using industry-standard encryption before storage
  • Organization Scoped – Each secret belongs to your organization and cannot be accessed by others
  • Audit Logging – All create, update, and delete operations are logged for compliance
  • Easy References – Use simple placeholder syntax to inject secrets into MCP configs
  • Secure Decryption – Secrets are only decrypted at runtime when needed

Creating a Secret

  1. Navigate to Security Center → Vault
  2. Click Add Secret
  3. Enter a Secret Name
  4. Enter the Secret Value (the sensitive data)
  5. Click Add Secret

Naming Convention

Use descriptive, uppercase names with underscores (e.g., STRIPE_API_KEY, DB_CONNECTION_STRING) to make them easily identifiable in your configurations.

Using Secrets in MCP Configurations

Reference your secrets using the {{vault.SECRET_NAME}} syntax anywhere in your MCP proxy configuration:

Example: Database MCP Server

{
  "command": "npx",
  "args": [
    "-y",
    "@modelcontextprotocol/server-postgres",
    "postgresql://user:{{vault.DATABASE_PASSWORD}}@localhost/mydb"
  ]
}

Example: API Key Authentication

{
  "command": "node",
  "args": ["server.js"],
  "env": {
    "API_KEY": "{{vault.EXTERNAL_API_KEY}}",
    "API_SECRET": "{{vault.EXTERNAL_API_SECRET}}"
  }
}

How It Works

When you reference a secret using {{vault.SECRET_NAME}}:

  1. Configuration Time – The placeholder remains in your MCP configuration as plain text
  2. Runtime Resolution – Webrix replaces vault placeholders with actual secret values when the MCP server starts
  3. Secure Execution – The MCP server receives the fully resolved configuration with real credentials

This process happens transparently for both:

  • Remote MCP Servers (HTTP/SSE) – Resolved by Webrix before connecting
  • Local MCP Servers (stdio) – Resolved configuration sent to your client

Editing a Secret

  1. Navigate to Security Center → Vault
  2. Find the secret in the list
  3. Click the pencil icon next to the secret
  4. Enter the new value
  5. Click Save Changes

Impact Notice

When you update a secret, any MCP integrations using that secret will receive the new value on their next connection. Existing active connections may need to be restarted.

Deleting a Secret

  1. Navigate to Security Center → Vault
  2. Find the secret in the list
  3. Click the trash icon next to the secret
  4. Confirm the deletion

Warning

Deleting a secret will cause any MCP configurations referencing it to fail. Make sure no active integrations depend on the secret before deleting.

Security

Encryption

  • At Rest – Secrets are encrypted using AES-256-GCM with unique initialization vectors
  • Key Management – Encryption keys are managed through AWS KMS (cloud) or secure encryption keys (on-premises)
  • Never Stored Plain – The plaintext value is only held in memory during encryption/decryption

Access Control

  • Organization Isolated – Secrets are strictly scoped to your organization
  • Admin Only – Only organization administrators can view, create, update, or delete secrets
  • Audit Trail – All operations are logged with user ID and timestamp

Troubleshooting

Secret Not Found Warning

If you see warnings like Vault secret "SECRET_NAME" not found, check:

  1. The secret name is spelled correctly in your MCP configuration
  2. The secret exists in the Vault (check Security Center → Vault)
  3. The secret name matches exactly (case-sensitive)

MCP Connection Failed After Secret Update

If an MCP server stops working after updating a secret:

  1. Verify the new secret value is correct
  2. Check that the secret value doesn't contain characters that break the configuration (e.g., unescaped quotes)
  3. Restart the MCP client/integration to pick up the new value
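
The placeholder resolution described under How It Works and the checks listed under Troubleshooting can be exercised locally before a configuration is deployed. The following is an added JavaScript example, not Webrix's code: the function names, the allowed characters in secret names, the choice to leave unknown placeholders in place, and the sample data are all assumptions.

```javascript
// Added example, not Webrix code. Names and the secret-name character set are assumptions.
const PLACEHOLDER = /\{\{vault\.([A-Za-z0-9_]+)\}\}/g;

// Apply fn(string, path) to every string value in a parsed config, returning a copy.
function mapStrings(node, fn, path = "$") {
  if (typeof node === "string") return fn(node, path);
  if (Array.isArray(node)) return node.map((v, i) => mapStrings(v, fn, `${path}[${i}]`));
  if (node && typeof node === "object") {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, mapStrings(v, fn, `${path}.${k}`)])
    );
  }
  return node;
}

// Report placeholders whose name is not in the vault (exact, case-sensitive match).
function lintVaultRefs(config, vaultNames) {
  const known = new Set(vaultNames);
  const findings = [];
  mapStrings(config, (s, path) => {
    for (const [, name] of s.matchAll(PLACEHOLDER)) {
      if (known.has(name)) continue;
      const caseHit = vaultNames.find((n) => n.toLowerCase() === name.toLowerCase());
      findings.push({ path, name, hint: caseHit ? `case mismatch, vault has ${caseHit}` : "not in vault" });
    }
    return s;
  });
  return findings;
}

// Resolve on the parsed object so quotes or backslashes in a value never touch JSON syntax.
// A function replacer is used so "$" sequences in a secret are inserted literally.
function resolveVaultRefs(config, secrets) {
  const has = (name) => Object.prototype.hasOwnProperty.call(secrets, name);
  return mapStrings(config, (s) =>
    s.replace(PLACEHOLDER, (m, name) => (has(name) ? secrets[name] : m))
  );
}

// Constructed sample data: one reference has the wrong case, one value contains a quote.
const sampleConfig = {
  command: "node",
  args: ["server.js"],
  env: { API_KEY: "{{vault.EXTERNAL_API_KEY}}", API_SECRET: "{{vault.external_api_secret}}" },
};
const sampleSecrets = { EXTERNAL_API_KEY: 'k"ey\\1', EXTERNAL_API_SECRET: "s3cr3t" };

console.log(lintVaultRefs(sampleConfig, Object.keys(sampleSecrets)));
console.log(JSON.stringify(resolveVaultRefs(sampleConfig, sampleSecrets)));
```

Run the lint step with only the list of secret names, so the check never needs the secret values themselves.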
