MCP-Bridge

MCP Security Best Practices

June 2026 · 5 min read

MCP servers give AI assistants powerful access to your tools and data. Follow these practices to keep your setup secure.

1. Use Read-Only Tokens Where Possible

Many APIs support scoped API keys. Create tokens with minimal permissions — read-only access when the MCP server doesn't need to write data. For example, a monitoring MCP server only needs GET access.

2. Never Commit API Keys

MCP configs contain sensitive environment variables, so a config file committed to version control exposes them. Always externalize API keys using environment variables or a secrets manager. Use claude_desktop_config.json with env vars rather than hardcoded values.

3. Run MCP Servers Locally

Prefer local MCP server processes over remote ones when possible. Local servers run on your machine with your existing security context. Remote servers require additional authentication and transport security.

4. Audit Your Configurations

Regularly review which MCP servers are configured and what permissions each one has. Remove unused servers and rotate API keys periodically.

5. Validate OpenAPI Specs Before Converting

Only convert OpenAPI specs from trusted sources. Use our converter, which processes everything in your browser — no data is sent to any server.

6. Use Environment Variables for Secrets

Structure your MCP configs to reference environment variables rather than embedding secrets:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@github/mcp-server"],
      "env": {
        "GITHUB_TOKEN": "${GITHUB_TOKEN}"
      }
    }
  }
}
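
An added example, not part of the original guide or MCP-Bridge's own code: a Python audit for practices 2, 4 and 6 that reports literal credentials in env blocks, credentials passed inline in args, and ${VAR} references with no matching variable. The `monitoring` and `tickets` servers, their package names and the name-matching heuristics are assumptions made for illustration.

```python
import json
import re

# Matches a value that is only an environment reference, e.g. "${GITHUB_TOKEN}".
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
# Variable names that usually hold credentials (heuristic, an assumption of this example).
SECRET_NAME = re.compile(r"TOKEN|KEY|SECRET|PASSWORD|PASSWD|CREDENTIAL", re.I)
# Command-line flags that usually carry a credential inline, e.g. --api-key=abc.
SECRET_FLAG = re.compile(r"^--?[\w-]*(token|key|secret|password)[\w-]*=(.+)$", re.I)


def audit_mcp_config(config, environ):
    """Return (server, kind, detail) findings for an mcpServers config dict."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            ref = ENV_REF.match(str(value))
            if ref:
                # Referenced variable must exist, or the server starts without it.
                if ref.group(1) not in environ:
                    findings.append((name, "unset-reference", ref.group(1)))
            elif SECRET_NAME.search(var) and value:
                # Literal value under a credential-like name: embedded secret.
                findings.append((name, "hardcoded-secret", var))
        for arg in server.get("args", []):
            if SECRET_FLAG.match(arg) and not ENV_REF.match(arg.split("=", 1)[1]):
                findings.append((name, "secret-in-args", arg.split("=", 1)[0]))
    return findings


# Constructed sample: the page's github entry plus two hypothetical servers.
SAMPLE = json.loads("""
{"mcpServers": {
  "github": {"command": "npx", "args": ["-y", "@github/mcp-server"],
             "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}},
  "monitoring": {"command": "npx", "args": ["-y", "example-monitoring-mcp"],
                 "env": {"MONITOR_API_KEY": "constructed-literal-not-a-real-key",
                         "LOG_LEVEL": "info"}},
  "tickets": {"command": "npx",
              "args": ["-y", "example-tickets-mcp", "--api-token=constructed-literal"],
              "env": {"TICKETS_TOKEN": "${TICKETS_TOKEN}"}}
}}
""")

if __name__ == "__main__":
    # Only GITHUB_TOKEN is "set" here; the value itself is never read or printed.
    for finding in audit_mcp_config(SAMPLE, {"GITHUB_TOKEN": "set"}):
        print(*finding, sep="\t")
```

Findings name the variable or flag, never its value, so the output is safe to paste into a ticket. Whether `${VAR}` placeholders are expanded depends on the MCP client, so confirm that your client substitutes them before relying on this form.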
