Secret storage
Enhancement
We currently have a need for secure storage of secrets.
These secrets might be private keys for issuing OAuth tokens or they might be client OAuth secrets.
This issue is to track this requirement.
My current intention for this is to focus on local secret stores and add secret backends (Windows Credential Manager, Keychain, etc.) to https://github.com/strawgate/py-key-value
As an alternate approach, can't we rely on a 3rd party application like HashiCorp Vault via API calls? It might be more robust and secure but on the flip side would introduce slight latency. Thoughts?
https://github.com/strawgate/py-key-value supports HashiCorp Vault as a backend as of yesterday.
Local keyrings allow us to store secrets securely "out of the box" including during development but distributed stores are necessary for horizontally scaled deployments.
py-key-value also lets you do passthrough caching, where you can define a memory store and a distributed store and only reach out to the distributed store if the entry is missing from the memory store.
@strawgate is there a plan to support retrieving secrets from an external DB store? As a comparison, for example, the official MCP SDK provides a token storage/retrieval interface that you pass into the MCP client that you can implement to query your DB.
Yes, the py-key-value library that is used for secrets can be used to store OAuth tokens in Redis, Vault, any number of remote key-value stores already. I believe we have docs for this now too.
This issue was actually just meant for the out-of-the-box configuration for secure secret storage that @jlowin and I are working on.
See https://gofastmcp.com/servers/storage-backends#storage-backends
Awesome! Thanks a bunch - will try it out.