Replacing a shared .env file with scoped MCP tokens
I appreciate the time if you read all of this.
I work on CertLocker so this is a product post as well. And it's fully working and out in the open. It's a devops control plane that handles secrets and tokens as well as a few other things. But today I just want to show the MCP side and get some feedback.
I was talking to an agency recently about how they are using Claude and MCP agents for real client work.
Reports.
Scripts.
SOPs.
Campaign checks.
Small bits of automation.
They have staff and contractors working from different countries and the access side of it was the part that stood out to me.
It was basically one .env file with all the useful stuff inside it.
AI provider keys
Client advertising tokens
Search Console OAuth
Webhook secrets
GitHub tokens
SOP repo access
Then that file, or parts of it, gets passed around because people and agents need access to get the work done.
I have done the same thing myself plenty of times.
The problem is once you give someone the .env file they have access to everything inside it.
A contractor working on Client A might also have Client B credentials.
An agent checking SOPs might also be able to read webhook secrets or tokens it has no reason to access.
Something gets printed into logs.
Copied into chat.
Pasted into another tool.
Then later someone asks who accessed what and you are trying to work it out from different systems.
That is the problem we have been working on with CertLocker and MCP access.
Instead of giving the agent the full .env file we import each entry as its own secret.
Secrets can then be grouped by client or function.
Each agent gets its own identity.
Each agent gets its own scoped token.
The agent can ask CertLocker for one specific secret through MCP.
CertLocker checks the group and scope.
The request is allowed or denied.
Either way it is logged.
If one agent or contractor needs removed you revoke that one identity.
You do not need to rotate every client credential because one person or agent had access to the same file.
So the agent does not get the whole env file.
It gets access to the few secrets it actually needs.
The bit I am still working out is how granular the scopes should be.
Too broad and you are back to the same problem.
Too narrow and people will just get annoyed and start passing .env files around again.
For anyone building MCP servers or using agents with contractors/staff how granular are you making the access?
We also offer an on-prem model for companies who do not want secrets or credentials stored with a third party
I wrote up the full workflow with screenshots here:
https://t.co/5PdhtZn8zT
#AI #MCP #AIAgents #Claude
#ModelContextProtocol #DevOps #SecretsManagement #AIInfrastructure
Your SSL certs should not live in a spreadsheet.
CertLocker helps DevOps and security teams track certificates, expiry dates, private keys, secrets, renewals, scoped access and audit logs in one place.
Drop your domain and I’ll have a quick look at your SSL setup.
Expiry dates, issuer, SANs, chain, what cert is actually being served, and anything that looks off from the outside.
We’re building CertLocker because this stuff always gets ignored until it breaks something.
https://t.co/bcSBvP5qNi
Drop your domain below and I’ll give it a quick SSL/TLS teardown.
I’ll check when your cert expires, what domains are on it, who issued it, if the chain looks clean, what’s being served publicly and if anything looks messy or easy to miss.
We’re building CertLocker around this problem, so happy to take a look.
https://t.co/bcSBvP5qNi
CertLocker billing is live now.
Free, Standard, Enterprise.
Stripe checkout.
Monthly/yearly billing.
Invoice history.
Tier limits enforced in the product.
Next few sprints: less hiding in code, more talking to operators.
https://t.co/AFZ5efC4eq
#devops#outage#startup #support #ssl #engineering
@IAmPascio https://t.co/WE7FDCmz5A
•CertLocker gives DevOps and security teams one place to manage TLS certs, secrets, scoped access, probes, and audit trails across messy real infrastructure before something expires,
leaks, or becomes impossible to prove.