get-mcp-keys is a security-focused MCP helper that loads your API keys from a secure file in your home directory (~/.mcprc) and injects them into the environment when running your MCP server. This lets you avoid committing sensitive keys to your repos while still enabling your MCP servers to access the credentials they need. To use it, configure your MCP server command to be executed through get-mcp-keys (via npx in the provided example). When you start the MCP server, get-mcp-keys will read your keys from ~/.mcprc, set the corresponding environment variables, and then run your specified MCP server command with those keys available in the process environment. This works with any MCP server that relies on environment variables for API keys, such as FireCrawl, Brave Search, Supabase, and others you configure.

Prerequisites:

• Node.js and npm installed on your system (for npx usage)
• A configured ~/.mcprc file to store your API keys securely
• An MCP server command you want to run that relies on environment variables for API keys

Installation steps:

1. Ensure Node.js and npm are installed. You can verify with: node --version npm --version

2. Install or use npx to run the get-mcp-keys helper without a global install. You typically don’t need to install anything globally; just ensure you have an active internet connection: npx @masonator/get-mcp-keys

3. Prepare your ~/.mcprc file with your API keys. Example:

   ~/.mcprc

   FIRECRAWL_API_KEY="your_actual_api_key_here" BRAVE_API_KEY="another_secret_key_here"

   Add any other MCP server keys you use

4. Update your MCP server configuration to route through get-mcp-keys. For example, in your mcp.json (or equivalent), configure: { "mcpServers": { "firecrawl": { "command": "npx", "args": [ "@masonator/get-mcp-keys", "npx", "-y", "firecrawl-mcp" ] } } }

5. Run your MCP server as you normally would; get-mcp-keys will load the keys from ~/.mcprc, inject them into the environment, and execute the specified MCP server command with access to those keys.

Notes:

• Your keys stay in ~/.mcprc and are not committed to any repository. They are loaded only when you start the MCP server and are available to the process environment during execution.
• The utility will typically reveal only the first/last few characters of keys in any debug output to avoid leaking secrets.
• If a key needs to be refreshed, update ~/.mcprc and restart the MCP server; no code changes are required.
• Ensure proper file permissions on ~/.mcprc (e.g., chmod 600) to prevent other users from reading your keys.
• If you need to support multiple MCP servers, repeat the configuration blocks for each server and add corresponding keys to ~/.mcprc.