type: rule
status: active
timestamp: 2026-06-27
tags: [mcp, env, sync, smithery, no-commit-keys]
MCP env credentials — Win env vars + Smithery profile (both layers)
MCP env vars sync via Win system env (local) + Smithery profile (cross-machine). Never commit values.
MCP env credentials — dual-layer sync
Rule
MCP server credentials sync via TWO layers:
| Layer | Scope | What it stores |
|---|---|---|
| Windows env vars (setx) | This machine, all shells | Local-only credentials |
| Smithery profile | Cross-machine, cross-session | All keyed MCPs |
Both layers active. Win env is faster (no Smithery roundtrip). Smithery survives re-image / new machine.
How to add a credential
# 1) Win env (local)
setx FIRECRAWL_API_KEY "fc-xxxxxx"
# setx writes the user environment; only shells opened afterwards see the value
# 2) Smithery (persistent, cross-machine)
npx -y @smithery/cli install firecrawl-mcp --client claude
# Smithery CLI prompts for the key, stores in your Smithery vault
NEVER
- Commit any key to `.env` (gitignored but human-error-prone)
- Commit any key to `.mcp.json` (would be public)
- Hardcode in scripts
- Share Smithery profile credentials between users
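A pre-commit style check for the `.mcp.json` rule above, as an added example that is not part of the original note. It assumes the common `mcpServers` layout with `env`/`headers` maps and a client that expands `${VAR}` references; `findHardcodedSecrets`, the sample server names and the URL are hypothetical.

```javascript
'use strict';
// Added example. Assumed layout (not stated on the page):
// { "mcpServers": { "<name>": { "env": {...}, "headers": {...} } } }

// Only a bare ${VAR} reference is acceptable: a ${VAR:-default} form
// would commit the default value along with the file.
const PURE_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;
// Heuristic: field names that normally hold credentials.
const SECRET_NAME = /(key|token|secret|password|auth)/i;

function findHardcodedSecrets(configText) {
  const findings = [];
  const servers = JSON.parse(configText).mcpServers || {};
  for (const [server, def] of Object.entries(servers)) {
    for (const field of ['env', 'headers']) {
      for (const [name, value] of Object.entries(def[field] || {})) {
        if (!SECRET_NAME.test(name)) continue; // e.g. LOG_LEVEL
        if (typeof value !== 'string' || value === '') continue;
        // Headers may carry a scheme prefix, as in "Bearer ${TOKEN}".
        const candidate = value.replace(/^(Bearer|Basic)\s+/i, '');
        if (!PURE_REF.test(candidate)) {
          findings.push({ server, field, name }); // never echo the value
        }
      }
    }
  }
  return findings;
}

// Constructed sample; "fc-xxxxxx" is the page's placeholder, not a real key.
const SAMPLE_MCP_JSON = JSON.stringify({
  mcpServers: {
    literal: { command: 'npx', args: ['-y', 'firecrawl-mcp'],
      env: { FIRECRAWL_API_KEY: 'fc-xxxxxx', LOG_LEVEL: 'info' } },
    reference: { command: 'npx', args: ['-y', 'firecrawl-mcp'],
      env: { FIRECRAWL_API_KEY: '${FIRECRAWL_API_KEY}' } },
    withDefault: { command: 'npx', args: ['-y', 'firecrawl-mcp'],
      env: { FIRECRAWL_API_KEY: '${FIRECRAWL_API_KEY:-fc-xxxxxx}' } },
    remote: { url: 'https://mcp.example.invalid',
      headers: { Authorization: 'Bearer ${EXAMPLE_TOKEN}' } },
  },
});

for (const f of findHardcodedSecrets(SAMPLE_MCP_JSON)) {
  console.log(`${f.server}.${f.field}.${f.name}: literal value, use a \${VAR} reference`);
}
```

To use it as a gate, read the staged `.mcp.json` into `findHardcodedSecrets` and fail the commit when the returned list is non-empty.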
Recovery
If you lose the Win env (new machine), Smithery profile restores everything:
npx -y @smithery/cli login
npx -y @smithery/cli sync --client claude