Authentication methods
An MCP source declares how it authenticates through theauthType field. Synti supports three approaches for the connection itself:
Local (stdio) servers
A local stdio server runs as a process on your machine, so it usually needs no network authentication of its own. When such a server needs a secret—say, an API key for a service it calls—it typically reads it from an environment variable or a config file that you supply in the source’s launch configuration.How credentials are stored
Credentials are encrypted and written to a single local file, never intoconfig.json:
Managing credentials
-
See what’s stored. Run
/debugto list which sources have credentials, without revealing the values. - Remove one source’s credentials. Delete the source; its scoped credentials go with it.
-
Clear everything. Remove the encrypted store entirely:
Synti will prompt you to re-authenticate each source the next time you use it.
Good practices
Prefer OAuth where available
Prefer OAuth where available
Scoped, revocable, and self-refreshing—OAuth avoids a long-lived key on disk and lets you revoke access from the provider side at any time.
Limit token scope
Limit token scope
When you must use a static token, mint it with only the permissions the agent actually needs. A read-only token is a safer default than a full-access one.
Rotate sensitive credentials
Rotate sensitive credentials
Rotate tokens for sensitive services periodically. Because secrets are scoped per source, rotating one never disturbs the others.