how should credential management work over MCP?
MCP makes credentials available through tools an agent can call. That is easier than building separate integrations, but the tool boundary must be designed as a security boundary rather than a convenient secret lookup.
pair the agent before exposing tools
A connected agent needs its own identity, scopes and key material. Decoy pairs the local MCP bridge with the user’s phone, registers the agent public key and stores the resulting token locally.
The user sees the connected application and can later change or revoke its access without affecting other agents.
separate metadata from secrets
Listing accounts and messages should not automatically reveal passwords or message bodies. Metadata helps an agent find the right target. A separate unlock tool provides the sensitive value only after the policy check succeeds.
- List tools return identifiers and safe metadata.
- Unlock tools request passwords, message bodies or personal information.
- Passkey tools return signed assertions rather than private keys.
- Write tools use their own scopes and approval rules.
the server should not hold the decryption key
Decoy stores encrypted data and envelopes. The local MCP bridge holds the agent private key and decrypts approved values in its own process. This keeps plaintext away from the Decoy server.
Local decryption does not automatically keep a secret away from the model. The host runtime still decides how MCP tool results enter context and logs.
make permission failures actionable
A generic forbidden error leaves the agent guessing. Useful MCP errors distinguish missing scope, missing resource access, denial, expiry and temporary unavailability so the agent can recover without repeatedly prompting the user.
common questions
which MCP clients can use Decoy?
Any client that can connect to the local Decoy MCP server can use its tools. The bridge runs locally and exposes an HTTP MCP endpoint.
where is the agent token stored?
The Decoy MCP bridge stores its token and agent key under the local Decoy configuration directory on the machine running the bridge.
does MCP keep passwords out of model context?
Not by itself. MCP defines the tool connection. The agent runtime controls whether a returned password appears in model context or logs.
