▸ TL;DR
API keys are passed to the MCP server as environment variables when it starts. The MCP server reads them and uses them to call upstream APIs. The LLM never sees the raw credentials, only the tools they enable.
When Claude Desktop or another client launches an MCP server in stdio mode, it passes the environment variables defined in its config to the server process. Example: the GitHub MCP gets GITHUB_TOKEN set, then makes GitHub API calls with that token. The LLM only sees "list_repos called → returned 10 repos", never the token. Best practice: use fine-grained tokens (read-only when possible), rotate them periodically, and store them in the OS keychain instead of plain config files. Unyly's MCP detail pages show exactly which env vars each MCP needs, so you can audit before installing.
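One way to run that audit against a local client config, as an added example (not Unyly's or any MCP client's own code). It assumes the config uses the `mcpServers` layout with a per-server `env` map, as Claude Desktop's does; the sample config, server names and token value are constructed.

```python
import json
import re

# Constructed sample in the shape of a Claude Desktop config ("mcpServers" map).
# Server names, commands and the token value are made up for this example.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "example-github-mcp"],
      "env": {"GITHUB_TOKEN": "CONSTRUCTED-not-a-real-token", "LOG_LEVEL": "info"}
    },
    "notes": {"command": "python", "args": ["notes_server.py"]}
  }
}
"""

# Assumption: variable names containing these words carry credentials.
SECRET_NAME = re.compile(r"(TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)", re.I)

def redact(value):
    """Show only enough of a value to identify it in a report."""
    return value[:4] + "..." if len(value) > 8 else "***"

def audit_config(text):
    """Return one finding per env var that each MCP server would receive."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, spec in sorted(servers.items()):
        for var, value in sorted((spec.get("env") or {}).items()):
            sensitive = bool(SECRET_NAME.search(var))
            findings.append({
                "server": name,
                "var": var,
                "sensitive": sensitive,
                # A non-empty literal under a secret-looking name means the
                # credential sits in plaintext in the config file.
                "plaintext_secret": sensitive and bool(str(value).strip()),
                "shown_as": redact(str(value)) if sensitive else str(value),
            })
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "PLAINTEXT SECRET" if f["plaintext_secret"] else "ok"
        print(f'{f["server"]:8} {f["var"]:14} {f["shown_as"]:10} {flag}')
```

A `PLAINTEXT SECRET` finding marks a credential to move into the OS keychain and to scope down or rotate.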
Yes, when you use MCPs from a vetted catalog. Unyly auto-scans every MCP for leaked secrets and malicious dependencies. Avoid installing random GitHub gists without verification.
Function calling is a vendor-specific LLM API (OpenAI, Anthropic). MCP is an open protocol — same MCP server works with any client (Claude Desktop, Cursor, VS Code). MCP avoids vendor lock-in.
Use the official SDK in your language (TypeScript, Python, Go), define tools with JSON Schema, expose them via stdio or HTTP. Submit to unyly.org/submit so other users can discover it.