Stu Mason

I Almost Pushed My API Keys to GitHub

Nearly committed my API keys to GitHub. Built a wrapper to keep MCP secrets out of repos entirely.

I was one git add . away from publishing my FireCrawl API key to GitHub. Caught it in the diff, panicked, and then realised this was going to keep happening unless I fixed it properly.

The problem? Cursor's MCP config wants your API keys right there in the project:

{
    "mcpServers": {
        "firecrawl": {
            "command": "npx",
            "args": ["-y", "firecrawl-mcp"],
            "env": {
                "FIRECRAWL_API_KEY": "fc-my-actual-key-lol"
            }
        }
    }
}

That file gets committed. Those keys go public. Even if you remove them later, they're in your Git history forever. Someone will find them.

The Things I Tried That Didn't Work

Went through a bunch of half-arsed solutions:

  1. Environment variable wrappers - Too easy to forget
  2. Global config files - Cursor doesn't support them
  3. Node.js env loaders - Needed setting up per project
  4. NPM package approach - Had weird env var issues

Every solution was either too complex, too fragile, or too much of a pain to set up consistently.

What I Built Instead

Ended up making get-mcp-keys. Dead simple idea:

  1. Put all your API keys in ~/.mcprc (in your home directory, nowhere near any repos)
  2. Use the package as a wrapper in your MCP config
  3. It loads your keys and passes them through

The ~/.mcprc file:

FIRECRAWL_API_KEY=your-actual-key-here
BRAVE_API_KEY=your-brave-search-key
REPOSITORY_PATH=/path/to/repositories

Your MCP config:

{
    "mcpServers": {
        "firecrawl": {
            "command": "npx",
            "args": [
                "@masonator/get-mcp-keys",
                "npx",
                "-y",
                "firecrawl-mcp"
            ]
        }
    }
}

That's it. Your keys live safely outside your repos. Your config stays clean. You can commit without checking the diff for secrets.

The Security Bits

Built in some sensible defaults:

  • Keys in home directory - Nowhere near Git repos
  • Masked debug output - If something goes wrong, it doesn't log your full keys
  • Fallback support - Works with JSON or plain environment variable format
  • Clear warnings - Tells you when keys are missing
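
The wrapper pattern described above (keys read from ~/.mcprc in JSON or KEY=VALUE form, masked debug output, a warning when keys are missing, then the real server started with the keys in its environment), as an added sketch that is not the get-mcp-keys source. The function names, the DEBUG switch, the 3-character mask prefix and the file-mode warning are assumptions of this example.

```javascript
// Added sketch of the load-and-pass-through pattern; names and rules are assumptions.
// Parse rc text: a JSON object if it parses as one, else KEY=VALUE lines.
function parseRc(text) {
  try {
    const obj = JSON.parse(text);
    if (obj && typeof obj === 'object' && !Array.isArray(obj)) {
      return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, String(v)]));
    }
  } catch { /* not JSON, fall through to KEY=VALUE */ }
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq < 1) continue; // comment, blank, or no key
    let val = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(val)) val = val.slice(1, -1); // strip matching quotes
    out[line.slice(0, eq).trim()] = val;
  }
  return out;
}

// Mask a secret for logs: show a 3-char prefix only when the value is long.
function mask(value) {
  return value.length > 8 ? value.slice(0, 3) + '***' : '***';
}

// Load ~/.mcprc, then run the real MCP server with the keys in its environment.
async function run(argv) {
  // Dynamic import() works whether this file is loaded as CommonJS or ESM.
  const fs = await import('node:fs');
  const os = await import('node:os');
  const path = await import('node:path');
  const { spawn } = await import('node:child_process');
  const rcPath = path.join(os.homedir(), '.mcprc');
  let rc = {};
  try {
    // On POSIX systems, warn if group/other can read the secrets file.
    const loose = process.platform !== 'win32' && (fs.statSync(rcPath).mode & 0o077);
    if (loose) console.error(`warning: chmod 600 ${rcPath}`);
    rc = parseRc(fs.readFileSync(rcPath, 'utf8'));
  } catch (e) {
    console.error(`warning: no keys loaded from ${rcPath} (${e.code})`);
  }
  // Log to stderr only: stdout carries the MCP stdio protocol.
  if (process.env.DEBUG) for (const [k, v] of Object.entries(rc)) console.error(`${k}=${mask(v)}`);
  const child = spawn(argv[0], argv.slice(1), { env: { ...process.env, ...rc }, stdio: 'inherit' });
  child.on('error', (e) => { console.error(`spawn failed: ${e.message}`); process.exit(127); });
  child.on('exit', (code) => process.exit(code ?? 1));
}
if (process.argv.length > 2) run(process.argv.slice(2));
```

Saved as a hypothetical `mcp-env-wrap.js`, it would be invoked as `node mcp-env-wrap.js npx -y firecrawl-mcp`, the same shape as the `args` array in the MCP config above.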

Installing It

npm install -g @masonator/get-mcp-keys

Create your ~/.mcprc, update your MCP configs to use the wrapper, and stop worrying about accidentally publishing your API keys.

The GitHub repo has full docs if you need them.

The Point

This took me an afternoon to build and has saved me from fucking up multiple times since. Sometimes the best tools are the ones that prevent problems you'd otherwise never know you avoided.

If you're using Cursor with MCP servers, sort this out before you push something you'll regret.
