Version: 1.1.x

Secret Management

Secret Management in Lunar.dev MCPX allows admins to provision credentials for MCP servers directly from your Kubernetes cluster. The control plane and admin UI have visibility only into secret names and key names, never the secret values themselves. Those values are injected directly into the MCP servers within the cluster, without being exposed outside the runtime environment.


How Secret Management Works

The Secrets page in the MCPX control plane displays the Kubernetes secrets available within your deployment namespace. Admins can assign individual secret keys to one or more Profiles.

At deployment time, those assigned keys are injected into the relevant MCP servers. Secret values flow directly from the Kubernetes Secret into the MCP server runtime, without passing through the control plane.

The control plane never accesses or stores the secret values themselves.

A user's access to a secret is determined through their Profile. Profile membership is managed through Group synchronization from your identity provider, creating an access chain of user → Group → Profile → secret. For more information on how Profiles and Groups are defined and managed, see Centralized User Management.
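The access chain above lends itself to a mechanical access review. The following is an added example, not MCPX code or its API: the user, Group, Profile and secret names and the data structures are constructed assumptions, and only secret names and key names appear, never values.

```python
# Added illustration of the user -> Group -> Profile -> secret chain.
# Not MCPX code; all names and data below are constructed for the example.

# Group membership per user, as synced from the identity provider.
USER_GROUPS = {
    "alice": {"platform-eng"},
    "bob": {"data-science", "platform-eng"},
    "carol": {"support"},
}
# Group -> Profiles mapping.
GROUP_PROFILES = {
    "platform-eng": {"infra-tools"},
    "data-science": {"analytics"},
    "support": set(),
}
# Profile -> assigned (secret name, key name) pairs.
PROFILE_SECRETS = {
    "infra-tools": {("github-creds", "token"), ("slack-creds", "bot_token")},
    "analytics": {("warehouse-creds", "password"), ("github-creds", "token")},
}
# Secret names and key names present in the namespace (metadata only).
NAMESPACE_INVENTORY = {
    "github-creds": {"token"},
    "slack-creds": {"bot_token"},
    "warehouse-creds": {"username"},  # "password" key is gone: drift
}

def effective_secrets(user):
    """Follow user -> Group -> Profile -> secret and return reachable keys."""
    reachable = set()
    for group in USER_GROUPS.get(user, ()):
        for profile in GROUP_PROFILES.get(group, ()):
            reachable |= PROFILE_SECRETS.get(profile, set())
    return reachable

def who_can_reach(secret, key):
    """Reverse lookup for access review: each user with the granting paths."""
    paths = {}
    for user, groups in USER_GROUPS.items():
        for group in sorted(groups):
            for profile in sorted(GROUP_PROFILES.get(group, ())):
                if (secret, key) in PROFILE_SECRETS.get(profile, set()):
                    paths.setdefault(user, []).append((group, profile))
    return paths

def dangling_assignments():
    """Assignments whose secret or key is absent from the namespace."""
    return sorted((p, s, k) for p, pairs in PROFILE_SECRETS.items()
                  for s, k in pairs if k not in NAMESPACE_INVENTORY.get(s, set()))
```

The reverse lookup shows when a user reaches the same key through more than one Group, which matters when revoking access: removing a single Group membership may not remove the grant.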


Benefits

  • Keeps all credentials inside your controlled infrastructure
  • Supports integration with existing enterprise secret management tools
  • Enables scoped, auditable access to sensitive data
  • Reduces the risk of credential leaks or configuration drift
  • Restrict access by role. Use Centralized User Management to control which users or agents can access credentials for specific tools or servers.
  • Bring your own secret manager. Seamless integration with your vault.

💡 MCPX Enterprise Feature - Secret Management is exclusively available on our Enterprise plan.
Contact our team to book a demo and unlock this feature.