What is a secret reference?
Also: secret references, secret placeholder
A secret reference is a placeholder such as ${env:GITHUB_TOKEN} that points to a secret stored elsewhere, so the raw value is never written into a config file.
Instead of pasting an API key or token directly into a client’s MCP config, a secret reference names where the value lives — an environment variable, a dotenv file, or a secret manager such as 1Password or Infisical. The config carries only the reference.
mcpfold resolves each reference at fold time, from your environment or secret manager, so nothing sensitive is written to a client config or committed to git. Some clients can even receive the reference natively via their own input mechanism.
This keeps credentials out of the files that are most likely to be shared, synced, or accidentally checked in.
Related
mcpfold is an independent, open-source project. The Model Context Protocol is an open standard; mcpfold is not affiliated with or endorsed by the MCP project.