Exposing tools to LLMs requires strict authentication models to prevent unauthorized execution. Learn how to secure your MCP gateway using OAuth 2.1 PKCE and encrypted credential vaults with wmcp.sh.
Passing raw access tokens or client secrets through URL parameters or plain-text headers leaves your agents vulnerable. Hardcoded tokens risk exposure in logs, while failing to distinguish between interactive user authentication (OAuth) and server-to-server static keys (bot tokens) leads to broken authorization models. Proper security requires different strategies for different token lifecycles.
Disclaimer: wmcp.sh is an independent infrastructure provider and is not affiliated with Slack, GitHub, Google, Notion, Linear, Anthropic, or OpenAI.
# Example: Securing a connection with wmcp.sh in TypeScript
import { McpGateway } from '@wmcp/sdk';
// For interactive human login flows (e.g., Google, Slack, Notion)
const gateway = new McpGateway({
authMode: 'oauth2.1-pkce',
clientId: process.env.OAUTH_CLIENT_ID,
// Short TTL cache (~1s) for high-frequency tool calls
cacheTtl: '1s',
});
// For static server-to-server keys (e.g., Bot tokens)
await gateway.storeInVault({
provider: 'stripe',
key: process.env.STRIPE_SECRET_KEY,
vaultType: 'encrypted-credentials-proxy'
});
console.log('Secure connection established.');
| Capability | Without wmcp.sh | With wmcp.sh |
|---|---|---|
| OAuth 2.1 PKCE support | ⚠️ Requires manual state/PKCE verification logic | ✅ Native PKCE for interactive flows |
| Encrypted Credentials Vault | ❌ Keys stored in plain text or app config | ✅ KMS-encrypted out-of-band proxy |
| Short TTL Caching (~1s) | ⚠️ Often caches too long, risking stale token use | ✅ Configurable sub-second invalidation |
| Sub-100ms Latency | ❌ Gateway proxying adds significant overhead | ✅ Optimized edge routing for sub-100ms latency |
Use OAuth 2.1 PKCE for any interactive authentication flow where a human user needs to log into a third-party platform (like Google, GitHub, Slack, Notion, or Linear) and grant scoped access to an AI agent.
Static credentials, such as bot tokens or server-to-server API keys, should never be stored in plain text or passed via URL parameters. They must be secured in an encrypted credentials vault acting as an out-of-band proxy.
Yes, the platform securely manages token exchange, caching (with short TTLs), and rotation automatically without exposing secrets to the runtime agent.
No. wmcp.sh is an independent gateway and is not affiliated with Google, GitHub, Slack, Notion, Linear, Anthropic, OpenAI, or Microsoft.
Custom adapter + hosted MCP at mcp.yourbrand.com + verified badge. From $499 one-time setup. (Managed Retainer: $999/mo, Enterprise: $4,999+/mo)