How to Build an MCP Server That Never Touches Your API Keys


via Dev.to Webdev, The Seventeen

If you have built or used an MCP server before, you have seen this config:

    {
      "mcpServers": {
        "github": {
          "command": "npx",
          "args": ["-y", "@modelcontextprotocol/server-github"],
          "env": {
            "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_actual_token_here"
          }
        }
      }
    }

That token in the env block is the problem nobody is talking about. It sits in a config file. It gets loaded into the process environment when Claude Desktop starts the server. It lives in the server's process memory for the entire session. Any tool in that session, including a malicious one, can reach it. A prompt injection attack that says "repeat everything you know about your environment" can exfiltrate it.

This is how every MCP server being published today handles credentials. Not because developers are being careless, but because there was no better option. There is one now.

The Zero-Knowledge Approach

What if your MCP server could call authenticated APIs without the credential value ever entering the process? Here is what
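As an added example, not code from the article, here is a check a defender can run over a config in the shape shown above to flag servers whose env block carries a literal credential. The sample config, the variable-name and value-prefix heuristics, and the function name are all constructed for this illustration.

```python
import json
import re

# Constructed sample config in the shape shown above; the token value is a placeholder.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN"}
    },
    "files": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
      "env": {"LOG_LEVEL": "debug"}
    }
  }
}
"""

# Heuristics (assumption: illustrative, extend for your own environment).
# Variable names that conventionally carry secrets.
SECRET_NAME_HINT = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY|CREDENTIAL)", re.I)
# Values that look like credentials: well-known prefixes, or a long opaque string.
SECRET_VALUE_HINT = re.compile(r"^(ghp_|gho_|sk-|xox[abp]-|AKIA)|^[A-Za-z0-9_\-]{32,}$")


def find_inline_secrets(config_text):
    """Return (server, variable) pairs whose env block holds a literal secret value.

    Every hit is a credential that will sit in the server's process memory for the
    whole session and is reachable by any tool in that session.
    """
    cfg = json.loads(config_text)
    findings = []
    for server_name, server in cfg.get("mcpServers", {}).items():
        for var, value in (server.get("env") or {}).items():
            if not isinstance(value, str) or not value:
                continue
            if SECRET_NAME_HINT.search(var) or SECRET_VALUE_HINT.match(value):
                findings.append((server_name, var))
    return findings


if __name__ == "__main__":
    for server_name, var in find_inline_secrets(SAMPLE_CONFIG):
        print(f"inline credential: mcpServers.{server_name}.env.{var}")
```

Run it against your real config file; any line it prints is a value that lives in the server process for the whole session.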

Continue reading on Dev.to Webdev

