Infisical Secrets MCP
a vault the machines can open and the people cannot
The stack had too many keys living in too many places. API tokens in the Coolify UI. OAuth blobs in the Mongo backing LibreChat. Credentials in the n8n store. Passwords in my head and, worse, in my dotfiles. Every refactor cost a half hour of hunting.
Infisical Secrets MCP makes the vault the only party with an opinion. Self-hosted Infisical behind the chatbot, wired in through its official MCP server, so the agent can pull secrets at request time without ever surfacing them to a chat transcript. Rotations happen once, in one place. Services read from the vault at boot and forget what they read.
First delivery is deliberately modest — a single piloted secret, one service migrated — because migrating secrets sideways is how you accidentally page yourself at 3 a.m. The rest of the stack moves over, one service per issue, in the backlog.