| What | Where | Risk if leaked |
|---|---|---|
SPLUNK_MCP_TOKEN |
.env only |
Full read access to your Splunk data |
ANTHROPIC_API_KEY |
.env only |
Billed API usage |
- Never commit
.env- it is in.gitignore - Never hardcode tokens in source files
- Never log tokens - the
--debugflag only shows method names, never credential values - Rotate immediately if you suspect a token has been exposed
# Linux/macOS - owner read/write only
chmod 600 .env
# Verify
ls -la .env
# Should show: -rw------- (600)On Windows, right-click .env → Properties → Security → remove all users except yourself.
Splunk MCP tokens use public-key encryption - they cannot be reused outside the MCP context. They are scoped to MCP tool execution only, not full Splunk admin access.
Still: treat them as secrets. Regenerate from the MCP Server app if compromised.