pub enum UpstreamAuth {
Bearer {
sealed_secret_ref: String,
},
Header {
header_name: String,
sealed_secret_ref: String,
},
EnvVar {
env_var_name: String,
sealed_secret_ref: String,
},
QueryParam {
param_name: String,
sealed_secret_ref: String,
},
}Expand description
How the operator’s upstream credentials are injected into an MCP
invocation. The actual secret is NOT stored in this struct — it is
stored separately by the node in a sealed credential vault, keyed
by sealed_secret_ref. The operator’s secret is fetched only at
invocation time and zeroized after the request completes.
Tenants who present a Tenzro API key never see sealed_secret_ref
or the underlying secret. They see only the MCP’s response payload.
Variants§
Bearer
Authorization: Bearer <secret> header on the outbound request.
Fields
Header
Arbitrary header injection: <header_name>: <secret>.
EnvVar
For stdio MCPs only: secret is injected as an environment
variable in the spawned subprocess. Common for npm-package
MCPs that expect e.g. OPENAI_API_KEY, STRIPE_API_KEY, etc.
QueryParam
Query-string parameter on the endpoint URL (rare; some legacy services). Discouraged for new integrations because of URL logging concerns, but supported for completeness.
Implementations§
Source§impl UpstreamAuth
impl UpstreamAuth
Sourcepub fn sealed_secret_ref(&self) -> &str
pub fn sealed_secret_ref(&self) -> &str
Returns the sealed-secret reference for vault lookup.
Trait Implementations§
Source§impl Clone for UpstreamAuth
impl Clone for UpstreamAuth
Source§fn clone(&self) -> UpstreamAuth
fn clone(&self) -> UpstreamAuth
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more