Manage runtime secrets and config
Keep server settings in the Runtime Profile and keep credentials out of AI client files. LightNow Proxy resolves the permitted runtime material when a managed client starts an MCP request.
Choose the right storage
| Put the value in | Use it for | Examples |
|---|---|---|
| Runtime config | Values that are safe to review and diagnose | Transport, timeout, working directory, input mapping |
| Runtime secrets | Values that grant access or sign requests | API keys, authorization headers, passwords |
| External secret provider | Credentials owned by your security platform | A Vault KV v2 path and field |
If a value would be unsafe in a support ticket, treat it as a secret. Client connection details generated by LightNow are neither server config nor server secrets; leave them in the generated proxy/client configuration.
Configure a server
- Open the Runtime Profile in the LightNow app.
- Select the server alias. The alias matters when the same server appears more than once in a profile.
- Add non-sensitive values under runtime config.
- Add credentials under secrets. Store an encrypted LightNow-managed value or select an external reference when your organization has configured one.
- Save the server and resolve every required input reported by the UI.
Organization secret providers are configured under Settings → Secret management. The current external provider type is Vault KV v2. Provider credentials and LightNow-managed secret values are write-only: the UI and API can report that a value exists without returning the value.
Sync the managed client
After saving the Runtime Profile, regenerate the proxy configuration for the client that should use it.
lightnow sync --client codex --local-proxy
Restart the AI client after the sync. Existing sessions can retain the MCP server list they loaded at startup.
Verify readiness
First confirm that the client points to the generated proxy entry, then check the exact proxy configuration used by that client.
lightnow config-status --client codex --json lightnow-proxy --config ~/.lightnow/lightnow-proxy/codex.yaml --health --json
The health report is designed for runtime status and does not print secret values. A missing input means the selected profile, alias, or organization context still lacks required material. Fix the value in the Runtime Profile; do not patch the generated YAML or the AI client file.
Rotate or remove a secret
Replace a LightNow-managed value or update its external reference in the same profile server row. Remove values that are no longer required, save the profile, and run the health check again. A running client does not need a copy of the rotated value because the runtime resolves it when needed.
Troubleshoot
| Symptom | Check |
|---|---|
| The UI still reports a missing input | Confirm the active Personal or organization context, Runtime Profile, and server alias. |
| Proxy health reports authentication failure | Replace the managed value or test the external provider, then retry health. |
| The client still uses an old value or server list | Re-sync the client and start a new client session. |
| A direct export contains placeholders | This is the safe default. Use LightNow Proxy instead of inserting plaintext. |
Continue with Debug LightNow Proxy when the values are complete but the runtime is still unhealthy. Use runtime events to inspect metadata from an actual session without copying credentials into a ticket.