Skip to main content

Manage runtime secrets and config

Keep server settings in the Runtime Profile and keep credentials out of AI client files. LightNow Proxy resolves the permitted runtime material when a managed client starts an MCP request.

Choose the right storage

Put the value inUse it forExamples
Runtime configValues that are safe to review and diagnoseTransport, timeout, working directory, input mapping
Runtime secretsValues that grant access or sign requestsAPI keys, authorization headers, passwords
External secret providerCredentials owned by your security platformA Vault KV v2 path and field

If a value would be unsafe in a support ticket, treat it as a secret. Client connection details generated by LightNow are neither server config nor server secrets; leave them in the generated proxy/client configuration.

Configure a server

  1. Open the Runtime Profile in the LightNow app.
  2. Select the server alias. The alias matters when the same server appears more than once in a profile.
  3. Add non-sensitive values under runtime config.
  4. Add credentials under secrets. Store an encrypted LightNow-managed value or select an external reference when your organization has configured one.
  5. Save the server and resolve every required input reported by the UI.

Organization secret providers are configured under Settings → Secret management. The current external provider type is Vault KV v2. Provider credentials and LightNow-managed secret values are write-only: the UI and API can report that a value exists without returning the value.

Sync the managed client

After saving the Runtime Profile, regenerate the proxy configuration for the client that should use it.

Sync Codex through LightNow Proxy
lightnow sync --client codex --local-proxy

Restart the AI client after the sync. Existing sessions can retain the MCP server list they loaded at startup.

Verify readiness

First confirm that the client points to the generated proxy entry, then check the exact proxy configuration used by that client.

Verify client posture and proxy health
lightnow config-status --client codex --json
lightnow-proxy --config ~/.lightnow/lightnow-proxy/codex.yaml --health --json

The health report is designed for runtime status and does not print secret values. A missing input means the selected profile, alias, or organization context still lacks required material. Fix the value in the Runtime Profile; do not patch the generated YAML or the AI client file.

Rotate or remove a secret

Replace a LightNow-managed value or update its external reference in the same profile server row. Remove values that are no longer required, save the profile, and run the health check again. A running client does not need a copy of the rotated value because the runtime resolves it when needed.

Troubleshoot

SymptomCheck
The UI still reports a missing inputConfirm the active Personal or organization context, Runtime Profile, and server alias.
Proxy health reports authentication failureReplace the managed value or test the external provider, then retry health.
The client still uses an old value or server listRe-sync the client and start a new client session.
A direct export contains placeholdersThis is the safe default. Use LightNow Proxy instead of inserting plaintext.

Continue with Debug LightNow Proxy when the values are complete but the runtime is still unhealthy. Use runtime events to inspect metadata from an actual session without copying credentials into a ticket.