Deploying ADK Agent Securely While Maintaining Access to Local MCP tools (e.g. filesystem) and OAuth procedures for the user

[enxilium]

I am building an Electron app that speaks with an ADK agent over a Websocket connection. This ADK agent requires access to local-based MCPs, such as filesystem. How do I deploy it into production, while effectively/securely managing my API key? Should I store my API key in a remote server and inject it at runtime?

[adk-bot]

Response from ADK Answering Agent (experimental, answer may be inaccurate)

TLDR: The recommended and most secure approach to managing your API key is to use environment variables. This method is more secure than hardcoding keys in your code or passing them as plaintext arguments.

---

Hello! That's a great question on how to securely manage API keys for your ADK agent.

Environment Variables

The best practice for managing sensitive information like API keys is to use environment variables. [1] By setting your API key as an environment variable, you avoid hardcoding it in your application, which is a significant security risk.

You can set an environment variable in your terminal like this:

macOS/Linux:

export API_KEY="your_api_key"

Windows:

set API_KEY="your_api_key"

Then, in your Python code, you can access the API key using the os module:

import os

api_key = os.environ.get("API_KEY")

Secret Management Services

For production environments, we recommend using a secret management service like Google Secret Manager, AWS Secrets Manager, or HashiCorp Vault. These services provide a more secure way to manage your secrets, with features like encryption at rest and in transit, fine-grained access control, and audit logging.

ADK's Authentication Handling

ADK has built-in features to handle various authentication methods securely. You can define how an API expects authentication credentials using AuthScheme and AuthCredential. This allows you to abstract the authentication logic from your agent's business logic, making your code cleaner and more secure.

For more information, please refer to the following documentation:

• ADK Tools: Authentication
• ADK MCP Tools
• ADK Custom Streaming
• ADK Agent Team Tutorial

I hope this helps! Let me know if you have any other questions.

---

This response was generated by an automated agent. Please leave a comment if you have any feedback.

[1] https://google.github.io/adk-docs/tools/authentication/
[2] https://google.github.io/adk-docs/tools/mcp-tools/
[3] https://google.github.io/adk-docs/streaming/custom-streaming/
[4] https://github.com/google/adk-docs/blob/main/examples/python/tutorial/agent_team/adk-tutorial/readme.md