[GH-ISSUE #21902] feat: Per User - Encrypted Key/Value secrets vault #58275

Closed
opened 2026-05-05 22:46:27 -05:00 by GiteaMirror · 0 comments

Originally created by @icsy7867 on GitHub (Feb 26, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21902

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

I have been starting to explore making and using MCP servers. However, one of the biggest issues I am facing is poor, specific user requirements. Authentication being the largest, but there are other concerns and capabilities that would be useful as well.

I have been experimenting with fastmcp, and I have made a really neat, simple MCP server with some useful IT diagnostics, like HTTP/HTTPS curl checks on a URL (like getting headers and HTTP status codes), CA chain retrieval on a specific IP/DNS and port (like if someone needed an LDAPS CA chain for their LDAPS connection), NMAP queries, TCP/UDP port checking. However, all of these things are easy because anyone can do these things from pretty much anywhere.

Someone recently sent me this:
https://github.com/rhel-lightspeed/linux-mcp-server

Which looks really helpful and neat, but I would like to avoid manually managing permissions, and linking admin/root credentials for the entire MCP server. I would prefer to be able to track who does what and when as an IT Admin.

So I was thinking, what if there was a way that individuals could reference secret keys in the chat or per MCP server similarly to how kubernetes handles these:

...
    spec:
      containers:
      - name: app-container
        image: nginx:latest
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password

This functionality is very helpful, as I can store deployments in gitlab/github, pull them with fleet, or share them without fear of sharing and revealing some sensitive password or string.

Desired Solution you'd like

Using the linux management MCP server as a hypothetical example... what if...

User John Smith could:

  • Manage their own personal secrets vault, adding in unique KEYS that contained some sensitive or secret value.
  • When chatting with an LLM, they could either reference the secret manually (i.e. ${{{MY_SECRET}}}) or click the little + symbol, click a vault section, and be able to manually select a KEY to use.
  • This key, I.E ${{{MY_SECRET}}} would display in the chat as ${{{MY_SECRET}}}, and when sharing the chats, other users, or even admins would only see ${{{MY_SECRET}}}
  • However, when the secret was parsed on the backend, or sent to an LLM, or MCP Server/Tool/Function it should be parsed as the actual value.

Other considerations:

  • When the LLM returns an answer, if a sub-string in the response matches a secret, it should be obfuscated. I acknowledge this part is difficult, since streaming back tokens would be hard. However a system prompt injected in when using secrets telling the model to never use "these values" in your response, could work.
  • The variable reference should be fairly unique to prevent obfuscation in a response. ${{{MY_SECRET}}} probably wouldn't even match anything that it shouldn't, for example. $MY_SECRET might accidentally match a variable in a code block for a different purpose, for example, which would confuse the LLM/response I believe.
  • For Functions/Tools/MCP servers, it would be great to be able to specify values to automatically include in a specific MCP server, whether a user provided one, or one provided at the admin level. This would require a section in the user settings that shows what tools are provided, and provide the ability to provide a custom KEY and a specific secret value.

I.E
You may have a secret key called ${{{MY_SECRET_SSH_KEY}}} with an ssh key as the value. When talking to a specific MCP tool or service, I might want to tell the LLM that MY SSH Key ${{{MY_SECRET_SSH_KEY}}}, so the "KEY" for that specific MCP server would be "My SSH Key", which should make more sense to the LLM when doing a function/tool call vs MY_SECRET_SSH_KEY ${{{MY_SECRET_SSH_KEY}}} (Though the LLM would probably understand this...)

This could work for anything, but especially could be beneficial for OAUTH tokens, passwords, ssh or PKI certs, access tokens, etc...

Alternatives Considered

I couldn't find any alternatives.

Additional Context

No response
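
The two mechanisms the request describes, backend-only resolution of `${{{KEY}}}` references and masking of secret values in a streamed response, as an added sketch that is not Open WebUI code or the issue author's. The function names, the plain-dict vault (encryption at rest omitted) and the sample secret are assumptions made for illustration.

```python
import re

# Placeholder syntax proposed in the issue: ${{{KEY}}}
REF = re.compile(r"\$\{\{\{([A-Za-z0-9_]+)\}\}\}")

# Constructed sample data: one user's decrypted vault (hypothetical layout).
VAULT_JOHN = {"MY_SECRET": "hunter2-constructed"}

def resolve(text, vault):
    """Swap ${{{KEY}}} for the caller's own secret; unknown keys stay literal."""
    return REF.sub(lambda m: vault.get(m.group(1), m.group(0)), text)

def mask(text, vault):
    """Replace any secret value found in text with its ${{{KEY}}} reference."""
    # Longest value first, so a secret containing a shorter one is masked whole.
    for key, value in sorted(vault.items(), key=lambda kv: -len(kv[1])):
        if value:
            text = text.replace(value, "${{{%s}}}" % key)
    return text

def mask_stream(chunks, vault):
    """Mask secrets in a token stream, including ones split across chunks."""
    # A secret of length L can leave at most L-1 characters dangling at the
    # end of the buffer, so that many characters are held back each round.
    hold = max([len(v) for v in vault.values()] + [1]) - 1
    buf = ""
    for chunk in chunks:
        buf = mask(buf + chunk, vault)
        cut = max(len(buf) - hold, 0)
        if cut:
            yield buf[:cut]
        buf = buf[cut:]
    if buf:
        yield buf  # stream finished: nothing further can complete a secret

if __name__ == "__main__":
    stored = "connect using ${{{MY_SECRET}}}"      # what the chat log keeps
    print(resolve(stored, VAULT_JOHN))             # what the tool call receives
    print(resolve(stored, {}))                     # another user's view: unresolved
    reply = ["the value is hun", "ter2-cons", "tructed, done"]
    print("".join(mask_stream(reply, VAULT_JOHN)))
```

The hold-back delays streamed output by up to the length of the longest secret minus one character. Exact substring matching does not catch a secret the model re-encodes or reformats (for example base64 or inserted spaces).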


Reference: github-starred/open-webui#58275