Credential Vault

Most MCP servers store their own OAuth tokens. That means duplicated refresh tokens across every server, no central revocation, and every new MCP server is a new place a credential could leak.

MCP Factory holds them all in one place.

How it works

Each integration (Google, Microsoft, GHL, WordPress, etc.) is connected once to MCP Factory through a standard OAuth flow. The refresh token lives in the vault. Your MCP server requests a fresh access token at runtime — it never sees, stores, or rotates the refresh token itself.

What the vault stores

• OAuth refresh tokens (Google Ads, Gmail, GSC, Microsoft Graph, OneNote, GHL, more)
• Static API keys (KIE.ai, Cloudflare, Telnyx, Stripe, etc.)
• Per-tenant service credentials with global-vs-user scoping
• Integration metadata (which user, which scopes, last refresh time)

Why this matters

If a token gets compromised, you revoke it in one place. If you need to rotate a client secret, you do it in one place. If a new MCP server needs the same integration, it asks the vault — no copy-paste between repos.

Self-host the vault on your own infrastructure, or use the hosted version. Either way, your MCP servers stop being credential stores.