
Security & credential handling

  • Treat client_secret like a password. Never commit it to source control, embed it in client-side code, or share it over insecure channels.
  • Store secrets in a secrets manager (e.g. AWS Secrets Manager, Vault) and inject at runtime — not in plaintext config files.
  • Rotate on suspected compromise. Contact Bonafide to rotate your credentials; the old secret is revoked immediately.
  • Transport is TLS only. All traffic to mcp.bonafide.ai is HTTPS; plaintext HTTP is rejected.
  • Tokens are short-lived. Bearer tokens expire; re-mint via client_credentials (see Connect programmatically) or rely on Claude’s silent refresh (see Connect from Claude).
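
The sketch below is an added example, not Bonafide's own code: it reads the secret from a runtime-injected environment variable, refuses a non-HTTPS token endpoint, and re-mints the bearer token shortly before it expires. The variable name BONAFIDE_CLIENT_SECRET, the endpoint path, and the standard OAuth 2.0 form and response fields (grant_type, access_token, expires_in) are assumptions; the caller supplies the function that performs the HTTPS POST.

```python
import os
import time
from urllib.parse import urlsplit


class TokenCache:
    """Caches a bearer token and re-mints it shortly before it expires."""

    def __init__(self, token_url, client_id, mint, env=os.environ,
                 clock=time.monotonic, skew=30):
        # TLS only: never send the secret to anything but an https:// URL.
        if urlsplit(token_url).scheme != "https":
            raise ValueError("token endpoint must use https")
        # The secret is injected at runtime (for example by a secrets manager),
        # never hard-coded. The variable name is an assumption.
        secret = env.get("BONAFIDE_CLIENT_SECRET")
        if not secret:
            raise RuntimeError("BONAFIDE_CLIENT_SECRET is not set")
        self._url, self._id, self._secret = token_url, client_id, secret
        self._mint, self._clock, self._skew = mint, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return f"TokenCache(client_id={self._id!r}, secret=<redacted>)"

    def get(self):
        """Return a valid token, re-minting when within `skew` seconds of expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            form = {"grant_type": "client_credentials",
                    "client_id": self._id, "client_secret": self._secret}
            resp = self._mint(self._url, form)  # caller-supplied HTTPS POST
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
        return self._token


if __name__ == "__main__":
    # Constructed stand-in for the real HTTPS call, so this runs offline.
    def fake_mint(url, form):
        return {"access_token": "constructed-token", "expires_in": 300}

    cache = TokenCache("https://mcp.bonafide.ai/TOKEN-PATH-PLACEHOLDER",
                       "example-client", fake_mint,
                       env={"BONAFIDE_CLIENT_SECRET": "constructed-secret"})
    print(cache, cache.get())
```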