
Feature: Support environment variables for OAuth credentials #37

@benjrich-jasper

Summary

Add support for providing OAuth credentials via environment variables as an alternative to file-based configuration. This enables better integration with secret management systems and automation workflows.

Motivation

Currently, credentials must be provided via a JSON file specified by VANTA_ENV_FILE. While this works, many users prefer to:

  • Use their existing secret management systems (1Password, Vault, AWS Secrets Manager, etc.)
  • Avoid storing credentials in files on disk
  • Simplify CI/CD and automation setups

Proposed Implementation

New Environment Variables

  • VANTA_MCP_CLIENT_ID - OAuth client ID
  • VANTA_MCP_CLIENT_SECRET - OAuth client secret

Credential Resolution Order

  1. Environment variables (if both VANTA_MCP_CLIENT_ID and VANTA_MCP_CLIENT_SECRET are set)
  2. File-based (fallback to VANTA_ENV_FILE if env vars not set)

Code Changes

src/auth.ts - loadCredentials() function:

function loadCredentials(): OAuthCredentials {
  const clientIdFromEnv = process.env.VANTA_MCP_CLIENT_ID;
  const clientSecretFromEnv = process.env.VANTA_MCP_CLIENT_SECRET;

  // If both environment variables are set, use them
  if (clientIdFromEnv && clientSecretFromEnv) {
    return {
      client_id: clientIdFromEnv,
      client_secret: clientSecretFromEnv,
    };
  }

  // If only one is set, warn about the incomplete configuration
  if (clientIdFromEnv || clientSecretFromEnv) {
    console.error(
      "Warning: Only one of VANTA_MCP_CLIENT_ID or VANTA_MCP_CLIENT_SECRET is set. Both are required to use environment variable credentials. Falling back to file-based credentials.",
    );
  }

  // Fall back to file-based credentials
  const envFile = process.env.VANTA_ENV_FILE;
  if (!envFile) {
    throw new Error(
      "No credentials configured. Either set both VANTA_MCP_CLIENT_ID and VANTA_MCP_CLIENT_SECRET environment variables, or set VANTA_ENV_FILE to point to a credentials file.",
    );
  }
  
  // ... rest of existing file-based logic
}
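A complete version of the resolution order above, written as an added example rather than the project's own auth.ts; it assumes the VANTA_ENV_FILE JSON uses client_id and client_secret keys (the issue does not show the file format) and takes its environment as a parameter so the fallback path can be exercised with constructed inputs. It also keeps secret values and the JSON parser's own message out of warnings and errors, since Node's JSON.parse error text can quote the offending input.

```typescript
import { readFileSync } from "node:fs";

interface OAuthCredentials {
  client_id: string;
  client_secret: string;
}

// Inputs are injected so the resolver can be driven by constructed
// environments instead of the real process.env (call with { env: process.env }).
interface ResolverInput {
  env: Record<string, string | undefined>;
  readFile?: (path: string) => string;
  warn?: (message: string) => void;
}

function resolveCredentials(input: ResolverInput): OAuthCredentials {
  const env = input.env;
  const readFile = input.readFile ?? ((p: string) => readFileSync(p, "utf8"));
  const warn = input.warn ?? ((m: string) => console.error(m));
  const id = env.VANTA_MCP_CLIENT_ID;
  const secret = env.VANTA_MCP_CLIENT_SECRET;

  // 1. Both variables set: use them and never touch the file.
  if (id && secret) return { client_id: id, client_secret: secret };

  // Partial configuration: warn, but do not echo whichever value is set.
  if (id || secret) {
    warn("Warning: only one of VANTA_MCP_CLIENT_ID / VANTA_MCP_CLIENT_SECRET is set; falling back to VANTA_ENV_FILE.");
  }

  // 2. File-based fallback. Assumed file layout: {"client_id": "...", "client_secret": "..."}.
  const envFile = env.VANTA_ENV_FILE;
  if (!envFile) {
    throw new Error("No credentials configured: set both VANTA_MCP_CLIENT_ID and VANTA_MCP_CLIENT_SECRET, or VANTA_ENV_FILE.");
  }
  let raw: string;
  try { raw = readFile(envFile); } catch { throw new Error(`Cannot read credentials file ${envFile}`); }
  let parsed: unknown;
  // The parser's own message is not forwarded: JSON.parse errors can quote the file content.
  try { parsed = JSON.parse(raw); } catch { throw new Error(`Credentials file ${envFile} is not valid JSON`); }
  const obj = (typeof parsed === "object" && parsed !== null ? parsed : {}) as Record<string, unknown>;
  const fileId = obj.client_id;
  const fileSecret = obj.client_secret;
  // Validate shape without including field values in the error.
  if (typeof fileId !== "string" || fileId === "" || typeof fileSecret !== "string" || fileSecret === "") {
    throw new Error(`Credentials file ${envFile} must contain non-empty string fields client_id and client_secret`);
  }
  return { client_id: fileId, client_secret: fileSecret };
}
```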

Documentation Updates (README.md)

Add configuration examples showing both options:

Claude Desktop / Cursor config with env vars:

{
  "mcpServers": {
    "vanta": {
      "command": "npx",
      "args": ["-y", "@vantasdk/vanta-mcp-server"],
      "env": {
        "VANTA_MCP_CLIENT_ID": "your_client_id_here",
        "VANTA_MCP_CLIENT_SECRET": "your_client_secret_here"
      }
    }
  }
}

Update the Environment Variables section to document:

  • VANTA_MCP_CLIENT_ID and VANTA_MCP_CLIENT_SECRET as the preferred method
  • VANTA_ENV_FILE as the fallback option

Benefits

  • Security: Credentials never written to disk
  • Flexibility: Works with any secret management system
  • Simplicity: Fewer files to manage
  • Backwards compatible: Existing VANTA_ENV_FILE users unaffected

Testing Notes

I have tested this locally and confirmed:

  • Env var credentials work when both are set
  • Falls back to file-based when env vars not set
  • Warning displayed when only one env var is set
  • Clear error message when no credentials configured
