- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- Configuring automation capabilities
- Solutions
- Audit
- Settings
- Registry
- Cloud robots
- Automation Suite Robots
- Folders Context
- Processes
- Jobs
- Apps
- Triggers
- Logs
- Monitoring
- Indexes
- Queues
- Assets
- Connections
- Business Rules
- Storage Buckets
- MCP Servers
- Orchestrator testing
- Resource Catalog Service
- Integrations
- Troubleshooting
Orchestrator user guide
MCP Servers often need secrets (API keys, database credentials, service tokens) to connect to external systems. Instead of hardcoding these values into MCP Server configuration, you can reference Orchestrator Assets using the %ASSETS/AssetName% syntax. At runtime, the robot resolves these references and injects the actual asset values as environment variables.
The mechanism is the same for Command and Coded MCP Servers. Only where the environment variables are configured differs between the two.
Create the asset in Orchestrator
Go to your folder in Orchestrator > Assets > Create Asset. For example:
- Name:
MyApiKey - Type: Secret (or Credential for username/password pairs)
- Value:
sk-abc123...
The asset must be in the same folder as the MCP Server.
Reference the asset in the MCP Server environment variables
The asset reference syntax is identical across server types. The location of the environment variables differs:
| Server type | Where to configure environment variables |
|---|---|
| Command MCP Server | Directly on the MCP Server, in the Environment Variables field of the create or edit form in Orchestrator. |
| Coded MCP Server | On the process in Orchestrator: Settings > Environment Variables. |
In both cases, entries take the form KEY=VALUE, with %ASSETS/AssetName% as the value:
API_KEY=%ASSETS/MyApiKey%
DATABASE_URL=%ASSETS/MyDatabaseUrl%
REGION=us-east-1
API_KEY=%ASSETS/MyApiKey%
DATABASE_URL=%ASSETS/MyDatabaseUrl%
REGION=us-east-1
Asset references and plain values can be mixed. Each variable goes on its own line.
Read the variables in your server code
Orchestrator stores the raw environment variables, including the %ASSETS/...% placeholders, in the database, encrypted at rest. When a session starts, Orchestrator forwards them to the Serverless runtime, which resolves the asset references to their actual values before passing them to the MCP Server process.
In the MCP Server code, the variables are then available as standard environment variables. For example:
import os
api_key = os.environ.get("API_KEY") # Resolved to the asset value at runtime
import os
api_key = os.environ.get("API_KEY") # Resolved to the asset value at runtime
The following behaviors apply to asset inference in MCP Servers:
- Asset names are case-insensitive in the
%ASSETS/...%syntax. - The environment-variable key determines secret masking in the UI. Keys matching patterns such as
API_KEY,SECRET,PASSWORD,TOKEN, orAuthorizationare automatically masked with****. The%ASSETS/...%reference itself is always visible (not masked). - If an asset does not exist or the robot does not have access, the environment variable will not be resolved and the server will receive the raw
%ASSETS/...%string.