Best Practices & Security
Secure and optimize your MCP setup
Giving an AI assistant direct access to your infrastructure is powerful, but it comes with responsibilities. Follow these guidelines to keep your data safe.
1. Security First
❌ Audit Your Keys
NEVER paste API keys directly into Cursor or Claude configuration files if those files are checked into git.
✅ Use Environment Variables
Always use environment variables for sensitive data.
Bad:
"env": {
  "SUPABASE_KEY": "eyJhbGciOiJIUzI1Ni..." // ❌ Don't do this
}
Good:
"env": {
  "SUPABASE_KEY": "your-env-var" // ✅ Configure this in the IDE's secure storage
}
In Cursor, you can set environment variables in the MCP settings interface, which stores them locally on your machine, not in the project files.
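A check you can run before committing an MCP config, as an added example that is not part of the original guide: it walks each server's `env` map and reports the names of variables whose values look like pasted credentials. The `mcpServers` layout, the `${VAR}` reference syntax, the entropy threshold and all sample values are assumptions.

```javascript
// Added example: flag literal secrets in the "env" maps of an MCP config.
// Assumes the "mcpServers" -> <name> -> "env" layout; thresholds are illustrative.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Returns why a value looks like a pasted credential, or null if it looks safe.
function classifyValue(value) {
  if (typeof value !== "string" || value === "") return null;
  if (/^\$\{[^}]+\}$/.test(value)) return null; // ${VAR}-style reference (assumed syntax)
  if (/^eyJ[\w-]+\.[\w-]+\.[\w-]+$/.test(value)) return "jwt";
  if (/^eyJ[\w-]{10,}/.test(value)) return "jwt-prefix"; // truncated or partial JWT
  if (value.length >= 24 && shannonEntropy(value) >= 4.0) return "high-entropy";
  return null;
}

function findHardcodedSecrets(configText) {
  const servers = JSON.parse(configText).mcpServers || {};
  const findings = [];
  for (const [server, def] of Object.entries(servers)) {
    for (const [name, value] of Object.entries((def && def.env) || {})) {
      const reason = classifyValue(value);
      // Report the variable name and reason only; never echo the value itself.
      if (reason) findings.push({ server, name, reason });
    }
  }
  return findings;
}

// Constructed sample config: every value below is fabricated, not a real credential.
const SAMPLE = JSON.stringify({
  mcpServers: {
    supabase: { command: "npx", env: {
      SUPABASE_KEY: "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy" } },
    firebase: { command: "npx", env: { FIREBASE_TOKEN: "${FIREBASE_TOKEN}" } },
    revenuecat: { command: "npx", env: {
      RC_KEY: "k9Xq2LmZ7pRw4TbV8nYc3HsD6fGj1AeU", LOG_LEVEL: "debug" } },
  },
});

console.log(findHardcodedSecrets(SAMPLE));
```

Wired into a pre-commit hook, a non-empty result would block the commit; the heuristics can miss short or low-entropy keys, so treat a clean result as a minimum bar.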
Use Least-Privilege Keys
- For RevenueCat, use the Public API Key if read-only access is sufficient.
- For Firebase, create a customized Service Account with only the roles needed (e.g., Viewer, not Editor).
2. Performance
Lazy Loading
If you have 10+ MCP servers configured, your IDE startup might slow down.
- Enable only what you need: If you are working on frontend UI, you might not need the Supabase server running. Toggle them off in Cursor settings.
Context Usage
MCP servers provide a lot of data.
- Be Specific: Don't ask "Read my whole database." Ask "Read the schema for the users table."
- Token limits: Large schemas can consume your context window.
3. Workflow
"Ask Before Action"
When using MCP servers that can write or modify data (like Supabase SQL execution), always ask the AI to plan before executing.
"Plan the migration to add a phone column to users. Show me the SQL first."
Keep Servers Updated
MCP is a new and evolving protocol. Regularly update your npx commands to fetch the latest server versions:
# Clear npx cache if things act up
npx clear-npx-cache
4. Troubleshooting
"Server Connection Failed"
- Check if you are on a VPN (some firewalls block localhost connections).
- Verify Node.js version is 18+.
- Check if the API keys are expired.
"AI Hallucinating Columns"
If the AI suggests columns that don't exist:
- Ask it to "Refresh schema" (it normally caches it).
- Restart the MCP server in settings.