I’m testing Agent Builder and have a specific question I haven’t been able to find an answer to.
One of our MCP servers requires its key to be rotated every hour (unfortunately not under my control). In our other AI setups, we handle this with a scheduled task that refreshes the key automatically.
My understanding is that in Agent Builder, the MCP tooling is fully hosted, meaning the key is also stored on OpenAI’s side. Other agent-builder platforms (e.g., ElevenLabs’ implementation) typically expose an API endpoint to update this key programmatically, but I haven’t been able to find an equivalent option for OpenAI’s Agent Builder.
Does anyone know if there is a supported method to update MCP keys programmatically, or any recommended workaround?
Unfortunately, I think this is at least partly by design. The Responses API docs say MCP authorization values are not stored and must be supplied on each request, likely for security reasons.
For hosted Agent Builder, I haven’t found a documented API to update MCP secrets programmatically. The workaround seems to be either running the workflow through your own backend so you can inject a fresh token per request, or putting a small proxy MCP server in front of the upstream service and handling token rotation there.
So for this particular case, using MCP directly inside hosted Agent Builder feels more suitable for prototyping than production, especially if the credential rotates every hour.
I use it though for my ChatKit+FileSearch. It works well on that (prod), but not with MCP.
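A sketch of the proxy workaround mentioned in the reply above, added here as an example and not taken from the thread or from any OpenAI code: the proxy caches the hourly key, refreshes it shortly before expiry, and retries once with a forced refresh if the upstream answers 401. The `fetch` and `send` callables, the `Bearer` scheme and the 5-minute margin are assumptions.

```python
import threading
import time

class RotatingKey:
    """Caches the upstream MCP key and refreshes it shortly before expiry."""
    def __init__(self, fetch, ttl=3600.0, margin=300.0, clock=time.monotonic):
        self._fetch = fetch        # hypothetical callable returning the current key
        self._ttl = ttl            # hourly rotation, as described in the question
        self._margin = margin      # assumed: refresh 5 minutes ahead of expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._key, self._expires = None, 0.0
    def get(self, force=False):
        with self._lock:           # one refresh at a time under concurrent requests
            now = self._clock()
            if force or self._key is None or now >= self._expires - self._margin:
                self._key = self._fetch()
                self._expires = now + self._ttl
            return self._key

def forward(request_headers, body, key_source, send):
    """Proxy one MCP request upstream with a fresh key; retry once on 401."""
    # Drop whatever credential the caller sent; the proxy owns the upstream key.
    headers = {k: v for k, v in request_headers.items()
               if k.lower() != "authorization"}
    for attempt in range(2):
        headers["Authorization"] = "Bearer " + key_source.get(force=attempt == 1)
        status, response = send(headers, body)   # hypothetical transport callable
        if status != 401:
            break
    return status, response

def demo():
    """Constructed scenario: fake clock, fake key issuer, fake upstream."""
    now = [0.0]
    issued = []
    def fetch():
        issued.append("key-%d" % (len(issued) + 1))
        return issued[-1]
    def send(headers, body):       # upstream accepts only the newest key
        ok = headers["Authorization"] == "Bearer " + issued[-1]
        return (200, "ok") if ok else (401, "expired")
    keys = RotatingKey(fetch, clock=lambda: now[0])
    first = forward({"authorization": "stale"}, b"{}", keys, send)
    now[0] = 3400.0                # inside the refresh margin
    second = forward({}, b"{}", keys, send)
    fetch()                        # upstream rotates early; the cache is now stale
    third = forward({}, b"{}", keys, send)
    return first, second, third, len(issued)
```

With this in place the hosted side only ever holds a credential for the proxy, and the rotating upstream key never leaves your own infrastructure.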