API Key additional handling

[chickymonkeys]

Overview

I have made some suggested changes to the Perplexity MCP Server's API key handling system to solve or workaround the issue in #17, and I will try to explain the technical reasoning behind the implementation decisions.

The Problem

Original Issue

The original README.md configuration suggested using .env files with automatic discovery:

{
  "mcpServers": {
    "perplexity": {
      "command": "node",
      "args": ["/path/to/perplexity-server/build/index.js"],
      "env": {
        "PERPLEXITY_API_KEY": "YOUR_API_KEY_HERE"
      }
    }
  }
}

However, this approach has some flaws:

1. Security Concerns: hardcoding the API key in the client configuration file is suboptimal because sometimes I want to commit that file.
2. MCP Client Parsing Issues: Kiro IDE is unable to properly parse API keys for the Perplexity MCP Server from an .env file, despite this working for other MCP servers like Context7. I have not found the exact reason for this.

A simple solution would be to just put the PERPLEXITY_API_KEY in the system environment variables or make a bash script that loads the environment variables before starting Kiro, but I thought to come up with a more general approach.

The Solution

New Three-Tier API Key Resolution System

I implemented a simple system that provides multiple reliable methods:

function getApiKey(): string {
  // 1. Command-line argument (highest priority)
  if (args['api-key']) {
    sanitizeArgs();
    return args['api-key'];
  }

  // 2. Environment variable
  if (process.env.PERPLEXITY_API_KEY) {
    return process.env.PERPLEXITY_API_KEY;
  }

  // 3. .env file (only with --cwd)
  if (args.cwd) {
    const key = readEnvFile(args.cwd);
    if (key) return key;
  }

  // Error if none found
  throw new Error(/* comprehensive error message */);
}

Priority Order Rationale

The Perplexity API Key is searched with this priority.

Command-line Argument (Highest Priority)

• ✅ Most Reliable: Direct argument passing is universally supported by all MCP clients
• ✅ Explicit Control: Users can override any other method
• ✅ Debugging Friendly: Easy to test and verify
• ⚠️ Security Trade-off: Visible in process lists (mitigated by argument sanitization)

Environment Variable (Preferred)

• ✅ Security: Not visible in process lists or configuration files
• ✅ Standard Practice: Industry standard for API key management
• ✅ MCP Compatible: Works reliably across different MCP client implementations
• ✅ Development Friendly: Easy to set in development environments

Explicit .env File (Lowest Priority)

• ✅ Project-Specific: Allows per-project API key configuration
• ✅ Controlled Discovery: Only reads files when explicitly told via --cwd
• ✅ Security: No automatic traversal of parent directories
• ⚠️ Complexity: Requires additional argument and file management

In this way, I can circumvent the problem of Kiro by passing the project directory with the .env file I am using for also the other MCP server using the --cwd argument.

Conclusion

I have changed the README file to explain how to use the new system, and I hope it will be useful.

[DaInfernalCoder]

sounds great, thanks for the pull!