Description
Feature hasn't been suggested before.
- I have verified this feature I'm about to request hasn't been suggested before.
Describe the enhancement you want to request
Config placeholder for credential helpers
Problem I'm solving
Currently, config files support {env:VAR} and {file:path} placeholders for injecting values. However, there's no way to securely fetch credentials from credential managers like macOS Keychain, 1Password, pass, or custom credential helpers (like git credential helpers).
Users who want to configure MCP server authentication must either:
- Hardcode tokens in config files (insecure)
- Store tokens in environment variables (requires manual setup)
- Store tokens in plain text files (insecure)
Solution
A {cmd:command} placeholder that executes a shell command and uses its stdout (trimmed) as the value. This enables integration with any credential manager or helper that can output secrets to stdout.
Use Cases
macOS Keychain:
Authorization: Bearer {cmd:security find-generic-password -s mcp-token -w}
1Password CLI:
Authorization: Bearer {cmd:op read op://vault/mcp-api/token}
pass (password-store):
Authorization: Bearer {cmd:pass show api/token}
Custom credential helper (git-style host:token format):
Authorization: Bearer {cmd:grep '^api.example.com:' ~/.credentials | cut -d: -f2}
Encrypted secrets:
Authorization: Bearer {cmd:openssl enc -aes-256-cbc -d -a -pass pass:$KEY -pbkdf2 -in secret.enc}
Example
{
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "internal-api": {
      "type": "remote",
      "url": "https://api.internal.example.com/mcp",
      "headers": {
        "Authorization": "Bearer {cmd:security find-generic-password -s mcp-token -w}"
      }
    }
  }
}
I already have a working implementation; if this is accepted, I can open a PR.
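
One way the proposed {cmd:command} resolution could behave, as an added example that is neither opencode's code nor the issue author's implementation: the helper's trimmed stdout becomes the value, and resolution fails closed on a non-zero exit, empty output or multi-line output. The function names, the `allowCommands` gate (so a config file the user does not own cannot trigger command execution) and the `printf` stand-in for a credential manager are assumptions.

```javascript
// Added example: a hypothetical resolver, not opencode's implementation.
const { execFileSync } = require("node:child_process");

// Matches {cmd:...}; a command containing "}" (such as ${VAR}) is not supported here.
const CMD_PLACEHOLDER = /\{cmd:([^}]+)\}/g;

function runHelper(command, timeoutMs) {
  let stdout;
  try {
    // The issue's use cases rely on pipes and $KEY, so the command goes through sh -c.
    stdout = execFileSync("/bin/sh", ["-c", command], {
      encoding: "utf8",
      timeout: timeoutMs,
      maxBuffer: 64 * 1024,
      stdio: ["ignore", "pipe", "ignore"], // helper stderr is dropped, not logged
    });
  } catch {
    // Fail closed; helper output is never echoed into the error message.
    throw new Error(`credential helper failed: ${command}`);
  }
  const secret = stdout.trim(); // "uses its stdout (trimmed) as the value"
  if (secret === "") throw new Error(`credential helper returned nothing: ${command}`);
  if (/[\r\n]/.test(secret)) throw new Error(`credential helper returned multiple lines: ${command}`);
  return secret;
}

function resolveCmdPlaceholders(value, { allowCommands = false, timeoutMs = 5000 } = {}) {
  return value.replace(CMD_PLACEHOLDER, (_match, command) => {
    // Assumption: the caller sets allowCommands only for config files the user owns.
    if (!allowCommands) throw new Error("{cmd:} used in a config where commands are disabled");
    return runHelper(command, timeoutMs);
  });
}

// Walk a parsed config and resolve placeholders in every string value.
function resolveConfig(node, opts) {
  if (typeof node === "string") return resolveCmdPlaceholders(node, opts);
  if (Array.isArray(node)) return node.map((item) => resolveConfig(item, opts));
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, resolveConfig(v, opts)]));
  }
  return node;
}

// Constructed sample: printf stands in for the Keychain command from the issue.
const SAMPLE_CONFIG = {
  mcp: { "internal-api": { type: "remote", headers: { Authorization: "Bearer {cmd:printf 'tok-123\\n'}" } } },
};
```

Rejecting multi-line output keeps a helper that prints extra lines from injecting additional header content into the `Authorization` value.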