- Added an "Append API Key to URL" block setting to the MCP Server List block. When disabled (the default), the API key is no longer included in the displayed MCP URL and the security notice is hidden.

Author: joshuahenninger

Rock.Blocks/Core/McpServerList.cs

@@ -40,24 +40,42 @@ namespace Rock.Blocks.Core
     [IconCssClass( "ti ti-robot" )]
     [SupportedSiteTypes( SiteType.Web )]
 
+    [BooleanField( "Append API Key to URL",
+        Description = "When enabled, the individual's API key is appended to the MCP URL. Use this if the MCP server requires authentication via URL parameter rather than using OAuth. Note that API keys grant access based on the permissions of the individual they belong to — treat them as sensitive credentials and avoid sharing or exposing MCP URLs that contain them.",
+        DefaultBooleanValue = false,
+        Order = 0,
+        Key = AttributeKey.AppendApiKeyToUrl )]
+
     [Rock.Cms.DefaultBlockRole( Rock.Enums.Cms.BlockRole.Primary )]
     [Rock.SystemGuid.EntityTypeGuid( "F0B14291-8035-4986-A4D8-DC1AE08E4F7B" )]
     [Rock.SystemGuid.BlockTypeGuid( "54B23A63-87C0-4955-B915-C91F23C36D48" )]
     public class McpServerList : RockBlockType
     {
+        #region Keys
+
+        private static class AttributeKey
+        {
+            public const string AppendApiKeyToUrl = "AppendApiKeyToUrl";
+        }
+
+        #endregion
+
         #region Methods
 
         public override object GetObsidianBlockInitialization()
         {
+            var appendApiKeyToUrl = GetAttributeValue( AttributeKey.AppendApiKeyToUrl ).AsBoolean();
+
             var box = new InitializationBox
             {
-                Items = GetMcpServers()
+                Items = GetMcpServers( appendApiKeyToUrl ),
+                IsApiKeyAppendedToUrl = appendApiKeyToUrl
             };
 
             return box;
         }
 
-        private List<McpServerListItemBag> GetMcpServers()
+        private List<McpServerListItemBag> GetMcpServers( bool appendApiKeyToUrl )
         {
             var mcpAiAgents = AIAgentCache.All()
                 .Where( a => a.AgentType == AgentType.Mcp )
@@ -84,21 +102,27 @@ private List<McpServerListItemBag> GetMcpServers()
 
             var publicApplicationRoot = GlobalAttributesCache.Get().GetValue( "PublicApplicationRoot" ).RemoveTrailingForwardslash();
 
-            // Create an API Key on block load instead of waiting for the individual to click the Copy URL button.
-            // Doing so here will place the sensitive API Keys in the page's HTML.
-            // If done in a block action, the API Key would be included in the API response which could be logged and
+            // Only create/fetch an API Key when the block is configured to append it to the URL.
+            // When appending, place the API Key in the page's HTML rather than returning it from a block action.
+            // A block action would include the API Key in an API response which could be logged and
             // would be more easily accessible to users inspecting network requests,
             // but including it in the page's HTML means it is less likely to be accidentally exposed in logs and is not included in API responses.
-            var apiKey = Types.Mobile.Cms.VoiceAgent.GetOrCreateMcpApiKeyForCurrentPerson( GetCurrentPerson(), RockContext );
+            var apiKey = appendApiKeyToUrl
+                ? Types.Mobile.Cms.VoiceAgent.GetOrCreateMcpApiKeyForCurrentPerson( GetCurrentPerson(), RockContext )
+                : null;
 
             return mcpAiAgents
                 .Select( aa => new McpServerListItemBag
                 {
                     AudienceType = aa.AudienceType,
                     Name = aa.Name,
                     Description = aa.Description,
-                    PartialUrl = $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}...",
-                    FullUrl = $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}?apikey={apiKey}",
+                    PartialUrl = appendApiKeyToUrl
+                        ? $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}..."
+                        : $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}",
+                    FullUrl = appendApiKeyToUrl
+                        ? $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}?apikey={apiKey}"
+                        : $"{publicApplicationRoot}/api/v2/mcp/{aa.Slug}",
                 } )
                 .ToList();
         }

Rock.JavaScript.Obsidian.Blocks/src/Core/mcpServerList.obs

@@ -5,7 +5,7 @@
         </template>
 
         <template v-if="items.length">
-            <NotificationBox alertType="warning">
+            <NotificationBox v-if="isApiKeyAppendedToUrl" alertType="warning">
                 <p><strong>Security Notice</strong></p>
                 Do not share the MCP links below. They are tied directly to your user account and permissions — sharing them could compromise your account and expose sensitive data.
             </NotificationBox>
@@ -47,21 +47,32 @@
     import NotificationBox from "@Obsidian/Controls/notificationBox.obs";
     import Panel from "@Obsidian/Controls/panel.obs";
     import { AudienceType, AudienceTypeDescription } from "@Obsidian/Enums/AI/Agent/audienceType";
-    import { useConfigurationValues } from "@Obsidian/Utility/block";
+    import { onConfigurationValuesChanged, useConfigurationValues, useReloadBlock } from "@Obsidian/Utility/block";
     import { InitializationBox } from "@Obsidian/ViewModels/Blocks/Core/McpServerList/initializationBox";
     import { McpServerListItemBag } from "@Obsidian/ViewModels/Blocks/Core/McpServerList/mcpServerListItemBag";
 
     const config = useConfigurationValues<InitializationBox>();
+    const reloadBlock = useReloadBlock();
+
+    // #region Computed Values
 
     const items = computed<McpServerListItemBag[]>(() => {
         return config.items || [];
     });
 
+    const isApiKeyAppendedToUrl = computed<boolean>(() => {
+        return config.isApiKeyAppendedToUrl === true;
+    });
+
     const panelLabel = computed<string>(() => {
         if (items.value.length === 0) {
             return "No MCP Servers";
         }
 
         return `${items.value.length} MCP Server${items.value.length === 1 ? "" : "s"}`;
     });
+
+    // #endregion Computed Values
+
+    onConfigurationValuesChanged(reloadBlock);
 </script>

Rock.JavaScript.Obsidian/Framework/ViewModels/Blocks/Core/McpServerList/initializationBox.d.ts

@@ -31,6 +31,12 @@ export type InitializationBox = {
      */
     errorMessage?: string | null;
 
+    /**
+     * Gets or sets a value indicating whether the individual's API key is appended to the MCP URL.
+     * When true, the URL contains a sensitive credential and a security notice should be displayed.
+     */
+    isApiKeyAppendedToUrl: boolean;
+
     /** Gets or sets the collection of MCP servers. */
     items?: McpServerListItemBag[] | null;
 

Rock.ViewModels/Blocks/Core/McpServerList/InitializationBox.cs

@@ -27,5 +27,11 @@ public class InitializationBox : BlockBox
         /// Gets or sets the collection of MCP servers.
         /// </summary>
         public List<McpServerListItemBag> Items { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether the individual's API key is appended to the MCP URL.
+        /// When <c>true</c>, the URL contains a sensitive credential and a security notice should be displayed.
+        /// </summary>
+        public bool IsApiKeyAppendedToUrl { get; set; }
     }
 }