MCP Configuration System

DeployStack uses a three-tier configuration architecture to manage MCP server arguments, environment variables, and credentials. This system enables secure credential management, team collaboration, and individual customization through sophisticated lock/unlock controls.

Three-Tier Architecture Overview

The system separates configuration into three distinct layers:

1. Template Level - Global schemas and locked elements defined by administrators
2. Team Level - Shared team configurations with lock/unlock controls
3. User Level - Personal configurations within team-defined boundaries per device

This architecture enables teams to share common settings like API keys while allowing individual members to customize personal settings like local file paths across multiple devices. Each user can have different configurations on different devices while maintaining team security and standards.

How It Works

┌─────────────────────────────────────────────────────────────────────────────────┐
│ TIER 1: TEMPLATE (Global Admin)                                                │
│ ┌─────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🔒 Locked Elements: ["-y", "@modelcontextprotocol/server-filesystem"]     │ │
│ │ 📋 Configuration Schemas: Define what teams/users can configure           │ │
│ │ 🛡️ Lock/Unlock Rules: Set security boundaries                             │ │
│ └─────────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────┘
                                        │
                                        ▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│ TIER 2: TEAM (Team Admin)                                                      │
│ ┌─────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🔧 Team Settings: API keys, shared credentials                             │ │
│ │ 🔒/🔓 Lock Controls: Decide what users can customize                       │ │
│ │ 👥 Team Isolation: Secure separation between teams                         │ │
│ └─────────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────┘
                                        │
                                        ▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│ TIER 3: USER (Individual) - Device-Aware                                      │
│ ┌─────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🔓 Personal Settings: Local paths, preferences (per device)                │ │
│ │ 💻 Multi-Device: Different configs per device with automatic registration   │ │
│ │ 🔗 Automatic Inheritance: Use team credentials seamlessly across devices    │ │
│ │ 🛡️ Device Security: Hardware fingerprinting and secure registration        │ │
│ └─────────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────┘
                                        │
                                        ▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│ RUNTIME: Final Configuration = Template + Team + User                          │
└─────────────────────────────────────────────────────────────────────────────────┘

Lock/Unlock Control System

The heart of the system is sophisticated lock/unlock controls with precise categorization:

Secret Type Support: Configuration values marked as type: "secret" in schemas are automatically encrypted for security. For complete details on secret encryption, masking, and security, see Security and Privacy.

Global Administrator Controls:

• Sophisticated Categorization - Categorize every configuration element into Template/Team/User tiers
• Granular Lock/Unlock Controls - Set default lock states and visibility controls for each element
• Security Boundaries - Define what can never be changed vs. what teams/users can configure
• Validation Rules - Set data types, constraints, and security requirements for configurable elements
• Precise Schema Definition - Create detailed schemas that control the exact configuration experience

Team Administrator Controls:

• Configure Team Settings - Set shared credentials and parameters within schema boundaries
• Control User Access - Lock/unlock elements for team members based on organizational needs
• Manage Team Credentials - Securely handle team-wide secrets with appropriate visibility controls
• Work Within Schema Boundaries - Configure only elements designated as "Team Configurable" by global admins

User Access:

• Personal Customization - Modify only unlocked elements within boundaries set by global admin categorization
• Device-Specific Settings - Configure personal settings across multiple devices with automatic device registration
• Secure Experience - No access to locked configuration, team secrets, or template elements
• Focused Interface - See only configuration elements designated as personally configurable
• Multi-Device Workflow - Seamlessly work across different devices with device-specific configurations

User Journey Workflows

Each tier has its own focused workflow:

For Global Administrators

Admin Schema Workflow - Learn how to transform raw MCP configurations into secure three-tier schemas with sophisticated lock/unlock controls through the Configuration Schema Step.

Key workflow: Repository → Claude Desktop Config → Configuration Schema Categorization → Basic Info → Catalog Entry

For Team Administrators

Team Installation - Learn how to install MCP servers from the catalog, configure shared team settings, and control user access.

Key workflow: Browse Catalog → Configure Team Settings → Set Lock Controls → Deploy Installation

For Individual Users

User Configuration - Learn how to configure personal MCP settings and customize your workflow across multiple devices.

Key workflow: Access Team Installation → Configure Personal Settings → Multi-Device Setup → Save Configuration

Configuration Assembly Example

Here's how the three tiers combine into a final runtime configuration:

Template (Global Admin):

{
  "args": ["-y", "@modelcontextprotocol/server-filesystem"],
  "env": {"PROTOCOL_VERSION": "1.0"}
}

Team (Team Admin):

{
  "args": [],
  "env": {"SHARED_API_KEY": "••••• (encrypted secret)"}
}

User (Individual - i.e.: your MacBook Pro):

{
  "args": ["/Users/alice/Development", "/Users/alice/Projects"],
  "env": {"DEBUG": "true"}
}

Final Runtime Result:

{
  "command": "npx",
  "args": [
    "-y", 
    "@modelcontextprotocol/server-filesystem",
    "/Users/alice/Development", 
    "/Users/alice/Projects"
  ],
  "env": {
    "PROTOCOL_VERSION": "1.0",
    "SHARED_API_KEY": "decrypted-secret-for-runtime", 
    "DEBUG": "true"
  }
}

Note: Secret values are automatically decrypted only for runtime execution. In all other contexts (API responses, user interfaces), secrets appear masked as *****.

Key Benefits

Security: Sensitive credentials managed at appropriate tiers with encryption and access controls

Simplicity: Users see only what they can configure, teams share common settings automatically

Flexibility: Support for variable-length configurations and multi-device setups

Collaboration: Teams coordinate through shared settings while maintaining individual customization

Governance: Clear boundaries and audit trails for organizational compliance, with precise control over configuration inheritance

Common Use Cases

Development Teams: Share Git tokens and project settings while allowing personal directory configurations

Data Science Teams: Share database credentials and data lake access while supporting individual analysis workflows

Support Teams: Share customer service API keys while allowing personal workspace customization

Related Documentation

For complete system understanding:

• MCP Catalog - Browse and discover available MCP servers
• Teams - Team structure and membership management
• MCP Installation - Basic MCP server installation concepts
• Security and Privacy - Platform security including device security

The three-tier configuration system provides secure, scalable MCP server management that grows from individual developers to enterprise teams while maintaining simplicity and security at every level. Global administrators have sophisticated control over configuration boundaries through schema categorization, ensuring appropriate access and customization at each tier. The device-aware architecture enables seamless multi-device workflows while maintaining enterprise-grade security and governance.