@joaquim-verges joaquim-verges commented Jul 26, 2025


PR-Codex overview

This PR focuses on enhancing the Header component by adding AI-related links and updating the content of the MCP and LLMs.txt pages to provide clearer usage instructions and examples for interacting with the thirdweb API.

Detailed summary

  • Introduced aiLinks array in Header.tsx for AI-related navigation.
  • Updated Header component to use aiLinks instead of hardcoded links.
  • Modified Hero section in page.tsx to change title and layout for quick starts.
  • Enhanced llm-txt/page.mdx with clearer instructions and examples.
  • Improved mcp/page.mdx with new usage examples and configurations for various clients.


Summary by CodeRabbit

  • Documentation
    • Updated instructions and examples to use the project secret key as a URL query parameter instead of an HTTP header when accessing the MCP server.
    • Introduced a tabbed interface to display usage instructions for multiple LLM clients with the updated URL format.
    • Added example natural language prompts for managing server wallets, contracts, and transactions.
    • Included a security reminder to keep the secret key confidential.
    • Added guidance on downloading and using llms.txt files with example prompts.
    • Clarified audience and use cases for Typescript SDK quick reference and full documentation.
    • Enhanced navigation by consolidating AI-related links and adding them to the mobile menu.
  • New Features
    • Updated the Playground section with new quick start cards for MCP and LLMs.txt, featuring new icons and descriptions.
    • Changed the Playground section title from "Live Demos" to "Quick Starts" and introduced a responsive grid layout.

changeset-bot bot commented Jul 26, 2025

⚠️ No Changeset found

Latest commit: 124b92a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@github-actions github-actions bot added the Portal Involves changes to the Portal (docs) codebase. label Jul 26, 2025

coderabbitai bot commented Jul 26, 2025


Walkthrough

The documentation for accessing the thirdweb MCP server was updated to use a query parameter (secretKey) for authentication instead of the x-secret-key HTTP header. All relevant examples, including raw HTTP requests, LLM client configurations, agent framework usage, and multiple LLM client tabs, were modified accordingly. A security note and example natural language prompts were added. Additionally, AI-related navigation links were consolidated into a single constant and added to the mobile menu. The llm-txt documentation was expanded with usage instructions, example prompts, and reorganized headings. The main page's Playground section was enhanced with a responsive grid layout featuring new cards for MCP and LLMs.txt, including new icons and descriptions.

Changes

| File(s) | Change Summary |
| --- | --- |
| apps/portal/src/app/ai/mcp/page.mdx | Replaced x-secret-key header with secretKey query parameter in all examples; introduced tabbed UI for multiple LLM clients; added security note and example natural language prompts for MCP server usage. |
| apps/portal/src/app/Header.tsx | Introduced aiLinks constant for AI navigation links; updated desktop dropdown and added AI links to mobile burger menu; removed unused icon prop from AI links. |
| apps/portal/src/app/ai/llm-txt/page.mdx | Added "How to use" section with instructions and example prompt; added recommendation notes before SDK sections; promoted API reference heading level. |
| apps/portal/src/app/page.tsx | Expanded icon imports; changed Playground section title to "Quick Starts"; replaced single Playground card with a responsive grid of three cards (Playground, MCP, LLMs.txt) including new icons and descriptions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes
@joaquim-verges joaquim-verges marked this pull request as ready for review July 26, 2025 23:07
@joaquim-verges joaquim-verges requested review from a team as code owners July 26, 2025 23:07
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
apps/portal/src/app/ai/mcp/page.mdx (1)

41-46: Agent client should keep secrets out of source control

Hard-coding the secret in the URL inside application code will inevitably land in VCS.
Use env vars and pass via headers to keep secrets ephemeral:

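```python
import os

from langchain_mcp_adapters.client import MultiServerMCPClient

# Read the secret from the environment and send it as a header, not in the URL
client = MultiServerMCPClient(
    {
        "thirdweb-api": {
            "transport": "streamable_http",
            "url": "https://api.thirdweb.com/mcp",
            "headers": {"x-secret-key": os.environ["TW_SECRET_KEY"]},
        }
    }
)
```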
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 34067c0 and df3a523.

📒 Files selected for processing (1)
  • apps/portal/src/app/ai/mcp/page.mdx (3 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Surface breaking changes prominently in PR descriptions

Comment on lines 9 to 13
```http
# endpoint
POST /mcp
Host: api.thirdweb.com
# auth header (required)
x-secret-key <your-project-secret-key>
POST https://api.thirdweb.com/mcp?secretKey=<your-project-secret-key>
```
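
Review bot: the replacement request line carries `<your-project-secret-key>` in the URL and the `# auth header (required)` lines are gone, so the snippet no longer tells readers whether the `x-secret-key` header is still accepted. Say explicitly whether header authentication keeps working, and if it does, keep it as the documented default and present the `secretKey` query parameter only as a fallback for clients that cannot set headers.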
⚠️ Potential issue

Secret key in query string is highly leak-prone

Putting secretKey in the URL means it is persisted in:
• browser history
• server/access logs
• proxy caches and analytics tools
• the Referer header of any subsequent navigation

This dramatically increases the blast-radius of credential leakage.
Strongly prefer sending the key in an HTTP header or request body instead.

🤖 Prompt for AI Agents
In apps/portal/src/app/ai/mcp/page.mdx around lines 9 to 11, the secretKey is
included in the URL query string, which risks leaking the key through browser
history, logs, caches, and referer headers. To fix this, remove the secretKey
from the URL and instead send it securely in an HTTP header or in the request
body of the POST request.
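
An added example, not part of the PR or of any reviewer's comment: a defender-side check for the leak paths listed above. It flags MCP client configs whose URLs carry a credential-like query parameter and masks such parameters in access-log lines (request target and Referer). The parameter names other than `secretKey`, the sample key `sk_constructed_example`, the host `app.example.test` and both log lines are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials. "secretKey" is the name used in
# this PR; the other names are assumptions added for illustration.
SECRET_PARAMS = {"secretkey", "secret_key", "apikey", "api_key", "token", "access_token"}

# Matches "?name=value" or "&name=value" for any of the names above.
_SECRET_QS = re.compile(
    r'([?&](?:%s)=)[^&\s"]+' % "|".join(sorted(SECRET_PARAMS)), re.IGNORECASE
)

# Constructed sample inputs.
URL_CONFIG = """{"mcpServers": {"thirdweb-api": {
  "url": "https://api.thirdweb.com/mcp?secretKey=sk_constructed_example"}}}"""
HEADER_CONFIG = """{"mcpServers": {"thirdweb-api": {
  "url": "https://api.thirdweb.com/mcp",
  "headers": {"x-secret-key": "${TW_SECRET_KEY}"}}}}"""
ACCESS_LOG_LINE = (
    '203.0.113.7 - - [27/Jul/2025:04:19:00 +0000] '
    '"POST /mcp?secretKey=sk_constructed_example HTTP/1.1" 200 512 "-" "example-client/1.0"'
)
REFERER_LOG_LINE = (
    '203.0.113.7 - - [27/Jul/2025:04:19:05 +0000] "GET /docs HTTP/1.1" 200 1024 '
    '"https://app.example.test/run?secretKey=sk_constructed_example&tab=1" "example-client/1.0"'
)


def redact_url(url):
    """Return (url_with_secret_values_masked, names_of_secret_params_found)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), found


def scan_config(obj, path="$"):
    """Walk parsed JSON and return (json_path, param_name) for each URL with a secret."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            findings += scan_config(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            findings += scan_config(value, f"{path}[{index}]")
    elif isinstance(obj, str) and obj.startswith(("http://", "https://")):
        _, found = redact_url(obj)
        findings += [(path, name) for name in found]
    return findings


def scrub_log_line(line):
    """Mask secret query values anywhere in a log line; return (line, hit_count)."""
    return _SECRET_QS.subn(r"\1REDACTED", line)


if __name__ == "__main__":
    for label, raw in (("url-based", URL_CONFIG), ("header-based", HEADER_CONFIG)):
        print(label, scan_config(json.loads(raw)))
    for raw_line in (ACCESS_LOG_LINE, REFERER_LOG_LINE):
        scrubbed, hits = scrub_log_line(raw_line)
        print(hits, scrubbed)
```

A non-zero hit count from `scrub_log_line` on existing logs means the key has already been written to disk and should be rotated, not just masked going forward.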

codecov bot commented Jul 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@34067c0). Learn more about missing BASE report.
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7726   +/-   ##
=======================================
  Coverage        ?   56.18%           
=======================================
  Files           ?      908           
  Lines           ?    58236           
  Branches        ?     4200           
=======================================
  Hits            ?    32718           
  Misses          ?    25410           
  Partials        ?      108           
Flag Coverage Δ *Carryforward flag
packages 56.18% <ø> (?) Carriedforward from 6e2f535

*This pull request uses carry forward flags. Click here to find out more.

github-actions bot commented Jul 26, 2025

size-limit report 📦

| Path | Size | Loading time (3g) | Running time (snapdragon) | Total time |
| --- | --- | --- | --- | --- |
| thirdweb (esm) | 63.33 KB (0%) | 1.3 s (0%) | 298 ms (+50.15% 🔺) | 1.6 s |
| thirdweb (cjs) | 353.15 KB (0%) | 7.1 s (0%) | 1.6 s (+4.07% 🔺) | 8.7 s |
| thirdweb (minimal + tree-shaking) | 5.7 KB (0%) | 114 ms (0%) | 109 ms (+1039.06% 🔺) | 223 ms |
| thirdweb/chains (tree-shaking) | 526 B (0%) | 11 ms (0%) | 12 ms (+41.44% 🔺) | 22 ms |
| thirdweb/react (minimal + tree-shaking) | 19.24 KB (0%) | 385 ms (0%) | 63 ms (+155.59% 🔺) | 448 ms |

@joaquim-verges joaquim-verges force-pushed the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch from df3a523 to 97ae4e5 Compare July 26, 2025 23:20
@joaquim-verges joaquim-verges force-pushed the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch from 97ae4e5 to 748ded9 Compare July 27, 2025 01:55
@joaquim-verges joaquim-verges force-pushed the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch from 748ded9 to 6ebc1a0 Compare July 27, 2025 03:01
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (3)
apps/portal/src/app/ai/mcp/page.mdx (3)

11-13: Secret key in query string is highly leak-prone

Putting secretKey in the URL means it is persisted in:
• browser history
• server/access logs
• proxy caches and analytics tools
• the Referer header of any subsequent navigation

This dramatically increases the blast-radius of credential leakage.
Strongly prefer sending the key in an HTTP header or request body instead.


38-83: All client configurations propagate the security vulnerability

Every configuration example (Cursor, WindSurf, VS Code, Claude Code) embeds the secret key in the URL, perpetuating the same security risk across all client integrations. This means any user following these instructions will implement insecure authentication.

Consider using headers instead:

```json
{
  "mcpServers": {
    "thirdweb-api": {
      "url": "https://api.thirdweb.com/mcp",
      "headers": {
        "x-secret-key": "${TW_SECRET_KEY}"
      }
    }
  }
}
```

104-104: Agent framework example also uses insecure authentication

The langchain example perpetuates the same security vulnerability by embedding the secret key in the URL. Programmatic usage should especially avoid URL-based secrets as they may be logged or persisted by frameworks.

🧹 Nitpick comments (1)
apps/portal/src/app/Header.tsx (1)

363-374: Mobile AI section is well-implemented but has icon prop issue

The new AI section follows the established mobile menu pattern correctly. However, line 368 passes an icon prop that doesn't exist in the aiLinks definition, which could cause issues.

Remove the unnecessary icon prop:

                <NavLink  
                  href={link.href}
-                  icon={link.icon}
                  key={link.name}
                  name={link.name}
                  onClick={() => setShowBurgerMenu(false)}
                />
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 748ded9 and 6ebc1a0.

📒 Files selected for processing (3)
  • apps/portal/src/app/Header.tsx (3 hunks)
  • apps/portal/src/app/ai/llm-txt/page.mdx (1 hunks)
  • apps/portal/src/app/ai/mcp/page.mdx (3 hunks)
✅ Files skipped from review due to trivial changes (1)
  • apps/portal/src/app/ai/llm-txt/page.mdx
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

Files:

  • apps/portal/src/app/Header.tsx
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit Inference Engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • apps/portal/src/app/Header.tsx
🧠 Learnings (3)
apps/portal/src/app/ai/mcp/page.mdx (9)

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*client.tsx : Prefer API routes or server actions to keep tokens secret; the browser only sees relative paths.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Keep tokens secret via internal API routes or server actions

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard//api//*.{ts,tsx} : Pass the token in the Authorization: Bearer header – never embed it in the URL.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Use Authorization: Bearer header – never embed tokens in URLs

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*client.tsx : Keep queryKey stable and descriptive for cache hits.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Use descriptive, stable queryKeys for React Query cache hits

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Always call getAuthToken() to retrieve JWT from cookies on server side

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*.{ts,tsx} : Accessing server-only environment variables or secrets.

Learnt from: MananTank
PR: #7177
File: apps/dashboard/src/app/(app)/(dashboard)/(chain)/[chain_id]/[contractAddress]/public-pages/erc20/_hooks/useTokenTransfers.ts:41-44
Timestamp: 2025-05-27T19:56:16.920Z
Learning: When reviewing hooks that use environment variables like NEXT_PUBLIC_DASHBOARD_THIRDWEB_CLIENT_ID for API calls, MananTank prefers not to add explicit validation checks for these variables, trusting they will be set in the deployment environment.

apps/portal/src/app/Header.tsx (12)

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Use NavLink for internal navigation with automatic active states in dashboard and playground apps

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*.{tsx,jsx} : Use NavLink (@/components/ui/NavLink) for internal navigation so active states are handled automatically.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Import UI primitives from @/components/ui/* (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in dashboard and playground apps

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard//api//*.{ts,tsx} : Co-locate data helpers under @/api/** and mark them with "server-only".

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{ts,tsx} : Use cn() from @/lib/utils for conditional class logic

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to src/exports/react.native.ts : React Native specific exports are in src/exports/react.native.ts

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*.{tsx,jsx} : Prefer composable primitives over custom markup: Button, Input, Select, Tabs, Card, Sidebar, Separator, Badge.

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*.{tsx,jsx} : Merge class names with cn from @/lib/utils to keep conditional logic readable.

Learnt from: arcoraven
PR: #7505
File: apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/analytics/components/WebhookAnalyticsCharts.tsx:186-204
Timestamp: 2025-07-10T10:18:33.238Z
Learning: The ThirdwebBarChart component in apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/analytics/components/WebhookAnalyticsCharts.tsx does not accept standard accessibility props like aria-label and role in its TypeScript interface, causing compilation errors when added.

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-07-18T19:20:32.530Z
Learning: Applies to dashboard/**/*.{tsx,jsx} : Icons come from lucide-react or the project-specific …/icons exports – never embed raw SVG.

Learnt from: jnsdls
PR: #7365
File: apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx:16-17
Timestamp: 2025-06-18T04:30:04.326Z
Learning: Next.js Link component fully supports both internal and external URLs and works appropriately with all standard anchor attributes including target="_blank", rel="noopener noreferrer", etc. Using Link for external URLs is completely appropriate and recommended.

Learnt from: jnsdls
PR: #7365
File: apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/components/ProjectFTUX/ProjectFTUX.tsx:16-17
Timestamp: 2025-06-18T04:27:16.172Z
Learning: Next.js Link component supports external URLs without throwing errors. When used with absolute URLs (like https://...), it behaves like a regular anchor tag without client-side routing, but does not cause runtime crashes or errors as previously believed.

🔇 Additional comments (3)
apps/portal/src/app/ai/mcp/page.mdx (1)

115-142: Good addition of example prompts

The example prompts provide clear, practical guidance for users on how to interact with the MCP server using natural language. This enhances the documentation's usability.

apps/portal/src/app/Header.tsx (2)

144-153: Good refactoring to consolidate AI navigation links

Creating the aiLinks constant improves maintainability by centralizing AI-related navigation links and follows the established pattern used by other link arrays in the file.


302-302: Correct usage of the new aiLinks constant

The dropdown now properly references the centralized aiLinks constant, completing the refactoring consistently.

```

### Usage with LLM clients
Make sure to keep your secret key safe and never share it with anyone.
🛠️ Refactor suggestion

⚠️ Potential issue

Security note is insufficient given the insecure implementation

While adding a security reminder is good practice, advising users to "keep your secret key safe" while instructing them to embed it in URLs is contradictory. URLs are inherently unsafe for secrets due to logging, caching, and history persistence.

🤖 Prompt for AI Agents
In apps/portal/src/app/ai/mcp/page.mdx at line 15, the security note advises
keeping the secret key safe but contradicts this by instructing users to embed
it in URLs, which is insecure. Update the instructions to remove any guidance
that involves placing secret keys in URLs and instead recommend safer methods
such as using environment variables or secure storage mechanisms to handle
secret keys without exposing them in URLs.

@joaquim-verges joaquim-verges force-pushed the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch from 6ebc1a0 to 75f3a01 Compare July 27, 2025 03:06
@joaquim-verges joaquim-verges force-pushed the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch from 75f3a01 to 124b92a Compare July 27, 2025 04:11
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
apps/portal/src/app/ai/mcp/page.mdx (1)

12-13: Secret key in plaintext URLs is a high-severity credential-leak vector

Placing secretKey in the query string means it will be recorded in browser history, proxies, load-balancer logs, analytics tools and Referer headers, effectively nullifying the “keep it safe” advice on L15.
Pass the secret in an Authorization/x-secret-key header or, if unavoidable, via POST body parameters that never hit logs.

This concern has already been raised in earlier reviews and remains unresolved.

Also applies to: 38-41, 54-57, 70-71, 83-84, 104-105

🧹 Nitpick comments (1)
apps/portal/src/app/ai/mcp/page.mdx (1)

100-110: Top-level await won’t run in a normal Python script

Regular Python files don’t support bare await; readers will copy-paste and hit a SyntaxError. Either:

  1. Note that the snippet is for a REPL / Jupyter context, or
  2. Wrap it in an async function and call asyncio.run.

Example adjustment:

-tools = await client.get_tools()
-agent = create_react_agent("openai:gpt-4.1", tools)
-response = await agent.ainvoke({"messages": "create a server wallet called 'my-wallet'"})
+import asyncio
+
+async def main():
+    tools = await client.get_tools()
+    agent = create_react_agent("openai:gpt-4.1", tools)
+    response = await agent.ainvoke(
+        {"messages": "create a server wallet called 'my-wallet'"}
+    )
+    print(response)
+
+asyncio.run(main())
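
Review bot: `asyncio.run(main())` on the last added line raises RuntimeError when an event loop is already running, which is the case in Jupyter, so the rewritten snippet trades a SyntaxError in scripts for a failure in notebooks. State next to the snippet that it targets a standalone script, and mention that notebook users should `await main()` instead.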
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 75f3a01 and 124b92a.

📒 Files selected for processing (4)
  • apps/portal/src/app/Header.tsx (3 hunks)
  • apps/portal/src/app/ai/llm-txt/page.mdx (1 hunks)
  • apps/portal/src/app/ai/mcp/page.mdx (3 hunks)
  • apps/portal/src/app/page.tsx (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/portal/src/app/ai/llm-txt/page.mdx
  • apps/portal/src/app/Header.tsx
  • apps/portal/src/app/page.tsx

@joaquim-verges joaquim-verges merged commit 8ddf378 into main Jul 27, 2025
25 checks passed
@joaquim-verges joaquim-verges deleted the _Docs_Update_MCP_authentication_from_headers_to_query_parameters branch July 27, 2025 04:31