mcp-synology stores credentials in your OS keyring (macOS Keychain, Windows Credential Manager, Linux Secret Service / GNOME Keyring / KDE Wallet).
Credentials are stored under the service name:
mcp-synology/{instance_id}
Where instance_id is:
- The value of
instance_idin your config file, if set explicitly (any[a-z0-9-]string) - Derived from
connection.hostotherwise:- IP addresses: dots become hyphens (
192.168.1.100->192-168-1-100) - Hostnames: first component only (
nas.local->nas)
- IP addresses: dots become hyphens (
The instance_id is the key that separates everything — keyring entries, state files, and log identification. Choose a meaningful name if you manage multiple NAS devices.
Each service stores up to three keys:
| Key | Description |
|---|---|
username |
DSM login username |
password |
DSM login password |
device_id |
2FA device token (only present after 2FA bootstrap) |
For accounts with two-factor authentication enabled:
- Run
mcp-synology setup— it detects 2FA (DSM error 403) and prompts for your OTP code - On successful OTP, DSM returns a device token which is stored as
device_idin the keyring - Subsequent logins include the device token, so DSM treats the server as a remembered device — no OTP required
- If the device token expires or is revoked in DSM, run
mcp-synology setupagain to re-bootstrap
The device token is specific to the instance_id. Multiple NAS configs with different 2FA accounts each get their own token.
| Platform | Keyring Backend | Claude Desktop | Notes |
|---|---|---|---|
| macOS | Keychain | Works | May prompt once for keychain access |
| Windows | Credential Manager | Works | Runs as logged-in user |
| Linux | GNOME Keyring / KWallet | Works | Uses standard D-Bus socket path |
| Docker | None | N/A | Use env vars or config file credentials |
On Linux, keyring backends communicate via D-Bus. When Claude Desktop launches the MCP server, the subprocess may not inherit the DBUS_SESSION_BUS_ADDRESS environment variable. mcp-synology handles this by checking for the standard systemd socket at /run/user/<uid>/bus and setting the env var if the socket exists.
No special configuration is needed — keyring works from Claude Desktop on Linux with standard systemd-based desktop environments.
You can inspect stored credentials using your OS keyring tools or Python's keyring CLI:
# Check what's stored for a given instance
python -m keyring get mcp-synology/192-168-1-100 username
# Or using the keyring CLI directly
keyring get mcp-synology/nas-primary username
# Check if a device token is stored (2FA)
keyring get mcp-synology/nas-primary device_idkeyring del mcp-synology/192-168-1-100 username
keyring del mcp-synology/192-168-1-100 password
keyring del mcp-synology/192-168-1-100 device_idWhen authenticating, mcp-synology checks these sources in order:
- Environment variables (highest priority) —
SYNOLOGY_USERNAME,SYNOLOGY_PASSWORD,SYNOLOGY_DEVICE_ID - Config file —
auth.username,auth.password— triggers a plaintext warning - OS keyring (default) — set via
mcp-synology setup
Explicit sources (env vars, config file) override the implicit default (keyring). This means setting SYNOLOGY_PASSWORD=x will always use that password, even if the keyring has a different one stored.
Each NAS gets its own keyring entry keyed by instance_id. Use any meaningful name:
# ~/.config/mcp-synology/nas-primary.yaml
instance_id: nas-primary
connection:
host: 192.168.1.100
# ~/.config/mcp-synology/nas-backup.yaml
instance_id: nas-backup
connection:
host: 192.168.1.200Their credentials are stored independently:
mcp-synology/nas-primary— username, password, device_idmcp-synology/nas-backup— username, password, device_id
Run mcp-synology setup --list to see all configured instances.