Any security concerns or vulnerabilities discovered in one of MongoDB's products or hosted services can be responsibly disclosed by utilizing one of the methods described in our create a vulnerability report docs page.
While we greatly appreciate community reports regarding security issues, at this time MongoDB does not provide compensation for vulnerability reports.
The MongoDB Atlas CLI uses a hybrid approach to store sensitive credentials, prioritizing security while maintaining compatibility across different environments and systems.
When available, the CLI uses your operating system's native keyring services to securely store sensitive credentials. This provides the highest level of security by leveraging OS-level encryption and access controls.
Credentials stored securely include:
- API Keys (public and private)
- Access Tokens
- Refresh Tokens
- Client ID and Client Secret
Supported platforms:
- macOS: Uses Keychain Services for secure credential storage
- Windows: Integrates with Windows Credential Manager
- Linux: Works with desktop Secret Service dbus interface
If the operating system's keyring services are unavailable, the CLI automatically falls back to storing credentials in a local configuration file (config.toml). This ensures the CLI remains functional even in restricted environments.
Important security considerations for fallback storage:
- Credentials are stored in plain text in the configuration file
You can verify whether your CLI is using secure storage by running any atlas command. You'll see the message Warning: Secure storage is not available, falling back to insecure storage, when secure storage is not available.
The CLI uses the go-keyring library to interface with OS keyring services. Each profile's credentials are stored under a service name prefixed with atlascli_ (e.g., atlascli_default for the default profile).
For detailed information about how your operating system manages keyring encryption and security:
- macOS Keychain: Apple Keychain Services Documentation
- Windows Credential Manager: Windows Credential Manager Documentation
- Linux GNOME Keyring: GNOME Keyring Documentation