fix(banking-ai-mcp-bootcamp): validate vaulted apiKey secret via metadata#16
fix(banking-ai-mcp-bootcamp): validate vaulted apiKey secret via metadata#16avdev4j wants to merge 3 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
…data The apiKey environment variable is now stored as a Postman Vault secret, so its `value` is always empty in the API response. The previous check required a non-empty value, so the step could never validate. Validate the variable's metadata instead: it must exist (key "apiKey"), be enabled, and be marked sensitive (type "secret" / secret true). Works for both local (free) and cloud (enterprise) vaults. Co-Authored-By: Claude <noreply@anthropic.com>
ca230de to
f5c412f
Compare
|
Tested the changes on the Preview branch and it's fine for me as I worked through the module. A slight copy change will be needed to cover when Free users are not able to share a sensitive value without upgrading first. @quintonwall Could you give it a once over too? We also might need to add @avdev4j to the vercel team (subscription dependant) so that he can test on the Preview branches. |
4f80e1f to
f5c412f
Compare
|
Regarding the free account, I can confirm that users will have an unsecured variable "apiKey" in the environment after calling the Generate API Key endpoint. Users can store the value in the local vault but cannot share it. The API returns the variable entry with the following definition, which seems sufficient to validate the step: I'm updating the PR to take this into account. |

Problem
The "Set API Key" validation step in the Banking AI MCP bootcamp stopped passing even when learners had correctly configured their
apiKeyenvironment variable.Postman now stores sensitive environment values in Postman Vault. As a result, the variable's
valuefield is always returned empty by the API, with the real data referenced viasource.{vault_provider}.secretId. The previous validator required a non-emptyvalue, so a correctly configured secret could never validate.Fix
Validate the
apiKeyvariable's metadata instead of its value. The step now passes when the variable:apiKey),type: "secret"orsecret: true).The
value/ vault-backed checks were removed since the value is intentionally empty for vaulted secrets.Notes
This is a first suggestion — happy to discuss the approach.