Cursor

1. Install the CLI and log into Doppler

2. Create an agent-only config

Branch off your dev environment to create an isolated config so you control the agent's blast radius.

Branch configs are prefixed with the environment slug. dev_agent_cursor lives under dev and inherits from its root unless you override.

3. Add only the secrets the agent needs

Scope it down so the keys Cursor's agent uses for commands and tool calls (your APIs, a test DB), the secrets you'd otherwise have in an .env file.

Do not let the agent populate or modify its own secrets. A human decides what goes in this config. The token in the next step is read-only, so the agent can't write back.

4. Mint a scoped, read-only, expiring token

Bound to this one config, with an expiration so a leaked token dies on its own. Capture it into an environment variable so the next steps can reference it without pasting the raw value around.

Service tokens are read-only by default. The agent can fetch secrets, never change them. This is the agent's identity.

5. Scope the CLI token to the working directory

Bind the agent's token to a single directory so the CLI only uses it there. Run this from the project folder Cursor will open.

The --scope . flag locks the token to the current directory. Any doppler command run inside that folder - the doppler run launch below, the integrated-terminal subshell, and anything Cursor's agent itself invokes - resolves with this scoped agent token and never your personal CLI token. ($DOPPLER_CURSOR_TOKEN is the value you captured in step 4.)

Note: Run the agent in a sandbox scoped to that directory. And proceed with caution on production workloads: a non-deterministic agent with live credentials is real blast radius, so keep it pointed at dev/test configs unless you have a specific reason not to.

6. Inject secrets into Cursor's environment

Cursor's integrated terminal and agent inherit the environment of the process that launched Cursor, so launch the app through doppler run and everything downstream sees the scoped secrets.

The most reliable way to do this cross-platform is Cursor's own cursor CLI shim (macOS, Windows, and Linux alike). If you haven't already, open Cursor once and run Install 'cursor' command in PATH from the Command Palette, then:

7. Connect the Doppler MCP server

Steps 1-6 give Cursor's agent the credentials it runs commands with. The MCP server lets the agent see and operate Doppler itself: list projects, inspect a config, understand the secret layout before depending on it. Useful in almost any session, so set it up alongside the injection above.

The MCP server uses the same scoped, read-only token you minted in step 4. mcp.json is plain JSON and does not expand shell variables, so a literal "$DOPPLER_CURSOR_TOKEN" in an env block gets sent as the token and auth fails. Paste the raw token value directly instead.

If you'd rather not paste the value into a file, authenticate once with npx @dopplerhq/mcp-server login and drop the env block entirely, or wrap the server in doppler run --command "DOPPLER_TOKEN=$DOPPLER_CURSOR_TOKEN npx -y @dopplerhq/mcp-server --read-only" so a shell (not Cursor) resolves the variable. Enable the server in Cursor's MCP settings panel after saving.

Interested in more? Head back to the directory.

Pick Your Tool