# Setup-Token Anti-Patterns

- **Token in the repo.** Writing `FREE_WHISPER_API_TOKEN` into `.mcp.json`, into a committed `.env`, or any plugin/repo file. The token is a per-user secret and lives only in the user's global `~/.claude/settings.json`.
- **Clobbering settings.json.** Overwriting the file with `{ "env": { ... } }` and losing the user's `model`, `theme`, `permissions`, or `hooks`. Always read first and merge; preserve every existing key.
- **Wrong settings file.** Writing to a project-level `.claude/settings.json` or a `settings.local.json` instead of the global `~/.claude/settings.json`.
- **Empty token.** Saving `""` or a placeholder. Validate that the token is non-empty before writing.
- **Echoing the secret.** Printing the token value back into the chat or into a report.
- **Silent activation.** Saving the token and stopping without the reconnect instruction. The MCP server only reloads its env when reconnected via `/mcp`; without it the user gets 401 and thinks setup failed.
- **Auto-reconnect attempt.** Trying to kill or restart the MCP process from code. Claude cannot reload the MCP; only the user can, via `/mcp`.