Provides GitHub-native secret management, allowing AI assistants to validate environment configurations, scan for leaked GitHub tokens, and manage repository-specific secrets without exposing them in conversation history.
Supports the detection of leaked Slack webhooks during automated security scans of the codebase.
Enables the detection of leaked Stripe API keys within a codebase and validates that required Stripe credentials are present in specific deployment environments.
Keyway MCP Server
Let AI manage your secrets securely
Keyway is a GitHub-native secrets manager. This MCP server lets AI assistants like Claude securely access your secrets without ever exposing them in conversation.
Why Keyway MCP?
Traditional secret management with AI is risky: copying secrets into chat exposes them in logs and context. Keyway MCP solves this:
| Without Keyway | With Keyway MCP |
| --- | --- |
| Copy secrets into chat | Secrets stay in vault |
| Visible in conversation history | Never exposed to AI |
| Manual secret creation | Generate securely, never exposed |
| Hope AI doesn't leak them | Cryptographically protected |
Key features:
Zero exposure — Generate, validate, and use secrets without the AI ever seeing them
Pre-deployment validation — Check all required secrets exist before shipping
Secret scanning — Detect leaked credentials in your codebase
Environment diffing — Compare secrets across dev/staging/prod
Quick Install
Prerequisites
First, authenticate with Keyway CLI:
Claude Code
VS Code / Cursor
Or click: Install in VS Code
Other IDEs
Add to your MCP config:
Settings → AI → Manage MCP Servers → Add:
Then enter npx -y @keywaysh/mcp when prompted.
Advanced settings → Extensions → Add custom extension
Select STDIO type, command: npx -y @keywaysh/mcp
Available Tools
keyway_generate
Generate secure secrets and store them directly in the vault. The value is never exposed to the AI.
Types: password | uuid | api-key | jwt-secret | hex | base64
Response:
keyway_validate
Validate required secrets exist before deployment. Supports auto-detection from code.
Or auto-detect from your codebase:
Response:
keyway_scan
Scan your codebase for leaked secrets. Detects 18+ secret types.
Detects: AWS keys, GitHub tokens, Stripe keys, Slack webhooks, private keys, and more.
Response:
keyway_diff
Compare secrets between environments.
Response:
keyway_inject_run
Run commands with secrets injected as environment variables.
Secrets are injected into the command's environment and masked in any output.
keyway_list_secrets
List secret names (not values) in an environment.
keyway_set_secret
Create or update a secret manually.
keyway_list_environments
List available environments for the repository.
Security
Keyway MCP is designed with security as the primary concern:
| Feature | How it works |
| --- | --- |
| Token encryption | Uses AES-256-GCM, same as Keyway CLI |
| No secret logging | Values never appear in logs or output |
| Output masking | |
| Shell injection prevention | Commands run with |
| File permissions | Validates |
| Generate, don't expose | |
What the AI can see
| Tool | AI sees value? |
| --- | --- |
| | No — only masked preview |
| | No — only key names |
| | No — only masked previews |
| | No — only masked previews |
| | No — values masked in output |
| | No — only key names |
| | Yes — value provided by user |
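The scan-then-mask idea behind keyway_scan and the "masked previews" rows above can be sketched as follows. This is an added example, not Keyway's code: the function names, the file path and the patterns (commonly published credential formats) are assumptions, and the sample input is constructed.

```javascript
// Added example: not Keyway's scanner. Patterns are commonly published
// formats for each credential type; all names here are hypothetical.
const PATTERNS = [
  { type: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { type: "stripe-secret-key", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { type: "slack-webhook",
    re: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g },
  { type: "private-key",
    re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
];

// Keep a short prefix for triage and hide the rest (fixed-width mask, so
// the length is not revealed). Short values are masked completely.
function maskPreview(value, visible = 4) {
  if (value.length <= visible * 2) return "*".repeat(value.length);
  return value.slice(0, visible) + "*".repeat(8);
}

// Scan one file's text. Findings carry location, type and a masked
// preview only; the raw match never leaves this function.
function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { type, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ path, line: i + 1, type, preview: maskPreview(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: fake values, assembled at runtime so no
// token-shaped literal sits in the source.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "const stripe = require('stripe')('sk_live_" + "0".repeat(24) + "');",
  "GITHUB_TOKEN=ghp_" + "a".repeat(36),
  "notify: https://hooks.slack.com/services/T" + "0".repeat(8) +
    "/B" + "0".repeat(8) + "/" + "x".repeat(24),
  "API_URL=https://example.invalid/v1",
].join("\n");

console.log(scanText("config/sample.env", SAMPLE));
```

Because only `preview` is returned, a report built from these findings can be handed to an assistant or pasted into a ticket without reproducing the credential itself.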
Development
Environment Variables
| Variable | Description |
| --- | --- |
| | Override API URL (default: |
License
MIT — see LICENSE
keyway.sh · Built for developers who care about security