secrets-mcp
An encrypted credential vault for Claude Code (and any MCP client): store and use API keys, passwords, tokens, SSH keys, TLS certificates, and other sensitive material without the values ever entering the model's context.
The model can list what exists, collect new credentials from the user, run commands with credentials injected, call APIs with stored tokens, and render config files — but it never sees a value. Ships as a Claude Code plugin bundling the MCP server, a guard hook, and a skill.
How values stay out of the model
- Input never crosses the chat. vault_set opens a native dialog (hidden input on macOS) where the user types the value; vault_import reads a file straight from disk into the vault. Headless/Linux/Windows: the secrets-vault CLI reads from a hidden TTY prompt or piped stdin — never argv.
- Output is redacted. vault_run and vault_http scrub every stored value from captured output before it is returned — raw, base64, base64url, hex, URL-encoded, and JSON-escaped forms, plus each individual line of multi-line values (so grep/head on a PEM file comes back redacted).
- Disk is guarded. A PreToolUse hook denies the model Read/Edit/Grep/Bash access to the vault directory and to any file produced by vault_render or vault_write.
- Storage is encrypted. AES-256-GCM vault files; the master key lives in the platform credential store — macOS Keychain, Linux libsecret (secret-tool), Windows DPAPI — with a 0600 key file as last-resort fallback. Key material moves over stdin/stdout, never argv.
Threat model — read this
This protects against accidental exposure: secrets pasted into chat,
echoed by commands, logged, committed, or read out of config files into the
conversation. It is not a sandbox against an adversarial model. A model
that deliberately transforms a secret before printing it (e.g.
cut -c1-4, character arithmetic, XOR) defeats exact-match redaction — the
redaction layer catches common encodings and line-wise extraction, not
arbitrary computation. If that is your threat, the mitigation is Claude
Code's permission prompts on vault_run commands, not this tool.
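The exact-match scrubbing described above, and the limit this threat model names, as an added example that is not the project's own code. The function names, the minimum fragment length and the sample values are assumptions made for illustration.

```javascript
// Added example: exact-match redaction over common encodings.
const MIN_LEN = 6; // assumed floor so tiny fragments do not blank ordinary output

// Every form of one stored value that the scrubber searches for.
function variants(value) {
  const parts = [value, ...value.split(/\r?\n/)]; // whole value plus each line
  const out = new Set();
  for (const p of parts) {
    if (p.length < MIN_LEN) continue;
    const buf = Buffer.from(p, "utf8");
    out.add(p);                              // raw
    out.add(buf.toString("base64"));
    out.add(buf.toString("base64url"));
    out.add(buf.toString("hex"));
    out.add(encodeURIComponent(p));          // URL-encoded
    out.add(JSON.stringify(p).slice(1, -1)); // JSON-escaped, quotes stripped
  }
  return [...out];
}

// All forms of all secrets, longest first, so a long match is never
// broken up by a shorter form that happens to be its prefix.
function needles(secrets) {
  const all = new Set(secrets.flatMap((s) => variants(s)));
  return [...all].sort((a, b) => b.length - a.length);
}

function redact(text, secrets, marker = "[REDACTED]") {
  let result = text;
  for (const n of needles(secrets)) result = result.split(n).join(marker);
  return result;
}

// True when any known form of any secret is present in the text.
function leaks(text, secrets) {
  return needles(secrets).some((n) => text.includes(n));
}

// Constructed sample values, not real credentials.
const TOKEN = "tok_EXAMPLE_q7+Zx/91";
const PEM = "-----BEGIN KEY-----\nQUJDREVGR0hJSktM\n-----END KEY-----";
const SECRETS = [TOKEN, PEM];
```

A four-character prefix of TOKEN passes through redact unchanged and leaks reports false for it, which is the gap the permission prompt on vault_run is there to cover.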
Materialized files (vault_render / vault_write outputs, files: temp
paths) are plaintext on disk while they exist; temp files are 0600, created
inside the guarded directory, and deleted when the command exits.
Entry model
Scope |
|
Kind |
|
Type |
|
Non-credential types (ip_address, hostname, url, username, email)
get a visible input dialog but are stored, redacted, and injected exactly
like secrets — useful for infrastructure details that should not appear in
transcripts.
MCP tools
Tool | Purpose |
| Names and metadata only — never values |
| Store a text value via native user dialog |
| Import a file (keys, certs, .env) from disk; optional source shredding |
| Delete after native user confirmation |
| Run a shell command; entries injected as env vars ( |
| HTTP request with |
| Render a template ( |
| Materialize one entry to a permanent path (installing certs/keys); path guarded |
| Delete rendered files and release them from the guard (only guard-registered paths; |
| Leak check: report whether text contains any stored value in any common encoding |
Example — the model deploys over SSH without ever holding the key:
vault_run {
  "command": "ssh -i \"$KEY\" -o IdentitiesOnly=yes deploy@prod 'systemctl restart app'",
  "files": { "KEY": "deploy-ssh-key" }
}
CLI
For terminals, SSH sessions, and multi-line values:
$ secrets-vault set github-token --type api_key --scope global
Value for 'github-token' (input hidden): ...
$ secrets-vault import deploy-key --file ~/.ssh/id_deploy --type ssh_private_key
$ pbpaste | secrets-vault set staging-db --type connection_string
$ secrets-vault list
$ secrets-vault rm old-token --scope project
Install
$ npm install && npm run build
As a Claude Code plugin (MCP server + guard hook + skill). Plugins install from marketplaces, and this repo self-hosts as one:
$ claude plugin marketplace add DatanoiseTV/secrets-mcp
$ claude plugin install secrets-mcp@datanoise --scope user
From a local clone (development):
$ claude --plugin-dir /path/to/secrets-mcp # try it without installing
$ claude plugin marketplace add /path/to/secrets-mcp
$ claude plugin install secrets-mcp@datanoise --scope user
Both paths work out of the box: dist/ is a committed, self-contained
esbuild bundle with no runtime dependencies — installing the plugin requires
no npm step, only Node >= 20 on PATH.
Or just the MCP server, without the plugin:
$ claude mcp add --scope user secrets -- node /path/to/secrets-mcp/dist/index.js
Permissions: skipping the "allow this tool?" prompts
Claude Code asks before every MCP tool call unless the tool is allowlisted.
For the plugin, the tools are named mcp__plugin_secrets-mcp_secrets__<tool>
(standalone claude mcp add install: mcp__secrets__<tool>). Add rules to
~/.claude/settings.json (user-wide) or .claude/settings.json (per
project), or interactively via the /permissions command.
Recommended allowlist — everything whose consent already happens elsewhere or that cannot expose a value:
{
"permissions": {
"allow": [
"mcp__plugin_secrets-mcp_secrets__vault_list",
"mcp__plugin_secrets-mcp_secrets__vault_check",
"mcp__plugin_secrets-mcp_secrets__vault_set",
"mcp__plugin_secrets-mcp_secrets__vault_import",
"mcp__plugin_secrets-mcp_secrets__vault_delete",
"mcp__plugin_secrets-mcp_secrets__vault_render",
"mcp__plugin_secrets-mcp_secrets__vault_write",
"mcp__plugin_secrets-mcp_secrets__vault_cleanup"
]
}
}
vault_set, vault_import (with remove_source), and vault_delete open
native dialogs — the dialog is the consent, so auto-allowing the tool call
loses nothing. vault_list and vault_check return metadata only.
Deliberately not on the list:
- vault_run — executes arbitrary shell with secrets injected. The permission prompt showing you the command is the backstop against a malicious or confused command extracting a value past the redaction layer (see threat model). Keep it prompted.
- vault_http — sends stored credentials to whatever URL is in the call. A prompt showing the destination is what stands between a stored token and an unintended host. Keep it prompted.
If you accept those risks in a trusted workflow, one rule allows the whole
server: "mcp__plugin_secrets-mcp_secrets".
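One way to check a parsed settings.json for rules that take the prompt away from vault_run or vault_http, as an added example that is not part of the project. The function name and the sample settings are assumptions; the rule prefixes are the two tool-name forms given above.

```javascript
// Added example: flag allow rules that un-prompt vault_run / vault_http.
const SERVER_PREFIXES = [
  "mcp__plugin_secrets-mcp_secrets", // plugin install
  "mcp__secrets",                    // standalone `claude mcp add` install
];
const KEEP_PROMPTED = ["vault_run", "vault_http"];

// Takes the parsed contents of a settings.json and returns one finding
// per allow rule that removes a prompt the README says to keep.
function auditAllowlist(settings) {
  const allow = settings?.permissions?.allow;
  if (!Array.isArray(allow)) return []; // no allowlist: everything is prompted
  const findings = [];
  for (const rule of allow) {
    if (typeof rule !== "string") continue;
    for (const prefix of SERVER_PREFIXES) {
      if (rule === prefix) {
        findings.push({
          rule,
          reason: "allows the whole server, including vault_run and vault_http",
        });
      } else if (rule.startsWith(prefix + "__")) {
        const tool = rule.slice(prefix.length + 2);
        if (KEEP_PROMPTED.includes(tool)) {
          findings.push({ rule, reason: `${tool} would run without a prompt` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample settings, not taken from a real machine.
const SAMPLE_SETTINGS = {
  permissions: {
    allow: [
      "mcp__plugin_secrets-mcp_secrets__vault_list",
      "mcp__secrets__vault_run",
      "mcp__plugin_secrets-mcp_secrets",
    ],
  },
};
```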
Environment
Variable | Effect |
| Vault directory (default |
| Master key override, 64 hex chars — tests/headless use |
| Project directory override (default: server cwd) |
Development
$ npm test # vitest: crypto round-trips, scoping, redaction, injection, cleanup
Tests run against an isolated SECRETS_MCP_HOME with an env master key; they
never touch the real keychain or vault.