agentic-keyvault
Allows binding a project to a GitHub repository, enabling automatic environment pulling within that repository.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@agentic-keyvaultstore my OpenAI key as OPENAI_API_KEY"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
agentic-keyvault
A Cloudflare-native secrets manager with a CLI and an MCP server. Never lose an API key again.
agentic-keyvault is a small, self-hostable secrets store that runs entirely on
Cloudflare Workers + D1. It gives you one source of truth for your API keys,
tokens, and environment variables — one that you (and your AI coding agents) can
read back, version, and rotate in a single place.
Why
AI coding agents increasingly generate and set secrets for you — random API keys, internal tokens, signing secrets — and push them straight into write-only encrypted stores (Cloudflare Worker secrets, Vercel env, etc.). Those stores never let you read the value back, so:
The value is lost the moment it's set — you never saw it, you can't reuse it.
Rotating a provider key (shown only once) means updating it in many places. Miss one and production breaks.
agentic-keyvault fixes this by being a store you own and can read from,
designed for both humans (CLI) and agents (MCP):
Projects group your secrets. A project can optionally bind to a GitHub repo origin, so
akv env pullinside a repo just works.General (repo-less) secrets live under a project too.
Every write is versioned and never deleted — nothing is ever lost.
Rotate once, read everywhere.
Related MCP server: Janee
Architecture
┌──────────────┐ ┌──────────────┐
human → │ CLI (akv) │ │ MCP server │ ← AI agent
└──────┬───────┘ └──────┬───────┘
│ bearer token (HTTPS) │
└───────────┬────────────┘
▼
┌───────────────────────┐
│ Cloudflare Worker │ REST API + envelope crypto
│ (Hono) │
└───────────┬───────────┘
▼
┌───────────────────────┐
│ Cloudflare D1 (SQLite)│ encrypted secret versions + metadata
└───────────────────────┘Storage: Cloudflare D1. Queryable, transactional, versioned. Secret values are stored only as ciphertext.
Encryption: envelope encryption with
AES-256-GCM. A master key (KEK) lives as a Worker secret; each secret version has its own random data key (DEK) that is wrapped by the KEK. A D1/backup leak alone reveals nothing.Auth: opaque bearer tokens, stored SHA-256 hashed. Admin token plus project-scoped read-only / read-write tokens for agents.
See docs/ARCHITECTURE.md for the full design and threat model.
Packages
Package | Description |
Cloudflare Worker — REST API, envelope crypto, D1 access | |
| |
stdio MCP server for AI agents | |
shared API client + types |
Status
Early development. Built in phases — see docs/ARCHITECTURE.md.
License
MIT © Hitesh Sisara
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Hitesh-Sisara/agentic-keyvault'
If you have feedback or need assistance with the MCP directory API, please join our Discord server