keyper
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@keyperlist all secrets in the vault"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
██╗ ██╗███████╗██╗ ██╗██████╗ ███████╗██████╗
██║ ██╔╝██╔════╝╚██╗ ██╔╝██╔══██╗██╔════╝██╔══██╗
█████╔╝ █████╗ ╚████╔╝ ██████╔╝█████╗ ██████╔╝
██╔═██╗ ██╔══╝ ╚██╔╝ ██╔═══╝ ██╔══╝ ██╔══██╗
██║ ██╗███████╗ ██║ ██║ ███████╗██║ ██║
╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝your keys, kept — encrypted, local, MCP-native
Stop pasting sk-... into your AI. keyper keeps your API keys and env vars
encrypted at rest on your own machine and hands them to your AI agent on demand
over the Model Context Protocol.
Why
Every time you paste an API key into a chat, it lands in a transcript, maybe a log, maybe a
training set. keyper breaks that habit. Your secrets live in one AES-256-GCM–encrypted file
that only unlocks with your OS keychain or a passphrase. Your AI asks keyper for what it
needs — and for the common case (calling an API, running a deploy) the value never even
enters the conversation.
🔐 Encrypted at rest — AES-256-GCM, per-secret nonce, secret-name bound as AAD.
🗝️ Unlocks your way — OS keychain (silent) or a scrypt-derived passphrase.
🤖 MCP-native — works with Claude Desktop, Claude Code, Cowork, or any MCP client.
🧾 Redacted execution —
run_with_secretsuses a key without ever showing it.🖥️ Local web UI — add and name keys with a click; nothing leaves
127.0.0.1.📄 One auditable file — ~800 lines of Python, two real dependencies.
Related MCP server: enigmagent-mcp
Quickstart
git clone https://github.com/sharziki/keyper
cd keyper
bash quickstart.shThat installs the deps, creates your vault, prints your MCP config line, and opens the web UI to add keys. Prefer to do it by hand? Read on.
Install
pip install cryptography "mcp[cli]" keyring
# keyring is only needed for keychain mode; skip it if you'll use --passphraseCreate a vault
python keyper.py init # keychain mode (master key in your OS keychain)
python keyper.py init --passphrase # or derive the key from a passphrase (scrypt)Add secrets
python keyper.py set OPENAI_API_KEY -d "personal key" # prompts (not in shell history)
echo -n 'sk-...' | python keyper.py set STRIPE_KEY # or pipe it in
python keyper.py import-env ./.env # or bulk-import a .env
python keyper.py list # names only, no values…or skip the terminal entirely:
python keyper.py ui # opens http://127.0.0.1:8765/?token=…add · name · describe · delete — all over localhost, token-gated, values encrypted the instant you save
Connect it to your AI
All clients run the same stdio command: python keyper.py serve. Use absolute paths.
claude mcp add keyper -- /usr/bin/python3 /abs/path/keyper.py serve
# passphrase mode:
claude mcp add keyper -e KEYPER_PASSPHRASE=your-passphrase -- /usr/bin/python3 /abs/path/keyper.py serve{
"mcpServers": {
"keyper": {
"command": "/usr/bin/python3",
"args": ["/abs/path/keyper.py", "serve"],
"env": { "KEYPER_PASSPHRASE": "your-passphrase" }
}
}
}Drop the env block if you use keychain mode. Restart the app afterward.
Then ask your AI things like "use run_with_secrets with OPENAI_API_KEY to list my models."
Tools the AI gets
Tool | Returns the value? | Use it for |
| ❌ names + descriptions | Discovering what's in the vault |
| ❌ metadata only | Details on one secret |
| ✅ plaintext into context | When the AI must read the raw value |
| ❌ redacted from output | Using a key without exposing it |
The one tradeoff:
get_secretputs a plaintext value into the model's context, where it could be logged. Preferrun_with_secrets— it injects secrets as environment variables into a subprocess and redacts any occurrence from the output. Treat aget_secretresult as you would the key itself.
How it protects your secrets
AES-256-GCM authenticated encryption; a fresh random 96-bit nonce per secret.
The secret's name is bound in as Additional Authenticated Data, so a ciphertext can't be silently moved onto another name without decryption failing.
Master key: 32 random bytes in your OS keychain, or scrypt (n=2¹⁵) from a passphrase. The vault file alone is useless without it.
Plaintext is never written to disk or to the audit log.
Vault file and
access.logare created0600.The web UI binds to 127.0.0.1, requires a per-launch token, and rejects any request whose
Hostheader isn't localhost (blocks DNS-rebinding from malicious sites).
Threat model, briefly
keyper protects secrets at rest and keeps them out of your shell history and out of
chat when you use run_with_secrets. It does not defend against malware already running
as your user, or against you asking the AI to get_secret and pasting the result somewhere
public.
Configuration
Variable | Purpose |
| Vault file path (default |
| Passphrase for passphrase-mode vaults (required by the server) |
| Value source for non-interactive |
| Set to disable the access log |
CLI: init · set · get · list · rm · rotate · import-env · ui · serve — run keyper <cmd> -h.
Contributing
Issues and PRs welcome — see CONTRIBUTING.md. keyper is intentionally small and auditable; changes that touch crypto or the UI's auth must spell out their threat-model impact.
License
MIT © 2026 Sharvil Saxena
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sharziki/keyper'
If you have feedback or need assistance with the MCP directory API, please join our Discord server