Keiko
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@KeikoRun curl with my_api_token to fetch https://api.example.com/data"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Keiko
Secure secrets manager for AI agents. Keiko lets AI tools like Claude Code use API tokens, passwords, and credentials without ever seeing the actual values.
The Problem
AI agents need API tokens to do useful work — calling APIs, deploying code, managing infrastructure. But passing secret values through an AI's context window is a security risk: they appear in conversation logs, tool responses, and potentially in training data.
Related MCP server: Vault MCP
How Keiko Solves It
Keiko uses a proxy pattern. The AI agent tells Keiko what command to run and which secrets it needs, but never sees the secret values themselves:
AI Agent ──► Keiko MCP Server ──► Keiko Backend
│ │
resolves secrets ◄── HTTPS ──┘
│
spawns: bash -c "your command"
with secrets as env vars
│
captures output
sanitizes (redacts leaked values)
│
AI Agent ◄── clean output onlyThe AI says "run this curl command with my API token" — Keiko injects the token as an environment variable, runs the command, scans the output for any leaked values, redacts them, and returns clean output.
Quick Start
1. Deploy the backend
The backend stores secrets encrypted (AES-256-GCM) and serves them over HTTPS. Deploy with Docker to any platform with persistent storage:
# Generate an encryption key
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# Deploy (Railway, Render, Fly, Docker Compose, etc.)
# See docs/setup-guide.md for full instructions2. Set up the MCP server
The MCP server runs on each machine that needs access to secrets. It's a standalone package with only 2 dependencies — no native compilation needed.
cd packages/mcp
npm install
npm run build
node dist/index.js --store-token YOUR_TOKEN3. Connect to Claude Code
Add to ~/.mcp.json:
{
"mcpServers": {
"keiko": {
"command": "node",
"args": ["/absolute/path/to/keiko/packages/mcp/dist/index.js"],
"env": {
"KEIKO_URL": "https://your-keiko-backend.example.com"
}
}
}
}Restart Claude Code. Ask "Check Keiko session status" to verify.
How the AI Uses It
Once connected, the AI discovers available secrets and uses them in commands — without ever seeing the values:
AI: list_secrets
→ my_api_token [Bearer token in Authorization header]
AI: run_with_secrets
command: curl -s -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data
secrets: [{env: "API_TOKEN", name: "my_api_token"}]
→ {"data": [...]} (secret values redacted from output)Each secret includes auth_pattern and auth_instructions metadata, so the AI knows how to use it without external documentation.
MCP Tools
Tool | Purpose |
| Run a command with secrets injected as env vars |
| Discover available secrets (names and auth patterns only) |
| Check authentication state |
| Kill switch — revoke all active sessions |
| Configure session expiry (0.5–24 hours) |
| Create a new secret |
| Replace an existing secret's value |
| Fetch the usage guide |
Security
Encryption at rest — AES-256-GCM with per-secret random IV, plus versioned keys (
ENCRYPTION_KEY,ENCRYPTION_KEY_V2, …) and an in-place rotation endpoint so the key can be rotated without downtimeHashed auth tokens — 64-char hex tokens, SHA-256 hashed in the database, plaintext shown once
Token scoping — each token is restricted to a set of secret-name glob patterns (e.g.
railway_*), so a leaked token only exposes the slice of the vault it actually needsOutput sanitization — command output scanned for secret values in raw, base64, base64url, URL-encoded, hex, JSON-string-escaped, and HTML-entity-escaped forms
Per-token rate limit — independent of per-IP, caps abuse from a single token routed through multiple IPs
CSRF protection —
X-CSRF-Tokenheader required on every mutating admin-UI endpointSession management — configurable TTL, auto-refresh, global kill switch
Audit trail — every action logged with token ID, session ID, IP, and timestamp
Secret values never appear in AI tool responses, conversation logs, or on disk on client machines. See GET /api/guide for the full threat model — what the proxy pattern does and does not prevent.
Architecture
keiko/
├── packages/mcp/ # MCP server (runs on your machine)
│ ├── src/
│ │ ├── server.ts # 7 tool registrations
│ │ ├── client.ts # HTTPS client to backend
│ │ ├── executor.ts # Shell spawner + env var injection
│ │ ├── sanitizer.ts # Output redaction
│ │ └── keychain.ts # OS keychain (Win/Mac/Linux)
│ └── package.json # 2 deps: @modelcontextprotocol/sdk + zod
│
├── src/ # Backend API (runs on your server)
│ ├── api/ # Express routes, auth, crypto
│ └── ui/ # EJS admin templates
│
└── Dockerfile # Multi-stage production buildThe MCP server and backend are fully independent packages. The MCP server has zero native dependencies — npm install works everywhere without compilers or --ignore-scripts.
Platform Support
Environment | Token Storage | Notes |
Windows | Windows Credential Manager | Commands run via Git Bash (not WSL) |
macOS | macOS Keychain | System bash |
Linux | libsecret | Requires |
Docker / CI |
| No keychain needed |
Documentation
Setup Guide — Full setup instructions for all environments, backend deployment, troubleshooting, API reference, and configuration options
Tech Stack
Backend: Node.js 20, TypeScript, Express, SQLite (better-sqlite3), EJS, Google OAuth
MCP Server: Node.js 20, TypeScript, MCP SDK v1.x, Zod
Deployment: Docker (multi-stage build), any platform with persistent volumes. Tested with Railway.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/goldtopcollective/keiko'
If you have feedback or need assistance with the MCP directory API, please join our Discord server