Skip to main content
Glama
deenesjakoruzh
ggc180820

mcp-keyward

by ggc180820
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

🔐 mcp-keyguard

Your AI agent should never see your API keys. Now it won't.

mcp-keyguard is a local MCP server that acts as a secure proxy between your AI agent (Claude, Cursor, Windsurf...) and any external API.

Instead of pasting your OpenAI, Stripe or GitHub keys into the chat context, you store them encrypted on your machine. The agent calls mcp-keyguard, which injects the real key server-side and returns the result.

The key never leaves your machine. The agent never sees it.

Why this matters

In 2025, a vulnerability in a popular MCP hosting platform exposed thousands of API keys from over 3,000 servers. The root cause? Keys passed through infrastructure the user didn't control.

mcp-keyguard is the opposite: fully local, zero external dependencies, your keys encrypted at rest with AES-128.

How it works

Your prompt → Claude → mcp-keyguard → [injects real key] → External API
                           ↑
                    Key never leaves here

Installation

Requirements: Python 3.10+

pip install mcp httpx cryptography
git clone https://github.com/ggc180820/mcp-keyguard.git
cd mcp-keyguard

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "mcp-keyguard": {
      "command": "python",
      "args": ["/path/to/mcp-keyguard/main.py"]
    }
  }
}

Restart Claude Desktop. Done.

Usage

1. Store a key (you do this once per key)

"Use add_key to store my OpenAI key with alias 'openai',
header_name 'Authorization', header_prefix 'Bearer '"

2. Make authenticated requests (Claude does this automatically)

"Use make_request with alias 'openai' to call
https://api.openai.com/v1/models"

3. Check what's stored

"Use list_keys"
→ Shows aliases and headers. Never the real values.

Tools

Tool

What it does

add_key

Store an API key encrypted in the vault

list_keys

List stored aliases — values are never shown

make_request

Make an authenticated HTTP request, key injected server-side

delete_key

Remove a key from the vault

Security model

  • Keys are encrypted with Fernet (AES-128-CBC + HMAC-SHA256)

  • The encryption key lives in vault.key on your machine only

  • All HTTP requests are made locally with a 30s timeout

  • Never commit vault.key or vault.json to git (already in .gitignore)

mcp-keyguard Pro

Need more control? Pro adds:

Feature

Free

Pro

Encrypted local vault

Unlimited keys

Multiple vaults (per project/client)

Audit log (who used which key, when, where)

Key rotation alerts

👉 Get Pro — 5€/month

License

MIT — free forever for personal use.

This server cannot be installed

-
security - not tested
F
license - not found
-
quality - not tested

How are these scores calculated?

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ggc180820/mcp-keyguard'

If you have feedback or need assistance with the MCP directory API, please join our Discord server