Skip to main content
Glama

Keiko

Secure secrets manager for AI agents. Keiko lets AI tools like Claude Code use API tokens, passwords, and credentials without ever seeing the actual values.

The Problem

AI agents need API tokens to do useful work — calling APIs, deploying code, managing infrastructure. But passing secret values through an AI's context window is a security risk: they appear in conversation logs, tool responses, and potentially in training data.

Related MCP server: Vault MCP

How Keiko Solves It

Keiko uses a proxy pattern. The AI agent tells Keiko what command to run and which secrets it needs, but never sees the secret values themselves:

AI Agent ──► Keiko MCP Server ──► Keiko Backend
                   │                      │
              resolves secrets ◄── HTTPS ──┘
                   │
              spawns: bash -c "your command"
              with secrets as env vars
                   │
              captures output
              sanitizes (redacts leaked values)
                   │
AI Agent ◄── clean output only

The AI says "run this curl command with my API token" — Keiko injects the token as an environment variable, runs the command, scans the output for any leaked values, redacts them, and returns clean output.

Quick Start

1. Deploy the backend

The backend stores secrets encrypted (AES-256-GCM) and serves them over HTTPS. Deploy with Docker to any platform with persistent storage:

# Generate an encryption key
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

# Deploy (Railway, Render, Fly, Docker Compose, etc.)
# See docs/setup-guide.md for full instructions

2. Set up the MCP server

The MCP server runs on each machine that needs access to secrets. It's a standalone package with only 2 dependencies — no native compilation needed.

cd packages/mcp
npm install
npm run build
node dist/index.js --store-token YOUR_TOKEN

3. Connect to Claude Code

Add to ~/.mcp.json:

{
  "mcpServers": {
    "keiko": {
      "command": "node",
      "args": ["/absolute/path/to/keiko/packages/mcp/dist/index.js"],
      "env": {
        "KEIKO_URL": "https://your-keiko-backend.example.com"
      }
    }
  }
}

Restart Claude Code. Ask "Check Keiko session status" to verify.

How the AI Uses It

Once connected, the AI discovers available secrets and uses them in commands — without ever seeing the values:

AI: list_secrets
→ my_api_token [Bearer token in Authorization header]

AI: run_with_secrets
   command: curl -s -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data
   secrets: [{env: "API_TOKEN", name: "my_api_token"}]
→ {"data": [...]}  (secret values redacted from output)

Each secret includes auth_pattern and auth_instructions metadata, so the AI knows how to use it without external documentation.

MCP Tools

Tool

Purpose

run_with_secrets

Run a command with secrets injected as env vars

list_secrets

Discover available secrets (names and auth patterns only)

session_status

Check authentication state

lock

Kill switch — revoke all active sessions

set_ttl

Configure session expiry (0.5–24 hours)

add_secret

Create a new secret

update_secret

Replace an existing secret's value

get_guide

Fetch the usage guide

Security

  • Encryption at rest — AES-256-GCM with per-secret random IV, plus versioned keys (ENCRYPTION_KEY, ENCRYPTION_KEY_V2, …) and an in-place rotation endpoint so the key can be rotated without downtime

  • Hashed auth tokens — 64-char hex tokens, SHA-256 hashed in the database, plaintext shown once

  • Token scoping — each token is restricted to a set of secret-name glob patterns (e.g. railway_*), so a leaked token only exposes the slice of the vault it actually needs

  • Output sanitization — command output scanned for secret values in raw, base64, base64url, URL-encoded, hex, JSON-string-escaped, and HTML-entity-escaped forms

  • Per-token rate limit — independent of per-IP, caps abuse from a single token routed through multiple IPs

  • CSRF protectionX-CSRF-Token header required on every mutating admin-UI endpoint

  • Session management — configurable TTL, auto-refresh, global kill switch

  • Audit trail — every action logged with token ID, session ID, IP, and timestamp

Secret values never appear in AI tool responses, conversation logs, or on disk on client machines. See GET /api/guide for the full threat model — what the proxy pattern does and does not prevent.

Architecture

keiko/
├── packages/mcp/          # MCP server (runs on your machine)
│   ├── src/
│   │   ├── server.ts       #   7 tool registrations
│   │   ├── client.ts       #   HTTPS client to backend
│   │   ├── executor.ts     #   Shell spawner + env var injection
│   │   ├── sanitizer.ts    #   Output redaction
│   │   └── keychain.ts     #   OS keychain (Win/Mac/Linux)
│   └── package.json        #   2 deps: @modelcontextprotocol/sdk + zod
│
├── src/                    # Backend API (runs on your server)
│   ├── api/                #   Express routes, auth, crypto
│   └── ui/                 #   EJS admin templates
│
└── Dockerfile              # Multi-stage production build

The MCP server and backend are fully independent packages. The MCP server has zero native dependenciesnpm install works everywhere without compilers or --ignore-scripts.

Platform Support

Environment

Token Storage

Notes

Windows

Windows Credential Manager

Commands run via Git Bash (not WSL)

macOS

macOS Keychain

System bash

Linux

libsecret

Requires secret-tool

Docker / CI

KEIKO_TOKEN env var

No keychain needed

Documentation

  • Setup Guide — Full setup instructions for all environments, backend deployment, troubleshooting, API reference, and configuration options

Tech Stack

Backend: Node.js 20, TypeScript, Express, SQLite (better-sqlite3), EJS, Google OAuth

MCP Server: Node.js 20, TypeScript, MCP SDK v1.x, Zod

Deployment: Docker (multi-stage build), any platform with persistent volumes. Tested with Railway.

F
license - not found
-
quality - not tested
A
maintenance

Maintenance

Maintainers
Response time
Release cycle
1Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/goldtopcollective/keiko'

If you have feedback or need assistance with the MCP directory API, please join our Discord server