VaultBridge
Allows AI agents to securely search, retrieve, and inject secrets from Bitwarden vaults without exposing secret values to the LLM.
Allows AI agents to securely search, retrieve, and inject secrets from self-hosted Vaultwarden instances without exposing secret values to the LLM.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@VaultBridge search for AWS access keys"
That's it! The server will respond to your query, and you can continue using it as needed.
VaultBridge
Secret management for AI coding agents. Your secrets never enter the LLM context window.
The Problem
29 million secrets were leaked on GitHub in 2025 (GitGuardian State of Secrets Sprawl), up 25% year-over-year
AI-assisted commits leak secrets at 2x the baseline rate — autocomplete and agent workflows bypass the muscle memory that keeps developers from pasting keys into code
24,000+ secrets found in MCP config files — the new claude_desktop_config.json is the new .env committed to git
Every secret in the LLM context window is sent to the AI provider's servers — even if the model never prints it, it was transmitted and processed
VaultBridge is an MCP server that gives AI agents access to your secrets without ever exposing the values. The agent sees metadata (names, services, env var mappings). The actual values flow through a side channel directly to their targets.
How It Works
┌─── Your Machine ─────────────────────────────────────────────┐
│                                                              │
│   Claude Code / Cursor / Windsurf / AI Agent                 │
│            │                                                 │
│            │  MCP Protocol (tool calls)                      │
│            ▼                                                 │
│   ┌─────────────────────────────────────────────────┐        │
│   │  VaultBridge MCP Server                         │        │
│   │  ● Returns metadata only (names, IDs, mappings) │        │
│   │  ● Secret values NEVER in tool responses        │        │
│   └────────┬───────────────────────────┬────────────┘        │
│            │                           │                     │
│        MCP Tools               Hook API (:9847)              │
│    (search, inject,            (capture, redact,             │
│    manifest, status)          check-value, redeem)           │
│            │                           │                     │
│            ▼                           ▼                     │
│   ┌─────────────────────────────────────────────────┐        │
│   │  Bitwarden CLI (bw / rbw)                       │        │
│   └────────────────────┬────────────────────────────┘        │
│                        │                                     │
│                        ▼                                     │
│   ┌─────────────────────────────────────────────────┐        │
│   │  Vaultwarden / Bitwarden Cloud (encrypted)      │        │
│   └─────────────────────────────────────────────────┘        │
│                                                              │
│   Hooks: auto-capture · redact · leak-prevent                │
└──────────────────────────────────────────────────────────────┘
Data flow: The agent calls vault_search and gets back names and IDs. When it needs a value, it calls vault_inject which writes directly to a .env file, clipboard, or template — the value never appears in the tool response. Hooks intercept secrets in shell output and file writes before they reach the LLM.
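The split described in the data flow, where the value goes to the target and only a confirmation goes back to the agent, can be shown with a .env target. This is an added example, not VaultBridge's own code; the function names, the response field names and the sample file content are assumptions.

```typescript
// Added example, not VaultBridge source: .env injection with a metadata-only reply.
// The response field names are hypothetical.
interface InjectResult {
  envText: string; // side channel: goes to disk, never into the tool response
  response: { target: string; path: string; envVar: string; action: string };
}

// Single-quote the value. Values containing a quote, backslash or line break
// are refused rather than escaped: a line break would add extra KEY=value
// lines, and escape handling differs between .env loaders.
function quoteEnvValue(value: string): string {
  if (/[\r\n'\\]/.test(value)) {
    throw new Error("value cannot be written safely to a .env file");
  }
  return "'" + value + "'";
}

function injectIntoEnv(envText: string, path: string, envVar: string, value: string): InjectResult {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(envVar)) {
    throw new Error("invalid environment variable name");
  }
  const line = envVar + "=" + quoteEnvValue(value);
  const lines: string[] = envText === "" ? [] : envText.replace(/\n$/, "").split("\n");
  let action = "added";
  for (let i = 0; i < lines.length; i++) {
    if ((lines[i] || "").indexOf(envVar + "=") === 0) {
      lines[i] = line; // replace the existing assignment in place
      action = "replaced";
    }
  }
  if (action === "added") lines.push(line);
  return {
    envText: lines.join("\n") + "\n",
    response: { target: "env-file", path: path, envVar: envVar, action: action },
  };
}

// Constructed .env content with a stale value.
const SAMPLE_ENV = "NODE_ENV=dev\nDB_PASSWORD=old\n";
```

Only `response` would be serialized into the tool result; `envText` is what the server writes to the file.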
Quick Start
Prerequisites
Runtime: Bun 1.0+ or Node.js 18+
Vault CLI: Bitwarden CLI (bw) or rbw
Vault backend: Vaultwarden (self-hosted) or Bitwarden cloud account
1. Install
Add to your Claude Code MCP config (~/.claude/settings.json):
{
  "mcpServers": {
    "vaultbridge": {
      "command": "bun",
      "args": ["run", "/path/to/vaultbridge-mcp-server/src/index.ts"],
      "env": {
        "BW_SESSION": "<your-bitwarden-session-key>",
        "BW_URL": "https://vault.example.com"
      }
    }
  }
}
2. Unlock your vault
# Bitwarden CLI
export BW_SESSION=$(bw unlock --raw)
# Or rbw
rbw unlock
3. Verify
Ask your agent: "Check vault status" — it will call vault_status and confirm the connection.
MCP Tools
Tool | Description | Returns Values? |
| Search secrets by name, service, project, environment | Never |
| Store a new secret (generated passwords only via tool) | Never |
| Inject a secret into .env, clipboard, or template file | Never |
| Populate .env from .env.example using vault lookups | Never |
| Read project secret manifest (.vault-manifest.json) | Never |
| Check vault connection and lock state | N/A |
Claude Code Hooks
VaultBridge ships with three hooks that form a defense-in-depth layer:
Hook | Trigger | What It Does |
|
| Scans shell output for secrets (pattern + entropy detection), auto-captures to vault, redacts from context |
|
| Blocks file writes containing detected secrets; suggests |
|
| Loads project manifest, pre-warms vault connection, registers env var mappings |
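The following added example shows one way a hook can combine pattern and entropy detection on shell output and redact hits before the text reaches the model. It is not VaultBridge's own code; the rule names, the 20-character minimum, the 4.0 bits/char threshold and the sample output are assumptions.

```typescript
// Added example, not VaultBridge source: pattern + entropy scan with redaction.
interface Finding { rule: string; value: string }
interface ScanResult { redacted: string; findings: Finding[] }

// Public key formats; the rule names are this example's own.
const PATTERN_RULES: { rule: string; re: RegExp }[] = [
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { rule: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];
// Assumed tuning: runs of 20+ token characters above 4.0 bits/char are secrets.
// A 40-char hex digest (16 symbols) stays below 4.0, so commit hashes survive.
const CANDIDATE = /[A-Za-z0-9+\/_-]{20,}/g;
const ENTROPY_THRESHOLD = 4.0;

// Shannon entropy in bits per character.
function shannonEntropy(s: string): number {
  const counts: { [ch: string]: number } = {};
  for (let i = 0; i < s.length; i++) {
    const ch = s.charAt(i);
    counts[ch] = (counts[ch] || 0) + 1;
  }
  let h = 0;
  for (const ch in counts) {
    const p = (counts[ch] || 0) / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}
// Returns the text that may enter the LLM context plus the values to capture.
function scanAndRedact(output: string): ScanResult {
  const findings: Finding[] = [];
  let redacted = output;
  PATTERN_RULES.forEach(function (r) {
    redacted = redacted.replace(r.re, function (m: string): string {
      findings.push({ rule: r.rule, value: m });
      return "[REDACTED:" + r.rule + "]";
    });
  });
  redacted = redacted.replace(CANDIDATE, function (m: string): string {
    if (shannonEntropy(m) <= ENTROPY_THRESHOLD) return m;
    findings.push({ rule: "high-entropy", value: m });
    return "[REDACTED:high-entropy]";
  });
  return { redacted: redacted, findings: findings };
}
// Constructed shell output; every value below is fake.
const SAMPLE_OUTPUT = [
  "commit 3f2a9c1b7e4d8056a1c3e5f7092b4d6e8f0a1c2d",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "API_TOKEN=q7Zr2LmX9vKb4TgHs8NcW1yFd6JpE3uA",
].join("\n");
```

The `findings` array is what a capture step would hand to the vault; only `redacted` would be returned to the agent.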
Hook configuration in .claude/settings.json:
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Bash",
        "hooks": [{
          "type": "command",
          "command": "curl -s http://127.0.0.1:9847/api/check-value -d '{\"value\":\"$TOOL_OUTPUT\"}' | jq -r '.should_block'"
        }]
      }
    ]
  }
}
Configuration
Environment Variable | Default | Description |
|
| Transport mode: |
|
| Port for Hook API (and HTTP transport) |
| (generated) | Bearer token for HTTP endpoints |
|
| Vault CLI backend: |
| — | Bitwarden session key (required for |
| — | Vaultwarden/Bitwarden server URL |
See docs/configuration.md for the complete reference.
Security Model
What's protected
Secret values never appear in MCP tool responses — the LLM cannot see them
The Hook API runs on 127.0.0.1 only in stdio mode — no network exposure
One-time redeem tokens expire in 10 seconds and are single-use
Clipboard injection auto-clears after a configurable TTL (default 30s)
What's visible to the agent
Secret metadata: names, IDs, service labels, project/environment tags, env var mappings
Vault connection status (locked/unlocked, server URL, email)
Injection confirmations (target type, file path — never the value)
Defense layers
MCP layer — Tools return metadata only; vault_inject writes to targets via side channel
Hook layer — post-bash scans output for secrets before the LLM sees it; pre-write blocks file writes containing secrets
Vault layer — All secrets encrypted at rest in Vaultwarden/Bitwarden; accessed via CLI with session authentication
Transport layer — HTTP mode requires Bearer token auth; stdio mode binds to localhost only
Comparison
vs Indie/Open-Source Projects
Feature | VaultBridge | ||||
Values never reach LLM | Yes | Yes | No (leases expose) | Yes | Partial |
Auto-capture from output | Yes | No | No | No | Yes |
Leak prevention (block writes) | Yes | No | No | No | No |
Uses existing password manager | Yes (Bitwarden) | No (own store) | No (age files) | No (OS keychain) | No (Fernet vault) |
MCP server | Yes | Yes | No | Yes | No |
Claude Code hooks | Yes | No | No | No | Partial |
Team/workspace support | No | Yes | No | No | No |
Session leases / TTL | No | No | Yes | No | Yes |
vs Enterprise Products
Feature | VaultBridge | 1Password Unified | GitHub Secret Scanning | Bitwarden MCP |
Auto-capture from shell output | Yes | No | No | No |
Pre-LLM redaction (hooks) | Yes | No | No | No |
Leak prevention on file write | Yes | No | Post-commit only | No |
Metadata-only responses | Yes | No (returns values) | N/A | No (returns values) |
Open source | Yes | No | Partial | Yes |
Self-hostable vault | Yes | No | N/A | Yes |
MCP native | Yes | No | No | Yes |
VaultBridge's niche: The only tool that combines Bitwarden integration + auto-capture + pre-LLM redaction + leak prevention in one system. AgentSecrets is the closest competitor but uses its own encrypted store and takes a network proxy approach instead of hooks.
Development
# Clone
git clone https://github.com/Code-for-100k/vaultbridge.git
cd vaultbridge
# Install dependencies
bun install
# Type check
bun run typecheck
# Run in stdio mode (local dev)
bun run start
# Run in HTTP mode
bun run start:http
# Build
bun run build
See CONTRIBUTING.md for the full development guide.
Architecture
VaultBridge operates as a 4-layer system:
Agent Layer — Claude Code / Cursor makes MCP tool calls
MCP Server Layer — Processes requests, enforces metadata-only responses
Hook Layer — Intercepts secrets in shell output and file writes
Vault Layer — Bitwarden CLI talks to encrypted storage
See docs/architecture.md for detailed diagrams and data flow documentation.
License
MIT - Copyright 2026 Code-for-100k Contributors