SecureCode
SecureCode is a secrets management MCP server for securely storing, managing, and accessing sensitive data (API keys, tokens, passwords) without exposing raw values in AI conversations. Secrets are encrypted with AES-256-GCM and stored in SecureCodeHQ's cloud.
Secret Management
Get (
get-secret): Retrieves a secret by injecting its value into a local file by default (AI never sees it), or usereveal: truefor audited direct accessList (
list-secrets): View all secrets with tags and expiration status — values never returnedCreate (
create-secret): Store new secrets with optional tags, description, domain, and TTLUpdate (
update-secret): Modify an existing secret's value, description, tags, or domainRenew (
renew-secret): Reactivate expired secrets or change their TTLDelete (
delete-secret): Soft-delete a secret (recoverable)
Import & Export
Import (
import-env): Securely import from.envfiles via a web interface (values bypass the AI)Export (
export-env): Export secrets as a.envfile or CSV
Session Management
Wake (
wake-session): Unlock secret access, optionally scoped to tags with an auto-sleep timerSleep (
sleep-session): Immediately lock the sessionStatus (
session-status): Check active state, scope restrictions, and time remainingByebye (
byebye): Lock session and clean all injected secret files from disk
Access Control & Security
Active rules (
get-active-rules): View tag-based MCP access rules (block, require confirmation, require session, block models, notify) — managed from the dashboardSecurity check (
security-check): Analyze the project for security issues and get hardening recommendationsAll access is logged with AI model, IP, machine identity, and timestamp; secrets never pass through third parties (local stdio transport)
Onboarding, Account & Help
Onboard (
onboard): Guided setup for signup,.envimport, API key creation, and MCP/SDK configurationStatus (
get-status): Check plan, usage limits, secret count, and server versionHelp (
help): Access documentation on tools, SDK, sessions, rules, and troubleshootingCompanion SDK (
@securecode/sdk): Load secrets at runtime in your applications
Allows for the secure import and export of environment variables via .env files, enabling users to migrate existing secrets into the secure vault and manage them within development environments.
@securecode/mcp-server
MCP Server for SecureCodeHQ. Lets Claude Code access your secrets securely without ever seeing them.
Quick Start
claude mcp add securecode -- npx -y @securecode/mcp-serverThen tell Claude Code:
Set up SecureCode in this projectThe onboard tool walks you through account creation, secret import, and configuration. Takes about 2 minutes.
What It Does
Your secrets (API keys, tokens, passwords) are encrypted with AES-256 and stored in SecureCode. Claude Code accesses them via MCP, but the actual values never appear in the chat.
When Claude reads a secret, the value is written to a local file on your machine. The AI gets the file path but never sees the raw value. This is inject mode, the default.
Tools
Tool | What it does |
| Guided setup: signup, import, API key, config, SDK |
| Get a secret (injected to file by default, |
| List all secrets with tags and expiry status |
| Create a new secret |
| Update value, description, or tags |
| Delete a secret |
| Renew expired secrets or change TTL |
| Import .env via secure web window (values never pass through AI) |
| Export secrets as .env or CSV |
| Check plan, usage, and MCP server version |
| Unlock session with optional scope and auto-sleep timer |
| Lock session and clean injected files |
| Check session state and time remaining |
| Lock session + clean all secrets from disk |
| List active MCP access rules (read-only) |
| Post-setup security hardening checks |
| Docs: tools, SDK, sessions, rules, troubleshooting |
MCP Access Rules
Control how AI agents access your secrets with tag-based policies. Created from the dashboard, enforced server-side.
Action | Effect |
Block Always | Secret only accessible from the dashboard |
Require Confirmation | Agent must acknowledge before accessing |
Require Session | Requires active session (wake-session) |
Block Models | Only allows specific AI models |
Notify | Sends email on access (non-blocking) |
Session Lock
You: "Wake my session for acme staging"
Claude: Session unlocked. Only acme/staging secrets accessible.
You: "byebye"
Claude: Session locked & secrets cleaned from disk.Sessions auto-sleep after configurable inactivity (default: 2 hours).
How It Works
Secret values are written to a local file, the AI never sees them (inject mode)
Explicit
reveal: truereturns value to AI (audited)Injected files are removed on sleep, byebye, or process exit
Multiple Claude Code instances don't collide (hash based on API key + PID)
Encrypted with AES-256-GCM using envelope encryption (Cloud KMS)
Every access is logged with AI model, IP, machine identity, and timestamp
Runs locally via stdio transport, secrets never pass through third parties
Device approval required on first use from each machine
SDK
The companion SDK lets your app load secrets at runtime:
npm install @securecode/sdkimport { loadEnv } from '@securecode/sdk';
await loadEnv(); // all secrets loaded into process.envLinks
Website: https://securecodehq.com
Requirements
Node.js >= 18
A SecureCodeHQ account (free tier: 50 secrets, 10K accesses/month)
License
MIT
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/juanisidoro/securecode-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server