Skip to main content
Glama
juanisidoro

SecureCode

by juanisidoro
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Local

@securecode/mcp-server

MCP Server for SecureCodeHQ. Lets Claude Code access your secrets securely without ever seeing them.

Quick Start

claude mcp add securecode -- npx -y @securecode/mcp-server

Then tell Claude Code:

Set up SecureCode in this project

The onboard tool walks you through account creation, secret import, and configuration. Takes about 2 minutes.

What It Does

Your secrets (API keys, tokens, passwords) are encrypted with AES-256 and stored in SecureCode. Claude Code accesses them via MCP, but the actual values never appear in the chat.

When Claude reads a secret, the value is written to a local file on your machine. The AI gets the file path but never sees the raw value. This is inject mode, the default.

Tools

Tool

What it does

onboard

Guided setup: signup, import, API key, config, SDK

get-secret

Get a secret (injected to file by default, reveal: true to show to AI)

list-secrets

List all secrets with tags and expiry status

create-secret

Create a new secret

update-secret

Update value, description, or tags

delete-secret

Delete a secret

renew-secret

Renew expired secrets or change TTL

import-env

Import .env via secure web window (values never pass through AI)

export-env

Export secrets as .env or CSV

get-status

Check plan, usage, and MCP server version

wake-session

Unlock session with optional scope and auto-sleep timer

sleep-session

Lock session and clean injected files

session-status

Check session state and time remaining

byebye

Lock session + clean all secrets from disk

get-active-rules

List active MCP access rules (read-only)

security-check

Post-setup security hardening checks

help

Docs: tools, SDK, sessions, rules, troubleshooting

MCP Access Rules

Control how AI agents access your secrets with tag-based policies. Created from the dashboard, enforced server-side.

Action

Effect

Block Always

Secret only accessible from the dashboard

Require Confirmation

Agent must acknowledge before accessing

Require Session

Requires active session (wake-session)

Block Models

Only allows specific AI models

Notify

Sends email on access (non-blocking)

Session Lock

You: "Wake my session for acme staging"
Claude: Session unlocked. Only acme/staging secrets accessible.

You: "byebye"
Claude: Session locked & secrets cleaned from disk.

Sessions auto-sleep after configurable inactivity (default: 2 hours).

How It Works

  • Secret values are written to a local file, the AI never sees them (inject mode)

  • Explicit reveal: true returns value to AI (audited)

  • Injected files are removed on sleep, byebye, or process exit

  • Multiple Claude Code instances don't collide (hash based on API key + PID)

  • Encrypted with AES-256-GCM using envelope encryption (Cloud KMS)

  • Every access is logged with AI model, IP, machine identity, and timestamp

  • Runs locally via stdio transport, secrets never pass through third parties

  • Device approval required on first use from each machine

SDK

The companion SDK lets your app load secrets at runtime:

npm install @securecode/sdk
import { loadEnv } from '@securecode/sdk';
await loadEnv(); // all secrets loaded into process.env

SDK on npm

Links

Requirements

  • Node.js >= 18

  • A SecureCodeHQ account (free tier: 50 secrets, 10K accesses/month)

License

MIT

Install Server
A
security – no known vulnerabilities
A
license - permissive license
A
quality - confirmed to work

How are these scores calculated?

Resources

Tools

View all tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/juanisidoro/securecode-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server