Earl
Enables secure retrieval of secrets from 1Password for use in template operations.
Allows executing GitHub API operations, such as searching repositories, via HCL templates.
Allows executing GraphQL API queries and mutations via HCL templates.
Enables secure retrieval of secrets from HashiCorp Vault for use in template operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Earlsearch GitHub for repositories with over 100 stars"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Earl sits between agents and external services. Operations are HCL files committed to your repository. The LLM sees a tool name and description; it never reads the template body. An injected instruction in an API response has nowhere to land because the LLM isn't reading the part of the request that executes.
Secrets stay in the OS keychain. They aren't in tool arguments, tool descriptions, or output.
Quick start
# Install
curl -fsSL https://raw.githubusercontent.com/mathematic-inc/earl/main/scripts/install.sh | bash
# Import a provider template
earl templates import https://raw.githubusercontent.com/mathematic-inc/earl/main/examples/github.hcl
# Store a secret — prompts for the value, not echoed
earl secrets set github.token
# Call a command
earl call --yes --json github.search_repos --query "language:rust stars:>100"To use Earl as MCP tools in your agent, add it to your MCP config and restart. Claude Code and Cursor use the same format:
{
"mcpServers": {
"earl": {
"command": "earl",
"args": ["mcp", "stdio"]
}
}
}MCP tools don't activate until after restart. In the current session, use earl call --yes --json through the Bash tool.
See Quick Start for the full walkthrough, or Agent-Assisted Setup to let an agent handle the install and configuration.
Related MCP server: Aegis
How it works
You write an HCL template describing an operation: method, URL, auth, parameters. When an agent calls the tool, Earl loads the template, reads the required secret from the OS keychain, renders the Jinja expressions against the agent's supplied values, and executes the request. The LLM only ever provided parameter values. Every other part of the request — the URL, the auth header, the method — was written by a human and committed to the repo.
See How Earl Works for the full security model.
Documentation
Introduction — why Earl exists, how the security model works
Quick Start — install, first call, MCP config in five steps
Writing Templates — HTTP, GraphQL, gRPC, Bash, SQL; auth; result formatting
Template Schema — field-by-field reference
Secrets & Auth — OS keychain storage, OAuth2 flows
External Secrets — 1Password, Vault, AWS, GCP, Azure
MCP Integration — stdio and HTTP transport, full vs. discovery mode
Policy Engine — JWT auth and access control for HTTP deployments
Environments — production, staging, and per-environment overrides
Hardening — SSRF protection, egress allowlist, production checklist
Commands — complete CLI reference
Troubleshooting — keychain errors, template validation, MCP issues
License
Apache-2.0
This project is free and open-source work by a 501(c)(3) non-profit. If you find it useful, please consider donating.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mathematic-inc/earl'
If you have feedback or need assistance with the MCP directory API, please join our Discord server