s-gw MCP server
Integrates with 1Password as a credential store, enabling secure resolution of typed handles to secrets stored in 1Password without exposing raw credentials.
Provides agent-specific configuration for GitHub Copilot, allowing it to interact with s-gw for credential handling via typed handles and scoped action requests.

s-gw is a local gateway between coding agents and credentials. Agents work with typed handles and scoped action requests. You approve the request on your machine, s-gw resolves the credential inside a constrained local process, and the agent gets sanitized output instead of the raw value.
s-gw is an early preview. Storage formats and interfaces may change, Windows support is still experimental, and the project has not completed an independent security audit. Do not treat it as a replacement for endpoint security or a hardened enterprise secrets platform yet.
What It Does
Govern | Approve | Execute | Audit |
Turn secrets into typed local handles that agents can reference safely. | Review the requesting agent, handle, command, environment binding, working directory, and target before access is granted. | Inject the credential only into the approved child process on the same machine. | Record request, approval, execution, policy, and destination evidence without storing returned raw secrets. |
Why Teams Use It
Local custody: raw values stay in macOS Keychain, Windows Credential Manager, 1Password, or the encrypted local ledger.
Action-scoped access: grants bind to the agent, handle, command, environment variable, working directory, target, approval mode, and optional time window.
Useful handles: agents can request real work with stable handle names instead of seeing keys, passwords, tokens, or SSH material.
Output sanitization: command output is scanned before it returns to the agent, replacing detected credential values with handles.
Agent-aware setup: Codex, Claude Code, Cursor, OpenCode, Gemini CLI, GitHub Copilot, VS Code, and other MCP clients get profile-specific configuration.
Local operator UI: the macOS app, menu helper, CLI, and web console show approvals, credential inventory, policies, usage flow, activity, and audit history.
Demo
Public demo: s-gw.com. The demo highlights the local console, trust loop, approval flow, supported agent catalog, and usage map.

How It Works
flowchart LR
A["Coding agent"] -->|"Handle + action request"| G["s-gw local gateway"]
G --> U["Local approval"]
U --> R["Constrained runner"]
K[("Keychain / Credential Manager / encrypted store")] --> R
R -->|"Sanitized output"| G
G --> A
The agent never needs the unlock passphrase or raw credential. Approval is scoped to the requested operation rather than granting general access to the store.
Core Surfaces
Surface | Purpose |
| Setup, credential enrollment, approvals, policies, agent snippets, guard mode, and diagnostics. |
| Stdio MCP server for agent-facing handle discovery and request creation. |
Native macOS app | Approval queue, credential inventory, policy rules, usage flow, activity, and audit review. |
Menu-bar helper | Fast visibility into pending approvals and local daemon status. |
Local web console | Browser-accessible fallback UI bound to |
Guard mode | Launch agents with credential-looking environment values replaced by s-gw handles. |
Quick Start
Requirements: Node.js 20 or newer.
npm install -g @s-gw/s-gw
s-gw setup
s-gw status
To build from source, use a stable Rust toolchain. Building the native macOS surfaces also requires a Swift toolchain.
git clone https://github.com/sgateway/s-gw.git
cd s-gw
npm ci
npm run build
npm link
s-gw setup
s-gw status
s-gw setup generates local unlock material, stores it in the operating system credential store, initializes the encrypted ledger, and starts the local UI surfaces available on the current platform.
Add a credential from your terminal without placing the value in chat or a process argument:
printf '%s' "$MY_API_TOKEN" | s-gw secret add-keychain \
--name demo-token \
--type api-token \
--value-stdin \
--inject-env API_TOKEN \
--allow-command "$(command -v printenv)"
Then inspect the non-secret handle metadata:
s-gw secret list
The end-to-end trust loop walks through a disposable request, local approval, execution, and output sanitization without touching a real credential.
Agent Integration
List the known agent profiles and render the configuration for one client:
s-gw agent list
s-gw agent mcp-snippet codex
s-gw agent mcp-snippet claude-code
s-gw agent mcp-snippet opencode
For CLI agents, guard mode can replace credential-looking launch environment values with s-gw handles before the agent starts:
s-gw run codex --dry-run -- -v
s-gw run codex -- --ask-for-approval never
MCP registration does not intercept every prompt, file read, shell, or environment variable. See agent integration and the agent profile matrix for the supported paths and current limitations.
Example Request Flow
An agent sees s-gw:credential:prod-readonly and asks to run aws sts get-caller-identity.
s-gw creates a pending request with the agent name, command, handle, environment binding, working directory, target, and policy result.
You approve once, for a time window, for the login session, or deny it.
s-gw starts the approved local process with the credential injected into the requested environment variable.
s-gw scans the process output before it returns to the agent.
The model can complete the task without receiving the raw access key.
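The request flow above, modelled as an added example that is not s-gw's own code: a grant is checked field by field, the credential is injected only into the approved child's environment, and the child's output is scanned before it is returned. The `Request`/`Grant` types, field names, the in-memory `STORE` and the sample token are assumptions made for illustration.

```python
import os, subprocess, sys, time
from dataclasses import dataclass

# Fields a grant is bound to in this model (hypothetical names).
BOUND = ("agent", "handle", "command", "inject_env", "cwd")

@dataclass(frozen=True)
class Request:
    agent: str
    handle: str
    command: tuple
    inject_env: str
    cwd: str

@dataclass(frozen=True)
class Grant(Request):
    not_after: float = 0.0  # end of the approved time window (epoch seconds)

def allowed(grant, req, now):
    """Exact match on every bound field, inside the time window."""
    return now <= grant.not_after and all(
        getattr(grant, f) == getattr(req, f) for f in BOUND)

def run_request(grant, req, store, now=None):
    """Return sanitized stdout, or None when the request is outside the grant."""
    now = time.time() if now is None else now
    if not allowed(grant, req, now):
        return None  # the credential is never resolved for a denied request
    secret = store[req.handle]
    env = {**os.environ, req.inject_env: secret}  # visible to this child only
    done = subprocess.run(req.command, cwd=req.cwd, env=env,
                          capture_output=True, text=True, timeout=30)
    return done.stdout.replace(secret, req.handle)

# Constructed sample data: a fake token and a child that prints its variable.
HANDLE = "s-gw:credential:demo-token"
STORE = {HANDLE: "tok_constructed_0123456789"}
CMD = (sys.executable, "-c", "import os; print('token=' + os.environ['API_TOKEN'])")
GRANT = Grant("codex", HANDLE, CMD, "API_TOKEN", os.getcwd(), time.time() + 300)

if __name__ == "__main__":
    ok = Request("codex", HANDLE, CMD, "API_TOKEN", GRANT.cwd)
    print(run_request(GRANT, ok, STORE))
    wrong_env = Request("codex", HANDLE, CMD, "PATH", GRANT.cwd)
    print(run_request(GRANT, wrong_env, STORE))
```

A request that differs from the grant in any bound field, or arrives after the window closes, is refused before the store is read.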
Platform Status
Platform | Status | Credential store | User interface |
macOS 14+ | Primary development platform | Keychain | Native app, menu helper, local web console |
Windows 10/11 | Preview | Credential Manager | PowerShell client, tray helper, local web console |
Linux | Experimental CLI | Environment-provided unlock material | Local web console |
Preview installers are available from GitHub Releases. The macOS DMG is ad-hoc signed and unnotarized, and the Windows package is unsigned preview software. Build the same artifacts locally with npm run build:installers.
Security Model
s-gw is designed to reduce accidental credential exposure to coding agents. It does not protect against a compromised operating system account, a malicious approved executable, screen capture, kernel-level access, or every transformed derivative of a secret.
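To make the "transformed derivative" limit concrete, here is an added sketch of value-based output scanning; it is not s-gw's scanner, and the set of encodings it checks is an assumption. It replaces the literal value and a few common encodings with the handle, and the constructed sample shows two derivatives (a digest, and the value embedded in a larger base64 payload) that such a scanner leaves untouched.

```python
import base64, hashlib, urllib.parse

def variants(secret):
    """Literal value plus common whole-value encodings (assumed set)."""
    raw = secret.encode()
    return {
        secret,
        base64.b64encode(raw).decode(),
        base64.urlsafe_b64encode(raw).decode(),
        raw.hex(),
        urllib.parse.quote(secret, safe=""),
    }

def sanitize(output, secrets):
    """secrets maps handle -> raw value; every known variant becomes the handle."""
    pairs = [(v, h) for h, s in secrets.items() for v in variants(s)]
    # Longest first, so a shorter variant never splits a longer match.
    for value, handle in sorted(pairs, key=lambda p: len(p[0]), reverse=True):
        output = output.replace(value, handle)
    return output

# Constructed sample output; the token is fake.
HANDLE = "s-gw:credential:demo-token"
SECRET = "tok_constructed/0123+456789"
SAMPLE = "\n".join([
    "API_TOKEN=" + SECRET,
    "b64: " + base64.b64encode(SECRET.encode()).decode(),
    "hex: " + SECRET.encode().hex(),
    "url: https://api.example.test/?t=" + urllib.parse.quote(SECRET, safe=""),
    # Derivatives a value-based scanner does not recognise:
    "sha256: " + hashlib.sha256(SECRET.encode()).hexdigest(),
    "basic: " + base64.b64encode(("user:" + SECRET).encode()).decode(),
])

if __name__ == "__main__":
    print(sanitize(SAMPLE, {HANDLE: SECRET}))
```

The last line of the sample is the shape of an HTTP Basic Authorization header, which verbose client output can print; because the prefix shifts the base64 alignment, the encoded secret is not a substring of it.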
Read the threat model before relying on s-gw for sensitive workflows. Report suspected vulnerabilities through GitHub private vulnerability reporting, not a public issue.
Project Status
Public source distribution is preview quality.
macOS is the primary development and test platform.
Windows Credential Manager support is present but still needs broader native QA.
Linux currently depends on environment-provided unlock material.
Desktop preview downloads are unsigned and intended for evaluation.
The repository is prepared for open-source collaboration, but security-sensitive changes should come with focused tests and threat-model updates when behavior changes.
Documentation
Contributing
Issues and focused pull requests are welcome. Start with CONTRIBUTING.md, and use SECURITY.md for anything that may expose credentials or bypass approval.
License
Apache-2.0. See LICENSE and NOTICE. Third-party names and artwork remain the property of their respective owners and are documented in TRADEMARKS.md and the third-party notices.