Secret Vault MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Secret Vault MCP ServerStore my GitHub token"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Secret Vault — MCP Server
AES-256-GCM encrypted local secret storage exposed as Claude Code MCP tools. The critical security property: secret values and the master key are captured via native OS dialogs and never pass through the LLM API.
Part of the secret-vault skill. This repo contains the standalone MCP server. The full skill (MCP server + CLI + docs) lives at wwt/ai-skills-catalog — skills/secret-vault.
Security Contract
What the LLM sees | What the LLM never sees |
Secret key names ( | Secret values |
Tags, created date, rotated date | The vault master key |
Operation results ( | Decrypted vault contents |
When you ask Claude to store a secret, it calls vault_set(name="github.token").
The MCP server opens a native macOS password dialog — you type the value there.
It goes directly from the dialog into the encrypted vault file, never through
the LLM API.
Related MCP server: claude-secrets
Installation
1. Clone and install dependencies
git clone https://github.com/sam-ueckert/vault-mcp.git ~/repos/vault-mcp
pip3 install -r ~/repos/vault-mcp/requirements.txt2. Register the server in ~/.claude.json
Add to the top-level mcpServers object:
{
"mcpServers": {
"secret-vault": {
"type": "stdio",
"command": "python3",
"args": ["/Users/YOUR_USERNAME/repos/vault-mcp/server.py"]
}
}
}3. Allow the tools in ~/.claude/settings.json
{
"permissions": {
"allow": [
"mcp__secret-vault__vault_status",
"mcp__secret-vault__vault_init",
"mcp__secret-vault__vault_rekey",
"mcp__secret-vault__vault_list",
"mcp__secret-vault__vault_set",
"mcp__secret-vault__vault_rotate",
"mcp__secret-vault__vault_delete",
"mcp__secret-vault__vault_exists",
"mcp__secret-vault__vault_get_metadata",
"mcp__secret-vault__vault_update_tags",
"mcp__secret-vault__vault_import"
]
}
}4. Restart Claude Code. The server spawns as a subprocess on first tool use.
Prerequisites
pip3 install cryptography mcpmcp 1.0+ is required. argon2-cffi is optional — if installed, passphrase KDF upgrades from PBKDF2 to Argon2id.
Installation
1. Register the server in ~/.claude.json
Open ~/.claude.json and add to the top-level mcpServers object:
{
"mcpServers": {
"secret-vault": {
"type": "stdio",
"command": "python3",
"args": ["/path/to/skills/secret-vault/mcp-server/server.py"]
}
}
}Replace /path/to/ with the actual path to your skills checkout, e.g.:
~/repos/claude-skills/skills/secret-vault/mcp-server/server.py2. Allow the tools in ~/.claude/settings.json
Add to the permissions.allow array:
"mcp__secret-vault__vault_status",
"mcp__secret-vault__vault_init",
"mcp__secret-vault__vault_list",
"mcp__secret-vault__vault_set",
"mcp__secret-vault__vault_rotate",
"mcp__secret-vault__vault_delete",
"mcp__secret-vault__vault_exists",
"mcp__secret-vault__vault_get_metadata",
"mcp__secret-vault__vault_update_tags",
"mcp__secret-vault__vault_rekey",
"mcp__secret-vault__vault_import"3. Restart Claude Code
The server spawns as a subprocess on first tool use. No daemon to start.
First-Run Behaviour
On macOS, the server auto-initializes the vault on first use:
Generates a random 256-bit key
Stores it in the macOS Keychain under
agent-secret-vaultCreates
~/.agent/vault/vault.enc
From that point on, all subsequent calls are silent — the Keychain handles key resolution without prompting.
To use a passphrase instead of the Keychain:
Ask Claude: "Initialize the vault with a passphrase"This calls vault_init(key_tier="passphrase") and prompts via native dialog.
Vault Storage
~/.agent/vault/
├── vault.enc # AES-256-GCM encrypted JSON — all secrets live here
├── .vault-meta # Key tier, salt (if passphrase), created date
└── audit.log # Append-only log: timestamps + key names, no valuesThe encryption format is identical to the CLI skill — both tools read and
write the same vault.enc file.
Tools Reference
vault_status
Check initialization state, key tier, and number of stored secrets.
Ask Claude: "What's my vault status?"
vault_init(key_tier, force?)
Initialize or re-initialize the vault.
| Behaviour |
| Random 256-bit key stored in OS Keychain (default on macOS) |
| Argon2id-derived key — prompts via native dialog |
| Reads |
Warning: Re-initializing creates a new empty vault, permanently destroying all stored secrets. The tool refuses if secrets exist unless
force=Trueis passed. Usevault_rekeyto rotate the master key while preserving secrets.
Ask Claude: "Initialize the vault" or "Initialize with a passphrase"
vault_rekey(new_key_tier)
Rotate the vault master key while preserving all stored secrets.
Decrypts with the current key, generates or derives a new key via native dialog (for passphrase), re-encrypts every secret under the new key, and updates the key tier. The new key never passes through the LLM.
| Behaviour |
| New random key stored in OS Keychain |
| New passphrase collected via native dialog |
| New key read from |
Ask Claude: "Rekey the vault" or "Rotate the vault master key to use a passphrase"
vault_list(tags?)
List all stored secret names, tags, and timestamps. Values are never shown.
Ask Claude: "List my secrets" or "List secrets tagged env:prod"
vault_set(name, tags?)
Store a new secret or overwrite an existing one.
The value is not a parameter — a native macOS password dialog opens and captures it directly. The LLM only receives the key name.
Ask Claude: "Store a secret called github.token" or "Save my AWS access key as aws.access_key_id tagged env:prod,service:aws"
vault_rotate(name)
Replace an existing secret's value. Same dialog-capture behaviour as vault_set.
Records a rotation timestamp.
Ask Claude: "Rotate my github.token"
vault_delete(name)
Permanently remove a secret.
Ask Claude: "Delete the secret github.token"
vault_exists(name)
Check whether a key exists without retrieving its value.
Ask Claude: "Does github.token exist in the vault?"
vault_get_metadata(name)
Return tags, created date, and last-rotated date for a secret. No value.
Ask Claude: "Show me the metadata for aws.access_key_id"
vault_update_tags(name, tags)
Replace all tags on a secret without touching its value.
Ask Claude: "Tag github.token with env:prod,service:github"
vault_import(file_path, tags?, keep?)
Import secrets from a file on disk. Supports .env (KEY=VALUE) and JSON ({"key": "value"}) formats.
Write the secrets to a file yourself, then call this tool — values go from
the file directly into the encrypted vault via the MCP server process, never
through the LLM API. The file is securely overwritten with random bytes and
deleted after import. Pass keep=True to preserve it.
Parameter | Default | Description |
| required | Absolute path to the .env or JSON file |
|
| Comma-separated tags applied to all imported secrets |
|
| Keep the file on disk after import |
Ask Claude: "Import secrets from /tmp/staging.env" or "Import /tmp/keys.json tagged env:prod"
Key Naming Convention
Use dot-separated namespaces for discoverability:
service.credential_type
aws.access_key_id
aws.secret_access_key
github.pat
github.token
azure.client_secret
slack.bot_token
anthropic.api_keyRelationship to the CLI Skill
This MCP server and the CLI script (vault.py in wwt/ai-skills-catalog) share the
same vault file (~/.agent/vault/vault.enc) and encryption format — both tools can
read and write the same vault.
Use case | Tool |
Asking Claude to manage secrets interactively | MCP server — values never hit LLM |
Bulk import from |
|
Scripting / CI pipelines | CLI |
Export for GitHub Actions / GitLab CI | CLI |
Warning:
vault.py get <key>prints the value to stdout. If captured as a Claude tool result, the secret is exposed to the LLM API. Use the MCP server for all interactive agent use.
Gotchas
Keychain prompt on first use: macOS may show a Keychain authorization dialog the first time a new session accesses
agent-secret-vault. Click "Always Allow" to suppress future prompts.Passphrase mode re-prompts every session: The master key is cached in the server process memory. When you open a new Claude Code session, the passphrase dialog appears on the first vault tool call.
No value retrieval tool by design: There is no
vault_get_valuetool. This is intentional — if you need a secret injected into a command, usevault.py get key --exportin a shell script outside of Claude.Binary secrets: Files with non-UTF-8 content (SSH keys, etc.) are stored as base64. The CLI skill handles these natively via file-based operations.
Vault location is fixed:
~/.agent/vault/— not configurable in this version.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sam-ueckert/vault-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server