GhostKey
Provides authenticated HTTP requests to GitHub's API using Bearer token authentication.
Provides persistent connections to Odoo's XML-RPC interface for executing methods.
Provides persistent database connections to PostgreSQL for executing queries.
Provides authenticated HTTP requests to Stripe's API using Bearer token authentication.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@GhostKeyuse my stripe credential to get recent charges"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
GhostKey
MCP-native credential vault — AI agents authenticate without holding secrets.
What is GhostKey?
GhostKey is an MCP server that manages credentials on behalf of AI agents.
Agents never see raw secrets — they call MCP tools like ghostkey_request or
ghostkey_connect, and GhostKey injects the right authentication transparently.
Zero secret exposure — agents authenticate without holding API keys, passwords, or tokens
7 auth patterns — bearer, basic, API key header, custom header, XML-RPC, OAuth2, query parameter
Persistent connections — managed PostgreSQL and XML-RPC/Odoo sessions
Works with any MCP client — Claude Code, Claude Desktop, Cursor, VS Code, Gemini CLI, and more
Related MCP server: clavis-mcp-server
Tiers
Feature | Local (Free) | Cloud Backup (Free) | Pro ($10/mo) | Enterprise |
Encrypted local vault | ✓ | ✓ | ✓ | ✓ |
MCP stdio transport | ✓ | ✓ | ✓ | ✓ |
Midnight cloud backup | — | ✓ | ✓ | ✓ |
HTTP relay (remote agents) | — | — | ✓ | ✓ |
Included ops/month | — | — | 5,000 | Unlimited |
Cardano NFT ownership | — | — | ✓ | ✓ |
Own wallet mode | — | — | ✓ | ✓ |
Self-hosted proof server | — | — | — | ✓ |
SSO / RBAC | — | — | — | ✓ |
Install
npm install -g ghostkeyOr run without installing:
npx ghostkeyQuick Start
# 1. Create a vault
ghostkey init
# 2. Register a credential
ghostkey register --id stripe --type bearer --base-url https://api.stripe.com
# 3. Configure your AI client
ghostkey setup
# 4. Agents use MCP tools — no secrets exposed
# ghostkey_request { credential_id: "stripe", method: "GET", url: "/v1/charges" }MCP Client Configuration
Add GhostKey to your MCP client config:
{
"mcpServers": {
"ghostkey": {
"command": "npx",
"args": ["-y", "ghostkey"]
}
}
}Config file locations:
Client | Config Path |
Claude Desktop |
|
Claude Code |
|
Cursor |
|
VS Code (Copilot) |
|
MCP Tools
Tool | Description |
| List stored credentials, optionally filtered by tag, scope, or description |
| System status or detailed credential info with expiry warnings |
| Authenticated HTTP request using a stored credential |
| Open a persistent connection (PostgreSQL or XML-RPC/Odoo) |
| Execute a query on an existing managed connection |
Auth Patterns
Type | Use Case |
| REST APIs with Bearer tokens (Stripe, GitHub, etc.) |
| HTTP Basic authentication (username:password) |
| APIs that use a custom header for the key (e.g., |
| Arbitrary header with a |
| XML-RPC services (Odoo |
| OAuth2 client credentials with automatic token refresh |
| Secret injected as a URL query parameter |
Security
GhostKey is designed with defense-in-depth:
Argon2id key derivation (password to 256-bit AES key)
AES-256-GCM authenticated encryption for all stored credentials
SSRF prevention — domain whitelisting per credential, private IP blocking
CRLF injection — rejected in all header values
Error sanitization — credentials never leak in error messages or MCP responses
Buffer zeroing — best-effort secret wipe on shutdown
File permissions — vault directory 700, credential file 600
Privacy
No telemetry — GhostKey collects zero usage data
No network calls — in local vault mode, nothing leaves your machine
No cloud dependency — works fully offline with local vault storage
Credentials never logged — secrets are excluded from all error messages, MCP responses, and debug output
Your vault, your data — vault files are standard AES-256-GCM encrypted files on your filesystem
CLI Reference
Command | Description |
| Create a new credential vault |
| Add a new credential to the vault |
| List credential metadata |
| Show vault health status |
| Update a credential secret |
| Deactivate a credential |
| Launch MCP server with stdio transport |
| Configure LLM clients to use GhostKey |
Supported Clients
GhostKey auto-detects and configures itself for these MCP clients:
Client | Auto-Setup | Transport |
Claude Desktop |
| stdio |
Claude Code |
| stdio |
Cursor |
| stdio |
VS Code (Copilot) |
| stdio |
Windsurf |
| stdio |
Gemini CLI | Manual | stdio |
Continue | Manual | stdio |
Custom | Manual | stdio/SSE |
License
MIT. Copyright (c) 2026 Loomworks Solutions LLC. See LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/woodwosj/GhostShell'
If you have feedback or need assistance with the MCP directory API, please join our Discord server