Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Agentic Vault

FreeNot checked

MCP server that lets AI agents call APIs without ever seeing the credentials, using a local encrypted vault and per-secret allowlist policies for HTTP requests

GitHubEmbed

About

MCP server that lets AI agents call APIs without ever seeing the credentials, using a local encrypted vault and per-secret allowlist policies for HTTP requests and subprocess environment variables.

README

MCP server that lets AI agents call APIs without ever seeing the credentials.

license: AGPL-3.0 commercial license available Node 20+

Secrets live in a local encrypted vault. The server substitutes them at call time into outbound HTTP requests or subprocess environment variables, under a per-secret allowlist policy. The model only ever sees secret names, never values.

Homepage: https://agenticvault.madhoob.dev


Why

Letting an AI agent make authenticated calls usually means giving it the raw API key. That breaks least-privilege, pollutes transcripts and logs, and means one jailbreak or prompt-injection is enough to exfiltrate the token.

Agentic Vault splits the two: the agent picks a secret by name and a destination; the vault checks the policy and injects the value. The plaintext never crosses the tool boundary.

Install

npm install -g secretproxy
secretproxy init                # creates the global vault, stores master password in the OS keychain
secretproxy add OPENROUTER_API_KEY sk-or-...
secretproxy policy set OPENROUTER_API_KEY --host openrouter.ai
secretproxy run                 # start the MCP server over stdio

Then point any MCP client (Claude Code, Cursor, Cline, Codex, Zed) at secretproxy run.

Tools exposed over MCP

Tool Purpose
list_secrets Enumerate available secret names (no values)
http_request Make an HTTP call with a secret injected into headers, query, or body
run_command Run a subprocess with secrets injected as env vars
scan_env_requirement Detect what env vars a project expects and match them to stored secrets

Features

  • Zero-plaintext injection — values substituted inside the vault, never in the model context
  • Per-secret policy — allow-lists for HTTP hosts, commands, env vars; deny by default; optional wildcards (strict mode rejects them)
  • AES-256-GCM vault with argon2id key derivation
  • Encrypted audit trail — every call logged with policy decision, surface, outcome
  • Scoped vaults — global defaults + per-project overrides
  • OS-native password storage — macOS Keychain, libsecret, Windows Credential Manager
  • Interactive TUI (secretproxy tui) and local-only web UI (secretproxy ui)
  • Rate limiting with token buckets
  • Zero telemetry — no outbound calls, local-only by design

Development

npm install
npm test            # 328 tests across 45 files
npm run build
npm run typecheck

Architecture primer: src/vault/ owns encryption, src/mcp/ owns the MCP tool surface, src/policy/ owns allowlist enforcement, src/audit/ owns the append-only log.

License

AGPL-3.0-or-later for open-source use — see LICENSE.

If your use case is incompatible with AGPL's network-copyleft clause (embedding in a proprietary product, offering as a managed service without source disclosure, etc.), a commercial license is available — see COMMERCIAL-LICENSE.md.

Contact: [email protected]

from github.com/AliProgrammin/agentic-vault

Install Agentic Vault in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install agentic-vault

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add agentic-vault -- npx -y github:AliProgrammin/agentic-vault

FAQ

Is Agentic Vault MCP free?

Yes, Agentic Vault MCP is free — one-click install via Unyly at no cost.

Does Agentic Vault need an API key?

No, Agentic Vault runs without API keys or environment variables.

Is Agentic Vault hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Agentic Vault in Claude Desktop, Claude Code or Cursor?

Open Agentic Vault on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Agentic Vault with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All ai MCPs