Server Vault
БесплатноНе проверенBitwarden/Vaultwarden for agents: list tagged items, TOTP codes, one-time Sends, save new secrets.
Описание
Bitwarden/Vaultwarden for agents: list tagged items, TOTP codes, one-time Sends, save new secrets.
README
Bitwarden / Vaultwarden MCP server — BYOK vault access for AI agents.
Exposes 6 tools over stdio. Secret values are never sent in plaintext through list_vault_items or get_vault_metadata — secrets are delivered only through Bitwarden Sends (E2E-encrypted one-time URLs).
Install
npx -y @aiwerk/mcp-server-vault
Configure
| Variable | Required | Default | Description |
|---|---|---|---|
VAULT_API_BASE |
✅ | — | Base URL of your Bitwarden/Vaultwarden instance (no trailing slash), e.g. https://pass.aiwerk.ch |
VAULT_CLIENT_ID |
✅ | — | Personal API key client_id (e.g. user.abc-def-1234) |
VAULT_CLIENT_SECRET |
✅ | — | Personal API key client_secret |
VAULT_MASTER_PASSWORD |
✅ | — | Vault master password (used for E2E decryption key derivation) |
VAULT_EXPOSED_COLLECTION |
— | mcp-exposed |
Name of the collection visible to agents |
VAULT_AGENT_CREATED_COLLECTION |
— | mcp-agent-created |
Name of the collection for agent-created secrets |
VAULT_API_TIMEOUT_MS |
— | 15000 |
HTTP timeout in milliseconds |
DRY_RUN |
— | 0 |
Set 1 to log write operations without executing them |
READ_ONLY |
— | 0 |
Set 1 to block all write operations (Send creation and save) |
Auth — Personal API Key
- Log in to your Bitwarden/Vaultwarden instance
- Go to Account Settings → Security → Keys → API Key
- Note the
client_idandclient_secret - Reference: https://bitwarden.com/help/personal-api-key/
Vault Setup
Before using this server, create two collections in your Vaultwarden organization:
mcp-exposed— items you want to expose to agents (your existing secrets: API keys, passwords, etc.)mcp-agent-created— items written by agents viasave_generated_secret
Add items to mcp-exposed via the Vaultwarden web UI.
Custom fields
Optionally add these custom fields to items in mcp-exposed for fine-grained control:
| Field | Type | Purpose |
|---|---|---|
mcp-scope |
text | Comma-separated glob list of tool/server names allowed to use this item (e.g. stripe.*,openai) |
mcp-chat-reveal-allowed |
text | "true" to allow chat delivery of the Send URL |
mcp-delivery-channel |
text | "chat" (default), "telegram", or "email" |
Tools
| Tool | Description |
|---|---|
list_vault_items |
List items from mcp-exposed and mcp-agent-created. Returns metadata only — no secret values. |
get_vault_metadata |
Get full metadata for a named item (name, type, username, URIs, custom fields, expiry). No password/secret. |
reveal_secret_via_send |
Reveal a secret via a Bitwarden Send (E2E-encrypted one-time URL with configurable TTL and max-views). |
get_totp_code |
Get the current TOTP code for a login item, including remaining seconds in the period. |
save_generated_secret |
Save an agent-generated secret (password / api-key) into mcp-agent-created as a secure note. CREATE-only — no overwrite. |
save_login_item |
Save sign-in credentials (username + password + optional URL + TOTP seed) into mcp-agent-created as a real login item. CREATE-only — no overwrite. |
health_check |
Check connectivity: auth status, API version, collection visibility, item counts, latency. |
Security model
- Opt-in exposure: only items in
mcp-exposedormcp-agent-createdare accessible; all other items returnitem_not_visible - Read-only existing items: no
update_*,delete_*, orchange_*tools exist - Secret value delivery via Send only:
list_vault_itemsandget_vault_metadatanever return passwords, TOTP seeds, or api-key values - E2E encryption preserved: the server decrypts vault data locally (master password stays in env vars, never sent over the wire)
- Constrained agent writes:
save_generated_secretandsave_login_itemare CREATE-only into the dedicatedmcp-agent-createdcollection
Note: Actual
{{vault:NAME}}placeholder resolution in tool call arguments happens in the AIWerk hosted bridge, not in this server. The bridge's resolution uses the same BYOC credentials. See the bridge-patch companion document for details.
License
MIT — AIWerk [email protected]
Homepage: https://aiwerkmcp.com
Установить Server Vault в Claude Desktop, Claude Code, Cursor
unyly install mcp-server-vaultСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add mcp-server-vault -- npx -y @aiwerk/mcp-server-vaultFAQ
Server Vault MCP бесплатный?
Да, Server Vault MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Server Vault?
Нет, Server Vault работает без API-ключей и переменных окружения.
Server Vault — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Server Vault в Claude Desktop, Claude Code или Cursor?
Открой Server Vault на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Server Vault with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
