Agent Secret Store DocsSign up
🔌 SDKs

MCP Server

Use Agent Secret Store directly from Claude Desktop, Cursor, OpenClaw, and any Model Context Protocol-compatible client.

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI models call external tools via a structured JSON-RPC protocol. Instead of writing integration code, you configure an MCP server once and any compatible AI client gains access to its tools.

Agent Secret Store's MCP server exposes vault operations as callable tools. Claude can call get_secret the same way it calls a web search or code execution tool — naturally, in conversation.

Endpoint

https://mcp.agentsecretstore.com/sse

Transport

SSE (Server-Sent Events)

Auth

Bearer token (ASS_AGENT_KEY)

Configuration

Claude Desktop

claude_desktop_config.json
// Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "agent-secret-store": {
      "type": "sse",
      "url": "https://mcp.agentsecretstore.com/sse",
      "headers": {
        "Authorization": "Bearer ass_live_your_key_here"
      }
    }
  }
}

Cursor

.cursor/mcp.json
// Cursor: .cursor/mcp.json (project) or ~/.cursor/mcp.json (global)
{
  "mcpServers": {
    "agent-secret-store": {
      "type": "sse",
      "url": "https://mcp.agentsecretstore.com/sse",
      "headers": {
        "Authorization": "Bearer ass_live_your_key_here"
      }
    }
  }
}

OpenClaw

config.yaml
# OpenClaw config.yaml
mcp_servers:
  - name: agent-secret-store
    transport: sse
    url: https://mcp.agentsecretstore.com/sse
    auth:
      type: bearer
      token: ${ASS_AGENT_KEY}  # reads from environment

Keep your agent key secure

Never commit your ASS_AGENT_KEY to source control. Store it as a system environment variable (export ASS_AGENT_KEY=... in your shell profile) and reference it via ${ASS_AGENT_KEY} in config files.

Available tools

ToolDescription
get_secretRetrieve a secret value by path
set_secretCreate or update a secret
list_secretsList secret metadata in a namespace
rotate_secretRotate a secret to a new value
request_approvalRequest a scoped token (may trigger approval)
check_approval_statusCheck the status of a pending approval

get_secret

JavaScript
// Tool: get_secret
// Retrieve a secret value by path.

// Input schema:
{
  "path": "production/openai/api-key",   // required: secret path
  "version": null,                        // optional: specific version (null = latest)
  "token": null                           // optional: scoped token (null = use agent key)
}

// Example agent conversation:
// User: "Get my OpenAI API key from the vault"
// Agent calls: get_secret({ path: "production/openai/api-key" })
// Response:
{
  "path": "production/openai/api-key",
  "value": "sk-proj-abc123...",
  "version": 1,
  "tier": "sensitive",
  "accessed_at": "2025-01-15T10:30:00Z"
}

set_secret

JavaScript
// Tool: set_secret
// Store a new secret or update an existing one.

// Input schema:
{
  "path": "production/openai/api-key",         // required
  "value": "sk-proj-newvalue...",              // required
  "tier": "sensitive",                          // optional: "standard"|"sensitive"|"critical"
  "description": "OpenAI production key",       // optional
  "tags": { "team": "ml", "env": "prod" }       // optional
}

// Response:
{
  "success": true,
  "path": "production/openai/api-key",
  "version": 2,
  "created_at": "2025-01-15T10:30:00Z"
}

list_secrets

JavaScript
// Tool: list_secrets
// List secrets in a namespace (values not returned for security).

// Input schema:
{
  "namespace": "production/openai",  // required: namespace prefix
  "limit": 50,                        // optional: 1-200 (default: 50)
  "cursor": null                      // optional: pagination cursor
}

// Response:
{
  "items": [
    {
      "path": "production/openai/api-key",
      "version": 1,
      "tier": "sensitive",
      "updated_at": "2025-01-15T10:00:00Z"
    }
  ],
  "total": 1,
  "next_cursor": null
}

rotate_secret

JavaScript
// Tool: rotate_secret
// Rotate a secret to a new value.

// Input schema:
{
  "path": "production/openai/api-key",    // required
  "new_value": "sk-proj-rotated...",      // required
  "grace_period_seconds": 300              // optional: old version overlap window
}

// Response:
{
  "success": true,
  "path": "production/openai/api-key",
  "old_version": 1,
  "new_version": 2,
  "old_expires_at": "2025-01-15T10:35:00Z"
}

request_approval

JavaScript
// Tool: request_approval
// Request a scoped token (may trigger approval flow).

// Input schema:
{
  "scope": "secrets:read:production/stripe/*",  // required
  "ttl_seconds": 3600,                           // optional (default: 3600)
  "description": "Payment batch run #4821",      // optional
  "max_uses": null                               // optional (null = unlimited)
}

// Response (auto-approved):
{
  "status": "approved",
  "token": "ast_tok_abc123...",
  "scope": "secrets:read:production/stripe/*",
  "expires_at": "2025-01-15T11:30:00Z"
}

// Response (pending approval):
{
  "status": "pending",
  "approval_request_id": "apr_01HQKM3N...",
  "message": "Approval required. Notified 2 approvers. Check dashboard.",
  "approve_url": "https://agentsecretstore.com/approvals/apr_01HQKM3N..."
}

check_approval_status

JavaScript
// Tool: check_approval_status
// Check whether a pending approval has been resolved.

// Input schema:
{
  "approval_request_id": "apr_01HQKM3N..."  // required
}

// Response:
{
  "status": "approved",    // "pending" | "approved" | "denied"
  "token": "ast_tok_...", // present if approved
  "approved_by": "will@onefrequency.ai",
  "approved_at": "2025-01-15T10:32:00Z",
  "comment": "Approved for payment batch"
}

Example agent conversation

This is what a complete approval-gated secret retrieval looks like when Claude uses the MCP tools:

conversation.js
// Example agent conversation using MCP tools
// (Claude Desktop with Agent Secret Store MCP configured)

// User: "Run the payment processing job. Get the Stripe key from the vault."

// Claude thinks: I need to get the Stripe API key from the vault.
// Claude calls: get_secret({ path: "production/stripe/api-key" })
// (Tier: critical → triggers approval workflow)

// Tool response:
// {
//   "status": "pending",
//   "approval_request_id": "apr_01HQKM3N...",
//   "message": "This secret requires 2 approvals. Notified approvers."
// }

// Claude responds to user:
// "I need approval to access the Stripe API key. I've sent a request to your approvers
// (approval ID: apr_01HQKM3N...). I'll check the status — you can also approve at:
// https://agentsecretstore.com/approvals/apr_01HQKM3N..."

// [User or approver approves in dashboard]

// Claude calls: check_approval_status({ approval_request_id: "apr_01HQKM3N..." })
// Tool response: { status: "approved", token: "ast_tok_xyz..." }

// Claude calls: get_secret({ path: "production/stripe/api-key", token: "ast_tok_xyz..." })
// Tool response: { value: "sk_live_...", version: 1 }

// Claude proceeds with payment processing using the retrieved key.

Zero-code integration

With MCP, you don't write any integration code. Just configure the server once and Claude handles all tool calls, approval flows, and error messages automatically in natural language.

OpenClaw Skill

Native skill integration for OpenClaw agents.

REST API

Build your own integration with raw HTTP.