MCP Server — Quick Start
Connect Agent Secret Store to Claude Desktop, Cursor, or any MCP-compatible AI client. Your AI assistant can read, write, and manage secrets directly.
Choose your integration path
npx (local)
RecommendedZero install — npx fetches the latest MCP server on each launch. Best for Claude Desktop and Cursor.
Remote SSE
CloudConnect directly to our hosted MCP endpoint over SSE. No local process needed.
Self-hosted
DockerRun the MCP server in your own infrastructure. Full control, air-gapped compatible.
- 1
Get your agent key
Log in to the dashboard and copy your agent API key from the Agents page. It starts with
ass_. - 2
Configure your MCP client
Choose the configuration for your client:
Claude Desktop — via npx (recommended)
Edit
~/Library/Application Support/Claude/claude_desktop_config.jsonclaude_desktop_config.json{ "mcpServers": { "agent-secret-store": { "command": "npx", "args": ["-y", "@agentsecretstore/mcp"], "env": { "ASS_AGENT_KEY": "ass_your_agent_key_here" } } } }Cursor — via npx
Edit
~/.cursor/mcp.json(or use Cursor Settings → MCP)~/.cursor/mcp.json{ "mcpServers": { "agent-secret-store": { "command": "npx", "args": ["-y", "@agentsecretstore/mcp"], "env": { "ASS_AGENT_KEY": "ass_your_agent_key_here" } } } }Remote SSE — hosted endpoint
JSON{ "mcpServers": { "agent-secret-store": { "transport": "sse", "url": "https://mcp.agentsecretstore.com/sse", "headers": { "x-agent-key": "ass_your_agent_key_here" } } } }Self-hosted — Docker
Shelldocker run -d \ --name ass-mcp \ -p 3001:3001 \ -e ASS_AGENT_KEY=ass_your_agent_key_here \ -e PORT=3001 \ ghcr.io/agentsecretstore/mcp-server:latest - 3
Restart your client
After saving the config, fully quit and reopen your AI client. The MCP server connection is established at launch. In Claude Desktop, you should see the Agent Secret Store tools listed in the tool panel.
- 4
Test the connection
Ask your AI assistant to list your secrets:
Text"List my Agent Secret Store secrets in the production namespace"If connected correctly, the assistant will call
list_secretsand show your vault contents.
Available MCP tools
The Agent Secret Store MCP server exposes these tools to connected AI clients:
get_secretRetrieve the value of a secret by path. Logged in audit trail.
set_secretCreate or update a secret. Supports tier, description, and tags.
list_secretsList all secrets in a namespace with metadata (no values).
list_namespacesList all available namespaces in the vault.
delete_secretReturn dashboard instructions because deletion requires human auth.
rotate_secretReturn dashboard instructions because rotation requires human auth.
request_tokenIssue a scoped, short-lived token for an agent or pipeline.
get_approval_statusCheck the status of a pending approval request.
Example conversations
Retrieve a secret
# Ask Claude:
"Get the value of my GEMINI_API_KEY secret from the production namespace"
# Claude calls get_secret with:
# namespace: "production/gemini"
# key: "GEMINI_API_KEY"
# Response:
# I retrieved your Gemini API key from the vault.
# Value: gemini-api-key-example (retrieved securely, not stored in this conversation)List secrets
# Ask Claude:
"List all my production secrets"
# Claude calls list_secrets with:
# namespace: "production"
# Response shows:
# production/gemini/GEMINI_API_KEY sensitive v3
# production/stripe/STRIPE_SECRET_KEY critical v1
# production/database/DATABASE_URL standard v2Store a new secret
# Ask Claude:
"Store this new API key: gemini-new-key-example as production/gemini/GEMINI_API_KEY with sensitive tier"
# Claude calls set_secret with:
# namespace: "production/gemini"
# key: "GEMINI_API_KEY"
# value: "gemini-new-key-example"
# secret_type: "api_key"
# access_tier: "sensitive"
# Response:
# ✓ Secret stored at production/gemini/GEMINI_API_KEY (version 4)Issue a scoped token
# Ask Claude:
"Issue a 1-hour read-only token for my inference agent scoped to production/gemini/*"
# Claude calls request_token with:
# scopes: ["secrets:read:production/gemini/*"]
# ttl: "1h"
# Response:
# Token issued: eyJhbGciOi...
# Scopes: secrets:read:production/gemini/*
# Expires: 2026-06-02T13:30:00ZScope your agent key
The agent key used in your MCP config has full vault access by default. For production AI clients, create a dedicated agent with only the scopes it needs — use the CLI or dashboard to create a scoped agent and use that key instead.