playbooks

home / mcp / secret mcp server

Secret MCP Server

Provides a local MCP server and desktop UI to manage secrets, enabling safe AI-assisted .env file creation without exposing secret values.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "akarenin-secret-mcp": {
      "command": "npx",
      "args": [
        "secret-mcp"
      ]
    }
  }
}

Secret MCP provides a desktop app to manage secrets locally and an MCP server that lets AI coding assistants write and read environment files without ever exposing secret values. This setup keeps your credentials secure while streamlining the process of integrating secrets into your codebase.

How to use

You use Secret MCP by running the local MCP server alongside the desktop app. Secrets are stored on your machine and are only exposed to helper tools when you explicitly request an operation. Two MCP tools are exposed to AI assistants: search_secrets for locating secret names and descriptions, and write_env for safely exporting selected secrets to a .env file. When coding with AI, the assistant will query for secret names or write values directly to your .env file without seeing the secret values themselves.

How to install

Prerequisites: you need Node.js and npm installed on your computer.

# Install and build the desktop app (Tauri-based)
npm install
npm run tauri build
```

```
# MCP client configuration snippet to enable the secret MCP server
# Use this in your MCP client config
{
  "secret-mcp": {
    "command": "npx",
    "args": ["secret-mcp"]
  }
}

Additional notes

  • Secrets are stored locally on your machine using SQLite, with platform-specific paths.
  • The MCP server exposes two tools to AI assistants: search_secrets and write_env. Values are never exposed to the AI when using search_secrets, and final .env writes go directly from your local store to disk.
  • The .env files are created with restrictive permissions (600) to ensure only you can read them.
  • There is no build requirement for the MCP client; you can run the server and client independently on your workstation.

Data storage and security

All secrets are kept on your local device. Secret values never leave your machine except when explicitly written to a .env file you specify. The MCP server only returns secret names and descriptions to the AI. When writing a .env file, the operation writes values directly from your local store to the file and does not pass them through the AI.

What you get and how it helps

With Secret MCP you can quickly locate which secrets exist by name or description, and then safely export the exact keys you need into your project’s .env file. This reduces the risk of leaking secrets to AI tools while maintaining a smooth development workflow.

Available tools

search_secrets

Find secrets by name or description; returns names and descriptions only, never exposing values.

write_env

Write selected secrets to a .env file directly from the local store, ensuring values are not sent to the AI.