@akeyless-community/devin-connector
v0.1.0
Published
Akeyless Agentic Runtime Authority MCP connector for Devin Desktop (Windsurf) — SDK-based, no CLI required
Maintainers
Readme
Akeyless Connector for Devin Desktop
An SDK-based MCP connector that brings Akeyless Agentic Runtime Authority (ARA) to Devin Desktop (formerly Windsurf) — without installing the Akeyless CLI.
Cascade orchestrates. Akeyless holds the credentials. Secret values never enter the model context.
Install
One-click (after marketplace listing)
Open in Devin Desktop:
windsurf://windsurf-mcp-registry?serverName=akeyless-rtaOr: Cascade panel → MCPs icon → Marketplace → search "Akeyless" → Install
Configure your Gateway URL and credentials when prompted, then refresh MCP servers.
npm / npx (manual config)
Published on npm as @akeyless-community/devin-connector:
npm install -g @akeyless-community/devin-connectorOr use npx without a global install — see MCP configuration below.
Install script
# Pre-publish local testing (uses dist/index.js on this machine)
./scripts/install-devin-mcp.sh --local
# After npm publish
./scripts/install-devin-mcp.shMerges the template into ~/.codeium/windsurf/mcp_config.json.
Validate your config:
./scripts/validate-mcp-config.shHow to use it (after install)
- Add or enable the MCP server in Devin Desktop (marketplace or config below).
- Set
AKEYLESS_*env vars inmcp_config.jsonor your shell. - Refresh MCP in Cascade (MCPs icon → Refresh).
- Ask Cascade in natural language. The agent calls the connector tools automatically.
Example prompts:
"List my Akeyless ARA secrets."
"Run
SELECT count(*) FROM customersagainst/prod/db/postgres-readonly."
"Use service-execute on
/prod/aws/devopsto list S3 buckets."
What happens under the hood
| Step | Tool | What you see |
|---|---|---|
| 1 | list-secrets | Secret paths and target types (no credentials) |
| 2 | query-db or service-execute | Query/action results only |
| 3 | ARA audit | Session recorded in Akeyless with your Agent ID |
Cascade may ask you to approve tool calls before they run — that is expected for infrastructure access.
First-time SAML/OIDC login
If you configured saml or oidc as the authentication method, the first tool call opens your browser for login. Complete the IdP sign-in, then return to Devin Desktop — subsequent calls reuse the cached session until it expires.
Universal Identity
Set AKEYLESS_ACCESS_TYPE=universal_identity and point AKEYLESS_UID_TOKEN_FILE at the auto-rotated token path (default: ~/.akeyless/uid_rotator/uid-token).
Why this exists
Devin Desktop natively supports MCP, but connecting to Akeyless ARA still requires knowing the right mcp_config.json shape and auth env vars. The CLI-based akeyless mcp-runtime-authority path also requires installing and maintaining the Akeyless CLI.
This connector uses the official Akeyless Node.js SDK (akeyless npm package) and ships as a stdio MCP server for one-click marketplace install or manual configuration.
Architecture
sequenceDiagram
participant User as User
participant Cascade as Cascade Agent
participant MCP as akeyless-devin-mcp
participant API as Akeyless API
participant GW as Akeyless Gateway
participant Target as Database / Cloud
User->>Cascade: "Query prod postgres for user count"
Cascade->>MCP: list-secrets
MCP->>API: list-items via gw:8000/api/v2
API-->>MCP: secret paths + target types
MCP-->>Cascade: /prod/db/postgres-ro
Cascade->>MCP: query-db
MCP->>GW: POST gw:8000/config/target_query
GW->>Target: execute with JIT credentials
Target-->>GW: query results
GW-->>MCP: JSON results (no credentials)
MCP-->>Cascade: { count: 42 }MCP tools
| Tool | Purpose |
|---|---|
| list-secrets | List ARA-enabled dynamic, rotated, and custom-MCP secrets your role can access |
| query-db | Run database queries (MySQL, PostgreSQL, MongoDB, Redis, etc.) |
| service-execute | Run AWS, GCP, Azure, Kubernetes, GitHub, or custom MCP actions |
| list-sub-tools | Optional: discover a service secret's sub-tool names/parameters before calling service-execute |
These match the tools exposed by akeyless mcp-runtime-authority, but run through the SDK instead of the CLI.
MCP configuration
Global config path:
| OS | Path |
|---|---|
| macOS / Linux | ~/.codeium/windsurf/mcp_config.json |
| Windows | %USERPROFILE%\.codeium\windsurf\mcp_config.json |
Add to mcp_config.json:
{
"mcpServers": {
"akeyless-rta": {
"command": "npx",
"args": ["-y", "@akeyless-community/devin-connector"],
"env": {
"AKEYLESS_GATEWAY_URL": "${env:AKEYLESS_GATEWAY_URL}",
"AKEYLESS_ACCESS_TYPE": "access_key",
"AKEYLESS_ACCESS_ID": "${env:AKEYLESS_ACCESS_ID}",
"AKEYLESS_ACCESS_KEY": "${env:AKEYLESS_ACCESS_KEY}",
"AKEYLESS_AGENT_ID": "devin-desktop"
}
}
}
}See examples/mcp_config.json for a copy-paste template.
Devin Desktop supports ${env:VAR} interpolation in env fields — keep secrets in your shell or a .env file, not hardcoded in the config.
CLI alternative
devin mcp add akeyless-rta -- npx -y @akeyless-community/devin-connectorTroubleshooting
MCP server does not appear in Devin
Validate JSON — one typo makes Devin ignore the whole file:
./scripts/validate-mcp-config.shCommon mistake:
""https://...(double quote before the URL).Check Devin logs:
~/Library/Application Support/Devin/logs/*/window*/exthost/codeium.windsurf/Devin.logPre-publish testing — use local install (npm package not published yet):
npm run build ./scripts/install-devin-mcp.sh --localRefresh MCP — Cascade panel → MCPs icon → Refresh.
Where in UI — look for MCP server
akeyless-rtain the Cascade MCP panel (MCPs icon). Devin’s settings UI varies by version; if you do not see a Tools list, the server can still work when configured correctly.macOS PATH — GUI apps may not find
npx. Use absolutenode+dist/index.jspaths (seemcp_config.local.json).
Marketplace submission
To get a one-click install in the default Devin Desktop MCP Marketplace:
- Publish
@akeyless-community/devin-connectorto npm - Publish
server.jsonto the official MCP Registry - Submit listing request using docs/MARKETPLACE.md and docs/SUBMISSION.md
Target server ID: akeyless-rta
Install deeplink: windsurf://windsurf-mcp-registry?serverName=akeyless-rta
Development
Requirements
- Node.js >= 18
- Devin Desktop with MCP support (for end-to-end testing)
Build and test
npm ci
npm run build
npm test
npm startLocal MCP override (before npm publish)
{
"mcpServers": {
"akeyless-rta": {
"command": "node",
"args": ["/absolute/path/to/devin-akeyless-connector/dist/index.js"],
"env": { "...": "..." }
}
}
}Comparison with CLI-based setup
| | CLI (mcp-runtime-authority) | This connector |
|---|---|---|
| Runtime | Akeyless CLI binary | Node.js + akeyless SDK |
| Auth | CLI profile (--profile) | Env vars in mcp_config.json |
| Gateway config | --gateway-url (ARA port) | Single AKEYLESS_GATEWAY_URL (derives /api/v2 + config port) |
| Install | Install CLI + configure profile | npx or marketplace one-click |
| Tools | list-secrets, query-db, service-execute, list-sub-tools | Same four tools |
Related projects
claude-akeyless-connector— SDK-based MCP for Claude Desktop (.mcpbextension)cursor-akeyless-connector— SDK-based MCP for Cursor (plugin marketplace)codex-akeyless-integration— SDK-based MCP for OpenAI Codex
License
MIT — see LICENSE.
Privacy Policy
This connector runs locally on your machine as a stdio MCP server. It does not send conversation content to Akeyless.
What the connector accesses
- Your configured Akeyless Gateway for authentication, secret listing, and ARA execution
- Environment variables you provide for auth (
AKEYLESS_ACCESS_ID,AKEYLESS_ACCESS_KEY, etc.)
What leaves your machine
- API calls to your Akeyless Gateway only (auth, list-items, target_query, service execution)
- Query and action results returned to Cascade (never raw secret values from the vault)
What is not collected
- No telemetry or analytics from this connector
- No conversation logs sent to Akeyless
- Secret values are resolved server-side by the Gateway and are not included in MCP tool responses
For Akeyless platform privacy terms, see https://www.akeyless.io/privacy-policy/
