@keywaysh/mcp

v1.0.0

Published

MCP server for Keyway secrets management - let AI manage your secrets securely

Readme

Keyway MCP Server

Let AI manage your secrets securely


Keyway is a GitHub-native secrets manager. This MCP server lets AI assistants like Claude securely access your secrets without ever exposing them in conversation.

Installation · Tools · Security · Development


Why Keyway MCP?

Traditional secret management with AI is risky: copying secrets into chat exposes them in logs and context. Keyway MCP solves this:

| Without Keyway | With Keyway MCP |
|----------------|-----------------|
| Copy secrets into chat | Secrets stay in vault |
| Visible in conversation history | Never exposed to AI |
| Manual secret creation | Generate securely, never exposed |
| Hope AI doesn't leak them | Cryptographically protected |

Key features:

  • Zero exposure — Generate, validate, and use secrets without the AI ever seeing them
  • Pre-deployment validation — Check all required secrets exist before shipping
  • Secret scanning — Detect leaked credentials in your codebase
  • Environment diffing — Compare secrets across dev/staging/prod

Quick Install

Prerequisites

First, authenticate with Keyway CLI:

npx @keywaysh/cli login

Claude Code

claude mcp add keyway -- npx @keywaysh/mcp

VS Code / Cursor

code --add-mcp '{"name":"keyway","command":"npx","args":["-y","@keywaysh/mcp"]}'

Or click: Install in VS Code

Other IDEs

Add to your MCP config:

{
  "mcpServers": {
    "keyway": {
      "command": "npx",
      "args": ["-y", "@keywaysh/mcp"]
    }
  }
}

Settings → AI → Manage MCP Servers → Add:

{
  "mcpServers": {
    "keyway": {
      "command": "npx",
      "args": ["-y", "@keywaysh/mcp"]
    }
  }
}

/mcp add

Then enter npx -y @keywaysh/mcp when prompted.

Advanced settings → Extensions → Add custom extension

Select STDIO type, command: npx -y @keywaysh/mcp


Available Tools

keyway_generate

Generate secure secrets and store them directly in the vault. The value is never exposed to the AI.

"Generate a new JWT secret for production"
{
  "name": "JWT_SECRET",
  "type": "jwt-secret",
  "environment": "production"
}

Types: password | uuid | api-key | jwt-secret | hex | base64

Response:

{
  "success": true,
  "action": "created",
  "name": "JWT_SECRET",
  "type": "jwt-secret",
  "length": 43,
  "preview": "eyJh**********************************MDkz",
  "message": "Secret created. The actual value was never exposed in this conversation."
}

keyway_validate

Validate required secrets exist before deployment. Supports auto-detection from code.

"Check if production has all required secrets"
{
  "environment": "production",
  "required": ["DATABASE_URL", "STRIPE_SECRET_KEY", "JWT_SECRET"]
}

Or auto-detect from your codebase:

{
  "environment": "production",
  "autoDetect": true
}

Response:

{
  "valid": false,
  "missing": ["STRIPE_SECRET_KEY"],
  "present": ["DATABASE_URL", "JWT_SECRET"],
  "stats": {
    "requiredCount": 3,
    "presentCount": 2,
    "coverage": "66.7%"
  },
  "message": "✗ Missing 1 required secret in production: STRIPE_SECRET_KEY"
}

keyway_scan

Scan your codebase for leaked secrets. Detects 18+ secret types.

"Scan the codebase for leaked credentials"
{
  "path": "./src"
}

Detects: AWS keys, GitHub tokens, Stripe keys, Slack webhooks, private keys, and more.

Response:

{
  "filesScanned": 142,
  "findingsCount": 2,
  "findings": [
    {
      "file": "src/config.ts",
      "line": 23,
      "type": "GitHub PAT",
      "preview": "ghp_********************************xyz"
    }
  ]
}
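
How a scan can report findings in the shape shown above without ever returning the matched value, as an added example that is not Keyway's scanner: the three rules, `scanText`, `maskPreview` and the preview format are assumptions, and every token-like string is constructed.

```javascript
// Added illustration, not Keyway's scanner. RULES, scanText and maskPreview
// are hypothetical names; all token-like strings below are constructed.
const RULES = [
  { type: 'GitHub PAT', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: 'AWS Access Key ID', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { type: 'Private Key', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Keep the first 4 and last 3 characters and star out the rest (assumed
// format). Short values are masked completely so nothing useful leaks.
function maskPreview(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 7) + value.slice(-3);
}

// Scan one file's text. Each finding carries file, 1-based line number,
// rule type and a masked preview; the raw match is never stored.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const { type, re } of RULES) {
      for (const m of lineText.matchAll(re)) {
        findings.push({ file, line: i + 1, type, preview: maskPreview(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample file: one PAT-shaped string, one key-id-shaped string,
// and one string that shares the prefix but is too short to match.
const SAMPLE = [
  'export const apiBase = "https://api.example.com";',
  'const token = "' + 'ghp_' + 'a1B2'.repeat(9) + '";',
  '// key id: ' + 'AKIA' + 'EXAMPLE0'.repeat(2),
  'const notASecret = "ghp_short";',
].join('\n');

function demoScan() {
  return scanText('src/config.ts', SAMPLE);
}

console.log(demoScan());
```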

keyway_diff

Compare secrets between environments.

"What's different between staging and production?"
{
  "env1": "staging",
  "env2": "production"
}

Response:

{
  "onlyInEnv1": ["DEBUG_MODE"],
  "onlyInEnv2": ["REDIS_CLUSTER_URL"],
  "different": [
    {
      "key": "DATABASE_URL",
      "preview1": "**st (45 chars)",
      "preview2": "**db (52 chars)"
    }
  ],
  "same": ["API_KEY", "JWT_SECRET"],
  "stats": {
    "totalEnv1": 10,
    "totalEnv2": 11,
    "different": 1
  }
}

keyway_inject_run

Run commands with secrets injected as environment variables.

"Run the test suite with production secrets"
{
  "command": "npm",
  "args": ["test"],
  "environment": "production"
}

Secrets are injected into the command's environment and masked in any output.
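
A sketch of that pattern in Node.js, added here as an illustration and not taken from Keyway's source: `runWithSecrets` and `maskSecrets` are hypothetical names and the secret value is constructed. It combines environment injection, `shell: false` and output masking.

```javascript
// Added illustration, not Keyway's implementation. runWithSecrets and
// maskSecrets are hypothetical names; the secret below is constructed.
const { spawnSync } = require('child_process');

// Replace every literal occurrence of each secret value with a marker.
// Longest values first, so a secret that contains another is masked whole.
// Only the literal value is caught: a child that prints the secret encoded
// (base64, hex, reversed) is not masked by this approach.
function maskSecrets(text, secrets) {
  const values = Object.values(secrets)
    .filter((v) => typeof v === 'string' && v.length > 0)
    .sort((a, b) => b.length - a.length);
  let out = text;
  for (const v of values) out = out.split(v).join('[REDACTED]');
  return out;
}

// Run a command with secrets in its environment. With shell: false the args
// reach the program as an argv array and are never parsed by a shell.
function runWithSecrets(command, args, secrets) {
  const res = spawnSync(command, args, {
    shell: false,
    env: { ...process.env, ...secrets },
    encoding: 'utf8',
  });
  if (res.error) throw res.error;
  // Mask the complete buffers: masking a stream chunk by chunk can miss a
  // value that happens to be split across two chunks.
  return {
    status: res.status,
    stdout: maskSecrets(res.stdout, secrets),
    stderr: maskSecrets(res.stderr, secrets),
  };
}

// Constructed demo: the child prints the secret on both streams, plus an
// argument that would be a command substitution if a shell parsed it.
function demo() {
  const secrets = { JWT_SECRET: 'constructed-secret-value-123' };
  const script =
    'console.log(process.env.JWT_SECRET);' +
    'console.error("err " + process.env.JWT_SECRET);' +
    'console.log(process.argv[1]);';
  return runWithSecrets(process.execPath, ['-e', script, '$(echo injected); id'], secrets);
}

console.log(demo());
```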


keyway_list_secrets

List secret names (not values) in an environment.

{
  "environment": "production"
}

keyway_set_secret

Create or update a secret manually.

{
  "name": "WEBHOOK_URL",
  "value": "https://hooks.example.com/abc123",
  "environment": "production"
}

keyway_list_environments

List available environments for the repository.


Security

Keyway MCP is designed with security as the primary concern:

| Feature | How it works |
|---------|--------------|
| Token encryption | Uses AES-256-GCM, same as Keyway CLI |
| No secret logging | Values never appear in logs or output |
| Output masking | inject_run redacts secrets from stdout/stderr |
| Shell injection prevention | Commands run with shell: false |
| File permissions | Validates ~/.keyway/.key is 0600 |
| Generate, don't expose | keyway_generate creates secrets without revealing them |

What the AI can see

| Tool | AI sees value? |
|------|----------------|
| keyway_generate | No — only masked preview |
| keyway_validate | No — only key names |
| keyway_scan | No — only masked previews |
| keyway_diff | No — only masked previews |
| keyway_inject_run | No — values masked in output |
| keyway_list_secrets | No — only key names |
| keyway_set_secret | Yes — value provided by user |


Development

# Install dependencies
pnpm install

# Run in development
pnpm dev

# Build
pnpm build

# Run tests
pnpm test

# Lint & format
pnpm lint
pnpm format

Environment Variables

| Variable | Description |
|----------|-------------|
| KEYWAY_API_URL | Override API URL (default: https://api.keyway.sh) |


License

MIT — see LICENSE


keyway.sh · Built for developers who care about security