@meowlabs/meowpass-mcp

MCP server for MeowPass — E2E encrypted secret management for developers. 14 tools with multi-environment support. Use with Claude Code, Cursor, Windsurf, or any MCP-compatible AI agent.

Quick Start

1. Install the CLI and log in

brew install meowrithm/tap/meowpass
mp login

mp is a shorthand for meowpass. Both work.

2. Generate an API key

mp apikey create my-mcp-key

Copy the mp_... key — it's shown only once.

3. Configure your agent

Claude Code (one-liner):

claude mcp add meowpass -e MEOWPASS_API_KEY=mp_your_key -- npx -y @meowlabs/meowpass-mcp

Claude Code / Cursor / Windsurf (manual config):

{
  "mcpServers": {
    "meowpass": {
      "command": "npx",
      "args": ["-y", "@meowlabs/meowpass-mcp"],
      "env": {
        "MEOWPASS_API_KEY": "mp_your_api_key_here"
      }
    }
  }
}

Config file locations:

• Claude Code: ~/.claude/settings.json
• Cursor: .cursor/mcp.json
• Windsurf: .windsurf/mcp.json

4. Verify

> list my meowpass vaults
> show secrets in vault abc123
> is my .env in sync with the vault?

Available Tools (14)

| Tool | Description | Env support | |------|-------------|-------------| | meowpass_whoami | Current user, email, plan | — | | meowpass_list_vaults | List all vaults | — | | meowpass_list_secrets | List keys (names, envs, versions — no values) | env optional | | meowpass_get_secret | Fetch encrypted secret | env optional | | meowpass_set_secret | Create or update a secret | env optional | | meowpass_delete_secret | Remove a secret | env optional | | meowpass_create_vault | Create a new vault | — | | meowpass_delete_vault | Delete vault and all secrets | — | | meowpass_pull | Pull secrets (filter by env) | env optional | | meowpass_decrypt | Decrypt with master password | — | | meowpass_diff | Compare local .env with vault | env optional | | meowpass_init | Scan .env files + detect .meowpass.yaml | — | | meowpass_run | Run command with injected secrets | env optional | | meowpass_run_redacted | Run — scrubs secrets from output | env optional |

Multi-Environment Support (v0.3.0)

MeowPass supports multiple .env files per project. Each file maps to an environment:

• .env → env: default
• .env.local → env: local
• .env.production → env: production

Pass the env parameter to any tool that supports it:

> list secrets in vault abc123 for the local environment
> pull production secrets from vault abc123
> is my .env.local in sync with the vault?

Redacted Mode

meowpass_run_redacted injects secrets into a subprocess but scrubs all secret values from the output before returning to the LLM. The AI orchestrates the action without seeing any secret values.

> deploy with production secrets (redacted)
→ { secrets_injected: 12, exit_code: 0, values_exposed: false }

Example Conversations

Drift detection:

"Is my .env up to date?" → Claude calls meowpass_diff → "Your .env is missing 2 keys: REDIS_URL, NEW_FLAG"

Multi-env pull:

"Pull the local secrets for this project" → Claude calls meowpass_pull({ vault_id, env: "local" })

Safe deployment:

"Deploy with production secrets" → Claude calls meowpass_run_redacted({ vault_id, env: "production", command: "npm run deploy" })

Project scan:

"Does this project use MeowPass?" → Claude calls meowpass_init → checks for .meowpass.yaml

Managing API Keys

mp apikey create my-key       # Create new key
mp apikey list                # List active keys
mp apikey revoke <id>         # Revoke a key

Security

• API key authenticates requests — never commit it to repos
• Secrets are E2E encrypted — server returns encrypted values by default
• meowpass_decrypt requires master password per-call (never stored)
• meowpass_run_redacted scrubs all secret values from output
• Every MCP access is logged in the audit trail

Links

• Website: meowpass.dev
• Docs: meowpass.dev/docs
• AI Integration Docs: meowpass.dev/docs/ai
• CLI: brew install meowrithm/tap/meowpass
• Node.js SDK: @meowlabs/meowpass
• GitHub: github.com/meowrithm
• Discord: discord.gg/GTZcZKRQu7