npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

secure-vault-mcp

v0.1.1

Published

MCP server for agent-native secrets management — store, rotate, and inject secrets without agents seeing raw values

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

md.fiftymd.fifty

Keywords

mcpmcp-serversecrets-managementvaultapi-keystoken-brokeragent-securitycredential-rotationleak-detectionmodel-context-protocol

Readme

secure-vault-mcp

MCP server for agent-native secrets management. 24,008 secrets have been found in MCP config files on public GitHub. This server solves that.

Agents need secrets to call APIs, but they shouldn't see raw values. secure-vault-mcp stores secrets encrypted with AES-256-GCM, issues short-lived scoped tokens, and injects secrets into requests server-side so the agent never handles plaintext credentials.

Install

npx secure-vault-mcp

Claude Desktop

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "secure-vault": {
      "command": "npx",
      "args": ["secure-vault-mcp"]
    }
  }
}

From source

git clone https://github.com/mdfifty50-boop/secure-vault-mcp.git
cd secure-vault-mcp
npm install
node src/index.js

Tools

store_secret

Store an encrypted secret with optional rotation policy.

| Param | Type | Default | Description | |-------|------|---------|-------------| | name | string | required | Secret name (e.g. "openai_api_key") | | value | string | required | Secret value — encrypted immediately | | service | string | "default" | Service this secret belongs to | | rotation_policy | string | "none" | "none", "daily", "weekly", "monthly" |

get_agent_token

Issue a short-lived, scoped token. The agent receives an opaque token ID, never the raw secret.

| Param | Type | Default | Description | |-------|------|---------|-------------| | agent_id | string | required | Requesting agent identifier | | service | string | required | Service to get a token for | | scope | string | "read" | "read", "write", "admin" | | ttl_seconds | number | 300 | Token TTL (10s to 86400s) |

rotate_secrets

Rotate all secrets for a service. Old tokens are invalidated.

| Param | Type | Description | |-------|------|-------------| | service | string | Service whose secrets to rotate | | new_value | string | New secret value |

audit_secret_access

View who accessed what secrets over a time range.

| Param | Type | Default | Description | |-------|------|---------|-------------| | time_range | string | "24h" | "1h", "6h", "24h", "7d", "all" | | agent_id | string | optional | Filter by agent | | secret_name | string | optional | Filter by secret |

scan_config_for_leaks

Scan config text for exposed secrets. Detects AWS keys, GitHub tokens, OpenAI/Anthropic keys, Slack tokens, Stripe keys, private key blocks, bearer tokens, and generic credentials using 12 regex patterns.

| Param | Type | Default | Description | |-------|------|---------|-------------| | config_text | string | required | Config content to scan | | source_label | string | "unknown" | Label for audit trail |

inject_secret_to_request

Return a request with the secret injected server-side. The agent provides a template with {{SECRET}} placeholder and a valid token ID.

| Param | Type | Description | |-------|------|-------------| | token_id | string | Token from get_agent_token | | request_template | string | Template with {{SECRET}} placeholder |

Resources

| URI | Description | |-----|-------------| | secure-vault://secrets | All stored secret names with metadata (no raw values) |

Usage Pattern

1. store_secret — store credentials at setup time
2. get_agent_token — agent requests a scoped, time-limited token
3. inject_secret_to_request — inject secret into API call template
4. rotate_secrets — rotate when needed, old tokens auto-invalidate
5. scan_config_for_leaks — check config files before committing
6. audit_secret_access — review access trail

Security Model

  • Secrets encrypted at rest with AES-256-GCM using a server-generated key
  • Agents receive opaque token IDs, never raw secret values
  • Tokens are scoped (read/write/admin) and time-limited (default 5 minutes)
  • Token rotation invalidates all outstanding tokens for the rotated secret
  • Full audit trail of every store, token issuance, and injection
  • In-memory storage — secrets exist only for the server session lifetime

Tests

npm test

License

MIT