If you're tired of hardcoding API keys in MCP configs or passing them through Claude as plaintext, this server gives agents a token-based secrets flow. Store credentials encrypted with AES-256-GCM, then issue short-lived scoped tokens that agents exchange for injected requests. The agent never sees the raw secret. You get store_secret, get_agent_token, inject_secret_to_request for the core workflow, plus rotate_secrets to invalidate old tokens, audit_secret_access for a full access trail, and scan_config_for_leaks to catch AWS keys, GitHub tokens, and other credentials before they hit version control. Secrets live in memory for the session. Useful when you're building multi-agent systems that need to call external APIs without leaking credentials in logs or prompts.
claude mcp add --transport stdio io.github.mdfifty50-boop-secure-vault -- npx -y secure-vault-mcp