keyper
Encrypts and stores API keys and environment variables locally, providing them to AI agents via MCP with tools for listing, describing, getting secrets, and running commands with secret values redacted.
README
<div align="center">
<img src="assets/hero.png" alt="keyper — an encrypted local secrets vault that serves your API keys to your AI over MCP" width="820">
██╗ ██╗███████╗██╗ ██╗██████╗ ███████╗██████╗
██║ ██╔╝██╔════╝╚██╗ ██╔╝██╔══██╗██╔════╝██╔══██╗
█████╔╝ █████╗ ╚████╔╝ ██████╔╝█████╗ ██████╔╝
██╔═██╗ ██╔══╝ ╚██╔╝ ██╔═══╝ ██╔══╝ ██╔══██╗
██║ ██╗███████╗ ██║ ██║ ███████╗██║ ██║
╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
your keys, kept — encrypted, local, MCP-native
Stop pasting sk-... into your AI. keyper keeps your API keys and env vars
encrypted at rest on your own machine and hands them to your AI agent on demand
over the Model Context Protocol.
</div>
Why
Every time you paste an API key into a chat, it lands in a transcript, maybe a log, maybe a
training set. keyper breaks that habit. Your secrets live in one AES-256-GCM–encrypted file
that only unlocks with your OS keychain or a passphrase. Your AI asks keyper for what it
needs — and for the common case (calling an API, running a deploy) the value never even
enters the conversation.
- 🔐 Encrypted at rest — AES-256-GCM, per-secret nonce, secret-name bound as AAD.
- 🗝️ Unlocks your way — OS keychain (silent) or a scrypt-derived passphrase.
- 🤖 MCP-native — works with Claude Desktop, Claude Code, Cowork, or any MCP client.
- 🧾 Redacted execution —
run_with_secretsuses a key without ever showing it. - 🖥️ Local web UI — add and name keys with a click; nothing leaves
127.0.0.1. - 📄 One auditable file — ~800 lines of Python, two real dependencies.
Quickstart
git clone https://github.com/sharziki/keyper
cd keyper
bash quickstart.sh
That installs the deps, creates your vault, prints your MCP config line, and opens the web UI to add keys. Prefer to do it by hand? Read on.
Install
pip install cryptography "mcp[cli]" keyring
# keyring is only needed for keychain mode; skip it if you'll use --passphrase
Create a vault
python keyper.py init # keychain mode (master key in your OS keychain)
python keyper.py init --passphrase # or derive the key from a passphrase (scrypt)
Add secrets
python keyper.py set OPENAI_API_KEY -d "personal key" # prompts (not in shell history)
echo -n 'sk-...' | python keyper.py set STRIPE_KEY # or pipe it in
python keyper.py import-env ./.env # or bulk-import a .env
python keyper.py list # names only, no values
…or skip the terminal entirely:
python keyper.py ui # opens http://127.0.0.1:8765/?token=…
<div align="center">
add · name · describe · delete — all over localhost, token-gated, values encrypted the instant you save
</div>
Connect it to your AI
All clients run the same stdio command: python keyper.py serve. Use absolute paths.
<details> <summary><b>Claude Code</b></summary>
claude mcp add keyper -- /usr/bin/python3 /abs/path/keyper.py serve
# passphrase mode:
claude mcp add keyper -e KEYPER_PASSPHRASE=your-passphrase -- /usr/bin/python3 /abs/path/keyper.py serve
</details>
<details> <summary><b>Claude Desktop / Cowork</b> (<code>claude_desktop_config.json</code> → <code>mcpServers</code>)</summary>
{
"mcpServers": {
"keyper": {
"command": "/usr/bin/python3",
"args": ["/abs/path/keyper.py", "serve"],
"env": { "KEYPER_PASSPHRASE": "your-passphrase" }
}
}
}
Drop the env block if you use keychain mode. Restart the app afterward.
</details>
Then ask your AI things like "use run_with_secrets with OPENAI_API_KEY to list my models."
Tools the AI gets
| Tool | Returns the value? | Use it for |
|---|---|---|
list_secrets |
❌ names + descriptions | Discovering what's in the vault |
describe_secret(name) |
❌ metadata only | Details on one secret |
get_secret(name) |
✅ plaintext into context | When the AI must read the raw value |
run_with_secrets(command, secret_names[]) |
❌ redacted from output | Using a key without exposing it |
The one tradeoff:
get_secretputs a plaintext value into the model's context, where it could be logged. Preferrun_with_secrets— it injects secrets as environment variables into a subprocess and redacts any occurrence from the output. Treat aget_secretresult as you would the key itself.
How it protects your secrets
- AES-256-GCM authenticated encryption; a fresh random 96-bit nonce per secret.
- The secret's name is bound in as Additional Authenticated Data, so a ciphertext can't be silently moved onto another name without decryption failing.
- Master key: 32 random bytes in your OS keychain, or scrypt (n=2¹⁵) from a passphrase. The vault file alone is useless without it.
- Plaintext is never written to disk or to the audit log.
- Vault file and
access.logare created0600. - The web UI binds to 127.0.0.1, requires a per-launch token, and rejects any request
whose
Hostheader isn't localhost (blocks DNS-rebinding from malicious sites).
Threat model, briefly
keyper protects secrets at rest and keeps them out of your shell history and out of
chat when you use run_with_secrets. It does not defend against malware already running
as your user, or against you asking the AI to get_secret and pasting the result somewhere
public.
Configuration
| Variable | Purpose |
|---|---|
KEYPER_VAULT |
Vault file path (default ~/.config/keyper/vault.json) |
KEYPER_PASSPHRASE |
Passphrase for passphrase-mode vaults (required by the server) |
KEYPER_VALUE |
Value source for non-interactive set (scripting) |
KEYPER_NO_AUDIT |
Set to disable the access log |
CLI: init · set · get · list · rm · rotate · import-env · ui · serve — run keyper <cmd> -h.
Contributing
Issues and PRs welcome — see CONTRIBUTING.md. keyper is intentionally small and auditable; changes that touch crypto or the UI's auth must spell out their threat-model impact.
License
MIT © 2026 Sharvil Saxena
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.