Keyway MCP Server

A GitHub-native secrets manager that allows AI assistants to securely manage, generate, and validate credentials without exposing sensitive values in conversation history. It supports secret scanning, environment diffing, and secure command execution by injecting masked variables directly into the runtime environment.

Let AI manage your secrets securely

Keyway is a GitHub-native secrets manager. This MCP server lets AI assistants like Claude securely access your secrets without ever exposing them in conversation.


Why Keyway MCP?

Traditional secret management with AI is risky: copying secrets into chat exposes them in logs and context. Keyway MCP solves this:

| Without Keyway | With Keyway MCP |
| --- | --- |
| Copy secrets into chat | Secrets stay in vault |
| Visible in conversation history | Never exposed to AI |
| Manual secret creation | Generate securely, never exposed |
| Hope AI doesn't leak them | Cryptographically protected |

Key features:

  • Zero exposure — Generate, validate, and use secrets without the AI ever seeing them
  • Pre-deployment validation — Check all required secrets exist before shipping
  • Secret scanning — Detect leaked credentials in your codebase
  • Environment diffing — Compare secrets across dev/staging/prod

Quick Install

Prerequisites

First, authenticate with Keyway CLI:

npx @keywaysh/cli login

Claude Code

claude mcp add keyway -- npx @keywaysh/mcp

VS Code / Cursor

code --add-mcp '{"name":"keyway","command":"npx","args":["-y","@keywaysh/mcp"]}'

Other IDEs

Windsurf

Add to your MCP config:

{
  "mcpServers": {
    "keyway": {
      "command": "npx",
      "args": ["-y", "@keywaysh/mcp"]
    }
  }
}

Warp

Settings → AI → Manage MCP Servers → Add:

{
  "mcpServers": {
    "keyway": {
      "command": "npx",
      "args": ["-y", "@keywaysh/mcp"]
    }
  }
}

GitHub Copilot

/mcp add

Then enter npx -y @keywaysh/mcp when prompted.

Goose

Advanced settings → Extensions → Add custom extension

Select STDIO type, command: npx -y @keywaysh/mcp


Available Tools

keyway_generate

Generate secure secrets and store them directly in the vault. The value is never exposed to the AI.

"Generate a new JWT secret for production"
{
  "name": "JWT_SECRET",
  "type": "jwt-secret",
  "environment": "production"
}

Types: password | uuid | api-key | jwt-secret | hex | base64

Response:

{
  "success": true,
  "action": "created",
  "name": "JWT_SECRET",
  "type": "jwt-secret",
  "length": 43,
  "preview": "eyJh**********************************MDkz",
  "message": "Secret created. The actual value was never exposed in this conversation."
}

keyway_validate

Validate required secrets exist before deployment. Supports auto-detection from code.

"Check if production has all required secrets"
{
  "environment": "production",
  "required": ["DATABASE_URL", "STRIPE_SECRET_KEY", "JWT_SECRET"]
}

Or auto-detect from your codebase:

{
  "environment": "production",
  "autoDetect": true
}

Response:

{
  "valid": false,
  "missing": ["STRIPE_SECRET_KEY"],
  "present": ["DATABASE_URL", "JWT_SECRET"],
  "stats": {
    "requiredCount": 3,
    "presentCount": 2,
    "coverage": "66.7%"
  },
  "message": "✗ Missing 1 required secret in production: STRIPE_SECRET_KEY"
}

keyway_scan

Scan your codebase for leaked secrets. Detects 18+ secret types.

"Scan the codebase for leaked credentials"
{
  "path": "./src"
}

Detects: AWS keys, GitHub tokens, Stripe keys, Slack webhooks, private keys, and more.

Response:

{
  "filesScanned": 142,
  "findingsCount": 2,
  "findings": [
    {
      "file": "src/config.ts",
      "line": 23,
      "type": "GitHub PAT",
      "preview": "ghp_********************************xyz"
    }
  ]
}
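
A small scanner that produces the response shape shown above, as an added example (not Keyway's scanner). The two detection rules, the preview format (first 4 and last 3 characters kept) and the sample files are assumptions made for illustration; the token-shaped strings are constructed and fake.

```javascript
// Added example, not Keyway's code. Rules and preview format are assumptions.
const RULES = [
  { type: 'GitHub PAT', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: 'AWS Access Key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Keep the first 4 and last 3 characters and mask everything in between,
// so a finding can be recognised without the value entering the transcript.
function preview(value) {
  return value.slice(0, 4) + '*'.repeat(value.length - 7) + value.slice(-3);
}

// files: { path: contents }. Returns the same shape as the keyway_scan response.
function scanFiles(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((lineText, i) => {
      for (const { type, re } of RULES) {
        for (const m of lineText.matchAll(re)) {
          findings.push({ file, line: i + 1, type, preview: preview(m[0]) });
        }
      }
    });
  }
  return {
    filesScanned: Object.keys(files).length,
    findingsCount: findings.length,
    findings,
  };
}

// Constructed sample input; the token-shaped strings are fake.
const SAMPLE_FILES = {
  'src/config.ts': [
    'export const apiBase = "https://api.example.com";',
    'const token = "ghp_' + 'a1B2c3D4e5F6'.repeat(3) + '";',
    'const region = process.env.AWS_REGION; // read from env: no finding',
  ].join('\n'),
  'src/deploy.sh': 'export AWS_ACCESS_KEY_ID=AKIA' + 'ABCDEFGH12345678',
};

console.log(JSON.stringify(scanFiles(SAMPLE_FILES), null, 2));
```
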

keyway_diff

Compare secrets between environments.

"What's different between staging and production?"
{
  "env1": "staging",
  "env2": "production"
}

Response:

{
  "onlyInEnv1": ["DEBUG_MODE"],
  "onlyInEnv2": ["REDIS_CLUSTER_URL"],
  "different": [
    {
      "key": "DATABASE_URL",
      "preview1": "**st (45 chars)",
      "preview2": "**db (52 chars)"
    }
  ],
  "same": ["API_KEY", "JWT_SECRET"],
  "stats": {
    "totalEnv1": 10,
    "totalEnv2": 11,
    "different": 1
  }
}

keyway_inject_run

Run commands with secrets injected as environment variables.

"Run the test suite with production secrets"
{
  "command": "npm",
  "args": ["test"],
  "environment": "production"
}

Secrets are injected into the command's environment and masked in any output.


keyway_list_secrets

List secret names (not values) in an environment.

{
  "environment": "production"
}

keyway_set_secret

Create or update a secret manually.

{
  "name": "WEBHOOK_URL",
  "value": "https://hooks.example.com/abc123",
  "environment": "production"
}

keyway_list_environments

List available environments for the repository.


Security

Keyway MCP is designed with security as the primary concern:

| Feature | How it works |
| --- | --- |
| Token encryption | Uses AES-256-GCM, same as Keyway CLI |
| No secret logging | Values never appear in logs or output |
| Output masking | inject_run redacts secrets from stdout/stderr |
| Shell injection prevention | Commands run with shell: false |
| File permissions | Validates ~/.keyway/.key is 0600 |
| Generate, don't expose | keyway_generate creates secrets without revealing them |
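
How the "Output masking" and "Shell injection prevention" rows fit together, as an added example (not Keyway's implementation). The function names, the mask string and the sample secrets are hypothetical and constructed for illustration.

```javascript
// Added example, not Keyway's code. runWithSecrets and maskOutput are hypothetical names.
const { spawnSync } = require('node:child_process');

// Redact every secret value from text. Longest values go first, so a secret
// that is a prefix of another does not leave the longer one's tail visible.
function maskOutput(text, secrets) {
  const values = Object.values(secrets)
    .filter((v) => typeof v === 'string' && v.length > 0) // an empty value would match everywhere
    .sort((a, b) => b.length - a.length);
  return values.reduce((out, v) => out.split(v).join('********'), text);
}

// Run a command with secrets added to its environment. With shell: false the
// args array goes straight to the program, so shell metacharacters inside an
// argument are data and are never interpreted.
function runWithSecrets(command, args, secrets) {
  const result = spawnSync(command, args, {
    shell: false,
    env: { ...process.env, ...secrets },
    encoding: 'utf8',
  });
  return {
    exitCode: result.status,
    stdout: maskOutput(result.stdout ?? '', secrets),
    stderr: maskOutput(result.stderr ?? '', secrets),
  };
}

// Constructed sample secrets (not real credentials).
const SAMPLE_SECRETS = {
  API_KEY: 'sk_test_constructed_1234',
  API_KEY_V2: 'sk_test_constructed_1234_rotated',
  EMPTY: '',
};

// The child prints both secrets and echoes its argument. The argument holds
// shell syntax that would start a second command if a shell parsed it.
function demo() {
  const script =
    'console.log(process.env.API_KEY_V2, process.env.API_KEY);' +
    'console.error("arg=" + process.argv[1]);';
  return runWithSecrets(process.execPath, ['-e', script, '; echo injected'], SAMPLE_SECRETS);
}

console.log(demo());
```

Masking of this kind only catches exact matches: a command that prints a secret base64-encoded, reversed or split across writes will get past it, so it limits accidental exposure rather than containing a hostile command.
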

What the AI can see

| Tool | AI sees value? |
| --- | --- |
| keyway_generate | No (only masked preview) |
| keyway_validate | No (only key names) |
| keyway_scan | No (only masked previews) |
| keyway_diff | No (only masked previews) |
| keyway_inject_run | No (values masked in output) |
| keyway_list_secrets | No (only key names) |
| keyway_set_secret | Yes (value provided by user) |

Development

# Install dependencies
pnpm install

# Run in development
pnpm dev

# Build
pnpm build

# Run tests
pnpm test

# Lint & format
pnpm lint
pnpm format

Environment Variables

| Variable | Description |
| --- | --- |
| KEYWAY_API_URL | Override API URL (default: https://api.keyway.sh) |

License

MIT — see LICENSE


keyway.sh · Built for developers who care about security
