@securecode/mcp-server
MCP Server for SecureCodeHQ. Lets Claude Code access your secrets securely without ever seeing them.
Quick Start
claude mcp add securecode -- npx -y @securecode/mcp-server
Then tell Claude Code:
Set up SecureCode in this project
The onboard tool walks you through account creation, secret import, and configuration. Takes about 2 minutes.
What It Does
Your secrets (API keys, tokens, passwords) are encrypted with AES-256 and stored in SecureCode. Claude Code accesses them via MCP, but the actual values never appear in the chat.
When Claude reads a secret, the value is written to a local file on your machine. The AI gets the file path but never sees the raw value. This is inject mode, the default.
Tools
| Tool | What it does |
|---|---|
onboard | Guided setup: signup, import, API key, config, SDK |
get-secret | Get a secret (injected to file by default, reveal: true to show to AI) |
list-secrets | List all secrets with tags and expiry status |
create-secret | Create a new secret |
update-secret | Update value, description, or tags |
delete-secret | Delete a secret |
renew-secret | Renew expired secrets or change TTL |
import-env | Import .env via secure web window (values never pass through AI) |
export-env | Export secrets as .env or CSV |
get-status | Check plan, usage, and MCP server version |
wake-session | Unlock session with optional scope and auto-sleep timer |
sleep-session | Lock session and clean injected files |
session-status | Check session state and time remaining |
byebye | Lock session + clean all secrets from disk |
get-active-rules | List active MCP access rules (read-only) |
security-check | Post-setup security hardening checks |
help | Docs: tools, SDK, sessions, rules, troubleshooting |
MCP Access Rules
Control how AI agents access your secrets with tag-based policies. Created from the dashboard, enforced server-side.
| Action | Effect |
|---|---|
| Block Always | Secret only accessible from the dashboard |
| Require Confirmation | Agent must acknowledge before accessing |
| Require Session | Requires active session (wake-session) |
| Block Models | Only allows specific AI models |
| Notify | Sends email on access (non-blocking) |
Session Lock
You: "Wake my session for acme staging"
Claude: Session unlocked. Only acme/staging secrets accessible.
You: "byebye"
Claude: Session locked & secrets cleaned from disk.
Sessions auto-sleep after configurable inactivity (default: 2 hours).
How It Works
- Secret values are written to a local file, the AI never sees them (inject mode)
- Explicit
reveal: truereturns value to AI (audited) - Injected files are removed on sleep, byebye, or process exit
- Multiple Claude Code instances don't collide (hash based on API key + PID)
- Encrypted with AES-256-GCM using envelope encryption (Cloud KMS)
- Every access is logged with AI model, IP, machine identity, and timestamp
- Runs locally via stdio transport, secrets never pass through third parties
- Device approval required on first use from each machine
SDK
The companion SDK lets your app load secrets at runtime:
npm install @securecode/sdk
import { loadEnv } from '@securecode/sdk';
await loadEnv(); // all secrets loaded into process.env
Links
- Website: https://securecodehq.com
- npm: https://www.npmjs.com/package/@securecode/mcp-server
- SDK: https://www.npmjs.com/package/@securecode/sdk
Requirements
- Node.js >= 18
- A SecureCodeHQ account (free tier: 50 secrets, 10K accesses/month)
License
MIT