MCP implementation using Keeper Secrets Manager and Node
Keeper MCP Server
A Model Context Protocol (MCP) server that provides secure access to Keeper Secrets Manager. This server allows MCP-compatible clients (like Claude Desktop, Postman, or other AI assistants) to retrieve specific assigned secrets from the Keeper vault.
Features
- ๐ Secure Access: Connect to your Keeper vault using official Keeper Secrets Manager SDK
- ๐ Search Capabilities: Search secrets by title or content
- ๐ Field Access: Retrieve specific fields from secrets (passwords, URLs, custom fields)
- ๐ Easy Setup: Simple configuration with support for multiple authentication methods
- ๐ก๏ธ Zero Knowledge: Your secrets remain encrypted and secure
Prerequisites
- Node.js 18 or higher
- A Keeper Security account with Secrets Manager enabled
- An application configured in Keeper Secrets Manager
Installation
From npm (coming soon)
npm install -g @keeper/mcp-server
From source
git clone https://github.com/Keeper-Security/keeper-mcp-node.git
cd keeper-mcp-node
npm install
npm run build
Setup
Step 1: Configure Keeper Secrets Manager
- Log into your Keeper Vault
- Navigate to Secrets Manager โ Applications
- Create a new application or select an existing one
- Add the secrets/folders you want to access
- Go to the Devices tab and create a new device
- Download the configuration file
Step 2: Configure the MCP Server
You have two options for providing your Keeper configuration:
Option A: Configuration File (Recommended)
Place your downloaded configuration file in one of these locations:
~/.keeper/ksm-config.json(recommended)./ksm-config.json(in the current directory)
Option B: One-Time Token
If you have a one-time token instead:
export KSM_TOKEN="US:YOUR_ONE_TIME_TOKEN_HERE"
The server will use this token to generate and save a configuration file automatically.
Step 3: Test the Server
Run the server directly to test:
npm start
You should see: Keeper MCP server is running
Usage with MCP Clients
Claude Desktop
Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"keeper": {
"command": "node",
"args": ["/path/to/keeper-mcp-node/dist/index.js"]
}
}
}
Postman
- In Postman, go to the API Network tab
- Create or select an MCP request
- Configure the stdio connection:
- Command:
node - Arguments:
/path/to/keeper-mcp-node/dist/index.js
- Command:
Other MCP Clients
The server communicates via stdio, so you can integrate it with any MCP-compatible client by running:
node /path/to/keeper-mcp-node/dist/index.js
Available Tools
Secret Operations
ksm_list_secrets
List all secrets accessible to your application (metadata only).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_list_secrets",
"arguments": {}
}
}
Response:
[
{
"uid": "XXXXXXXXXXXXXXXXXXXXXX",
"title": "My Secret",
"type": "login"
}
]
ksm_get_secret
Retrieve a complete secret by UID or title (sensitive fields masked by default).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_get_secret",
"arguments": {
"identifier": "My Secret",
"unmask": false
}
}
}
ksm_search_secrets
Search for secrets by title, notes, or other field content.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_search_secrets",
"arguments": {
"query": "database"
}
}
}
ksm_create_secret
Create a new secret in Keeper Secrets Manager (requires confirmation).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_create_secret",
"arguments": {
"title": "New Database Credentials",
"type": "login",
"fields": {
"login": "admin",
"password": "secure_password",
"url": "https://db.example.com"
},
"notes": "Production database",
"folderId": "FOLDER_UID"
}
}
}
ksm_update_secret
Update an existing secret (requires confirmation).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_update_secret",
"arguments": {
"identifier": "My Secret",
"updates": {
"title": "Updated Title",
"fields": {
"password": "new_password"
}
}
}
}
}
ksm_delete_secret
Delete a secret from Keeper Secrets Manager (requires confirmation).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_delete_secret",
"arguments": {
"identifier": "My Secret"
}
}
}
ksm_get_field
Get a specific field value from a secret.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_get_field",
"arguments": {
"identifier": "My Secret",
"field": "password"
}
}
}
Common field names:
password- The password fieldlogin- Username/emailurl- Website URL- Custom field labels
Folder Operations
ksm_list_folders
List all accessible folders in Keeper Secrets Manager.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_list_folders",
"arguments": {}
}
}
ksm_create_folder
Create a new folder (requires confirmation; must specify a parent shared folder).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_create_folder",
"arguments": {
"name": "Development Secrets",
"parentFolderId": "PARENT_FOLDER_UID"
}
}
}
ksm_delete_folder
Delete a folder (requires confirmation).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_delete_folder",
"arguments": {
"folderId": "FOLDER_UID",
"force": false
}
}
}
File Management
ksm_upload_file
Upload a file attachment to a secret (requires confirmation).
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_upload_file",
"arguments": {
"identifier": "My Secret",
"filePath": "/path/to/certificate.pem",
"fileName": "server-cert.pem"
}
}
}
ksm_download_file
Download a file attachment from a secret.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_download_file",
"arguments": {
"identifier": "My Secret",
"fileId": "certificate.pem",
"outputPath": "/tmp/downloaded-cert.pem"
}
}
}
Utilities
ksm_generate_password
Generate a secure password. Can optionally save directly to a new secret without exposing it to the AI.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_generate_password",
"arguments": {
"length": 24,
"includeUppercase": true,
"includeLowercase": true,
"includeNumbers": true,
"includeSpecial": true,
"saveToSecret": {
"title": "Generated API Key",
"login": "api-user",
"url": "https://api.example.com",
"notes": "Auto-generated API key"
}
}
}
}
ksm_get_totp_code
Get the current TOTP code for a secret that has TOTP configured.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_get_totp_code",
"arguments": {
"identifier": "My 2FA Secret"
}
}
}
ksm_get_server_version
Get the current version of the KSM MCP server.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_get_server_version",
"arguments": {}
}
}
ksm_health_check
Check the operational status of the MCP server and its connection to KSM.
Request:
{
"method": "tools/call",
"params": {
"name": "ksm_health_check",
"arguments": {}
}
}
Troubleshooting
"No Keeper Secrets Manager configuration found"
- Ensure your configuration file is in one of the supported locations
- Check that the file has proper JSON formatting
- Verify file permissions (should be readable by your user)
"Failed to initialize KSM"
- Verify your configuration file contains all required fields
- Check that your application has access to the shared folders/secrets
- Ensure your device hasn't been revoked in Keeper
Connection Issues
- Verify you have internet connectivity
- Check if your organization has IP restrictions enabled
- Ensure your Keeper subscription includes Secrets Manager
Development
Building from source
npm install
npm run build
Running in development mode
npm run dev
Running tests
npm test
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Acknowledgments
- Built on the Model Context Protocol
- Powered by Keeper Security
Support
- For issues with the MCP server: GitHub Issues
- For Keeper-specific questions: Keeper Support
- For MCP protocol questions: MCP Documentation