Skip to content

Keeper-Security/keeper-mcp-node

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
src
src
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Keeper MCP Server

A Model Context Protocol (MCP) server that provides secure access to Keeper Secrets Manager. This server allows MCP-compatible clients (like Claude Desktop, Postman, or other AI assistants) to retrieve specific assigned secrets from the Keeper vault.

Features

  • 🔐 Secure Access: Connect to your Keeper vault using official Keeper Secrets Manager SDK
  • 🔍 Search Capabilities: Search secrets by title or content
  • 📝 Field Access: Retrieve specific fields from secrets (passwords, URLs, custom fields)
  • 🚀 Easy Setup: Simple configuration with support for multiple authentication methods
  • 🛡️ Zero Knowledge: Your secrets remain encrypted and secure

Prerequisites

  • Node.js 18 or higher
  • A Keeper Security account with Secrets Manager enabled
  • An application configured in Keeper Secrets Manager

Installation

From npm (coming soon)

npm install -g @keeper/mcp-server

From source

git clone https://github.com/Keeper-Security/keeper-mcp-node.git
cd keeper-mcp-node
npm install
npm run build

Setup

Step 1: Configure Keeper Secrets Manager

  1. Log into your Keeper Vault
  2. Navigate to Secrets ManagerApplications
  3. Create a new application or select an existing one
  4. Add the secrets/folders you want to access
  5. Go to the Devices tab and create a new device
  6. Download the configuration file

Step 2: Configure the MCP Server

You have two options for providing your Keeper configuration:

Option A: Configuration File (Recommended)

Place your downloaded configuration file in one of these locations:

  • ~/.keeper/ksm-config.json (recommended)
  • ./ksm-config.json (in the current directory)

Option B: One-Time Token

If you have a one-time token instead:

export KSM_TOKEN="US:YOUR_ONE_TIME_TOKEN_HERE"

The server will use this token to generate and save a configuration file automatically.

Step 3: Test the Server

Run the server directly to test:

npm start

You should see: Keeper MCP server is running

Usage with MCP Clients

Claude Desktop

Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "keeper": {
      "command": "node",
      "args": ["/path/to/keeper-mcp-node/dist/index.js"]
    }
  }
}

Postman

  1. In Postman, go to the API Network tab
  2. Create or select an MCP request
  3. Configure the stdio connection:
    • Command: node
    • Arguments: /path/to/keeper-mcp-node/dist/index.js

Other MCP Clients

The server communicates via stdio, so you can integrate it with any MCP-compatible client by running:

node /path/to/keeper-mcp-node/dist/index.js

Available Tools

Secret Operations

ksm_list_secrets

List all secrets accessible to your application (metadata only).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_list_secrets",
    "arguments": {}
  }
}

Response:

[
  {
    "uid": "XXXXXXXXXXXXXXXXXXXXXX",
    "title": "My Secret",
    "type": "login"
  }
]

ksm_get_secret

Retrieve a complete secret by UID or title (sensitive fields masked by default).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_secret",
    "arguments": {
      "identifier": "My Secret",
      "unmask": false
    }
  }
}

ksm_search_secrets

Search for secrets by title, notes, or other field content.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_search_secrets",
    "arguments": {
      "query": "database"
    }
  }
}

ksm_create_secret

Create a new secret in Keeper Secrets Manager (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_create_secret",
    "arguments": {
      "title": "New Database Credentials",
      "type": "login",
      "fields": {
        "login": "admin",
        "password": "secure_password",
        "url": "https://db.example.com"
      },
      "notes": "Production database",
      "folderId": "FOLDER_UID"
    }
  }
}

ksm_update_secret

Update an existing secret (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_update_secret",
    "arguments": {
      "identifier": "My Secret",
      "updates": {
        "title": "Updated Title",
        "fields": {
          "password": "new_password"
        }
      }
    }
  }
}

ksm_delete_secret

Delete a secret from Keeper Secrets Manager (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_delete_secret",
    "arguments": {
      "identifier": "My Secret"
    }
  }
}

ksm_get_field

Get a specific field value from a secret.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_field",
    "arguments": {
      "identifier": "My Secret",
      "field": "password"
    }
  }
}

Common field names:

  • password - The password field
  • login - Username/email
  • url - Website URL
  • Custom field labels

Folder Operations

ksm_list_folders

List all accessible folders in Keeper Secrets Manager.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_list_folders",
    "arguments": {}
  }
}

ksm_create_folder

Create a new folder (requires confirmation; must specify a parent shared folder).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_create_folder",
    "arguments": {
      "name": "Development Secrets",
      "parentFolderId": "PARENT_FOLDER_UID"
    }
  }
}

ksm_delete_folder

Delete a folder (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_delete_folder",
    "arguments": {
      "folderId": "FOLDER_UID",
      "force": false
    }
  }
}

File Management

ksm_upload_file

Upload a file attachment to a secret (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_upload_file",
    "arguments": {
      "identifier": "My Secret",
      "filePath": "/path/to/certificate.pem",
      "fileName": "server-cert.pem"
    }
  }
}

ksm_download_file

Download a file attachment from a secret.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_download_file",
    "arguments": {
      "identifier": "My Secret",
      "fileId": "certificate.pem",
      "outputPath": "/tmp/downloaded-cert.pem"
    }
  }
}

Utilities

ksm_generate_password

Generate a secure password. Can optionally save directly to a new secret without exposing it to the AI.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_generate_password",
    "arguments": {
      "length": 24,
      "includeUppercase": true,
      "includeLowercase": true,
      "includeNumbers": true,
      "includeSpecial": true,
      "saveToSecret": {
        "title": "Generated API Key",
        "login": "api-user",
        "url": "https://api.example.com",
        "notes": "Auto-generated API key"
      }
    }
  }
}

ksm_get_totp_code

Get the current TOTP code for a secret that has TOTP configured.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_totp_code",
    "arguments": {
      "identifier": "My 2FA Secret"
    }
  }
}

ksm_get_server_version

Get the current version of the KSM MCP server.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_server_version",
    "arguments": {}
  }
}

ksm_health_check

Check the operational status of the MCP server and its connection to KSM.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_health_check",
    "arguments": {}
  }
}

Troubleshooting

"No Keeper Secrets Manager configuration found"

  • Ensure your configuration file is in one of the supported locations
  • Check that the file has proper JSON formatting
  • Verify file permissions (should be readable by your user)

"Failed to initialize KSM"

  • Verify your configuration file contains all required fields
  • Check that your application has access to the shared folders/secrets
  • Ensure your device hasn't been revoked in Keeper

Connection Issues

  • Verify you have internet connectivity
  • Check if your organization has IP restrictions enabled
  • Ensure your Keeper subscription includes Secrets Manager

Development

Building from source

npm install
npm run build

Running in development mode

npm run dev

Running tests

npm test

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes (git commit -m 'Add some AmazingFeature')
  4. Push to the branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

Acknowledgments

Support

About

MCP implementation using Keeper Secrets Manager and Node

www.keepersecurity.com/secrets-manager.html

Topics

ai mcp-server

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages