Summary
Connects Claude or any MCP client to your Obsidian vault with eight tools for reading, writing, editing, moving, and deleting notes, plus listing folders, tags, and backlinks. Runs in filesystem mode against local markdown files or CouchDB mode with Self-hosted LiveSync for always-on cloud access. Deploy it on Fly.io with the included setup script for about $2-4/month, or run it locally with npx. Every response includes an Obsidian deep link so you can jump straight from Claude's answer into the note on Mac or iOS. Built-in OAuth provider handles authentication when you expose it over HTTPS.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Obsidian Sync MCP
Give any AI agent access to your Obsidian vault over MCP. Run it locally against your vault files, or pair it with Self-hosted LiveSync and deploy to the cloud so it works even when your machine is off.
Example: From your phone, ask your AI: "What's in my daily note for today?" — and get the full content back, with a link to open it in Obsidian.
How it works
The server connects to your vault in two ways:
- Filesystem mode — reads
.mdfiles directly from your vault folder. No database needed. - CouchDB mode — reads from a CouchDB database, locally or in the cloud. Your vault syncs to CouchDB via Self-hosted LiveSync, the community Obsidian plugin (600k+ downloads). The MCP server reads from CouchDB directly using livesync-commonlib — the same library that powers the plugin — for proper chunk handling and E2E encryption support.
Both modes expose the same MCP tools over HTTP, so any MCP-compatible agent can connect: Claude, Copilot, custom agents, anything that speaks the Model Context Protocol.
Choose your setup
| Need it always available? | Have LiveSync? | Go to |
|---|---|---|
| Yes | Yes | Setup A — add MCP alongside your existing CouchDB |
| Yes | No | Setup B — CouchDB + MCP + LiveSync from scratch |
| No | — | Setup C — filesystem or CouchDB, npx or Docker |
A. Deploy MCP to the cloud
You already have LiveSync and CouchDB on an always-on server. You just need the MCP server deployed alongside it.
Using Fly.io setup script (macOS/Linux, or WSL on Windows):
git clone https://github.com/es617/obsidian-sync-mcp.git
cd obsidian-sync-mcp
./deploy/setup.sh # choose option 2 (MCP only)
The script asks for your CouchDB connection details, vault name, and encryption passphrase.
Or run the Docker image on any always-on server:
docker run -p 8787:8787 \
-v mcp-data:/data -e DATA_DIR=/data \
-e COUCHDB_URL=https://your-couchdb:5984 \
-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=yourpassword \
-e COUCHDB_DATABASE=obsidian -e VAULT_NAME=MyVault \
-e COUCHDB_PASSPHRASE=your-encryption-passphrase \
-e COUCHDB_OBFUSCATE_PROPERTIES=false \
-e MCP_AUTH_TOKEN=yourpassword \
-e BASE_URL=https://your-server-url \
ghcr.io/es617/obsidian-sync-mcp:latest
Set COUCHDB_PASSPHRASE if you use E2E encryption in LiveSync. Set COUCHDB_OBFUSCATE_PROPERTIES=true only if "Obfuscate Properties" is also enabled in your LiveSync settings — must match, or writes will silently fail to sync. Set BASE_URL to your public URL (required for OAuth callbacks when agents connect over HTTPS).
Your MCP endpoint is https://your-app.fly.dev/mcp (Fly.io) or https://your-server:8787/mcp (Docker behind HTTPS).
See Cost for Fly.io pricing.
Requires flyctl for the Fly.io path:
curl -L https://fly.io/install.sh | sh
export PATH="$HOME/.fly/bin:$PATH" # add to ~/.zshrc or ~/.bashrc
fly auth login
B. Deploy everything to the cloud
Starting fresh — no LiveSync yet. Deploy CouchDB and MCP together, then set up LiveSync in Obsidian.
Using Fly.io setup script (macOS/Linux, or WSL on Windows):
git clone https://github.com/es617/obsidian-sync-mcp.git
cd obsidian-sync-mcp
./deploy/setup.sh # choose option 1 (CouchDB + MCP)
The script generates credentials, creates the database, and deploys. Save the credentials it prints.
Or with Docker Compose on any always-on server:
git clone https://github.com/es617/obsidian-sync-mcp.git
cd obsidian-sync-mcp
cat > .env <<EOF
COUCHDB_PASSWORD=changeme
VAULT_NAME=MyVault
EOF
docker compose up -d
After deployment:
- In Obsidian, install Self-hosted LiveSync and configure it with the credentials from the setup output
- Your MCP endpoint is
https://your-app.fly.dev/mcp(Fly.io) orhttp://your-server:8787/mcp(Docker) - The
MCP_AUTH_TOKENis the password you enter when an agent connects
Always-on server
├── CouchDB + persistent storage
└── MCP server
↑ ↑
Obsidian + LiveSync AI agents
Requires flyctl for the Fly.io path:
curl -L https://fly.io/install.sh | sh
export PATH="$HOME/.fly/bin:$PATH" # add to ~/.zshrc or ~/.bashrc
fly auth login
Cost (Fly.io)
Applies to both Setup A and Setup B.
| Component | Cost |
|---|---|
| CouchDB + MCP VM (shared, 512MB) | ~$3-4/month (kept alive by LiveSync) |
| MCP-only VM (shared, 256MB) | ~$0-2/month (suspends when idle) |
| 1GB persistent volume | ~$0.15/month |
As of March 2026, Fly.io may waive charges under $5/month, which could make this effectively free with a shared IPv4. Either way, cheaper than Obsidian Sync ($4/month) and you own the data.
C. Run on your machine
Run the MCP server locally. Works with filesystem mode (reads vault files directly) or CouchDB mode (if you have LiveSync). Machine must stay on for agents to reach it.
Filesystem mode (simplest):
VAULT_PATH=~/Documents/MyVault \
VAULT_NAME=MyVault \
npx obsidian-sync-mcp
CouchDB mode (if you have LiveSync):
COUCHDB_URL=http://localhost:5984 \
COUCHDB_USER=admin \
COUCHDB_PASSWORD=yourpassword \
COUCHDB_DATABASE=obsidian \
COUCHDB_PASSPHRASE=your-encryption-passphrase \
COUCHDB_OBFUSCATE_PROPERTIES=false \
VAULT_NAME=MyVault \
npx obsidian-sync-mcp
Omit COUCHDB_PASSPHRASE if you don't use E2E encryption in LiveSync. Set COUCHDB_OBFUSCATE_PROPERTIES=true only if "Obfuscate Properties" is also enabled in your LiveSync settings — must match, or writes will silently fail to sync.
Or with Docker:
docker run -p 8787:8787 \
-v mcp-data:/data -e DATA_DIR=/data \
-e VAULT_PATH=/vault -v ~/Documents/MyVault:/vault \
-e VAULT_NAME=MyVault \
ghcr.io/es617/obsidian-sync-mcp:latest
Your MCP endpoint is http://localhost:8787/mcp.
Want remote access? Add a tunnel (machine must stay on):
cloudflared tunnel --url http://localhost:8787 # free
tailscale funnel 8787 # or Tailscale
ngrok http 8787 # or ngrok
Set BASE_URL to the tunnel URL when using authentication.
Tools
| Tool | Description |
|---|---|
read_note | Read a note's markdown content by path |
write_note | Create or overwrite a note (replaces entire content) |
edit_note | Edit a note without rewriting it — append, prepend (after frontmatter), or replace exact text |
list_folders | List all folders in the vault with note counts — use to discover folder names |
list_tags | List all tags in the vault with counts — use to discover tags before filtering |
list_notes | List notes with timestamps. Filter by folder, name, tag, or date. Sort by name or modified. |
delete_note | Delete a note |
move_note | Move or rename a note — works across folders, creates destination folders automatically |
get_note_metadata | Get frontmatter, tags, outgoing links, backlinks, size, and timestamps — navigate the knowledge graph |
Every tool response includes an Obsidian deep link (obsidian://open?vault=...&file=...) that works on Mac and iOS.
"Add a bullet point to my daily note." "Find my notes about the MCP server and fix the typo in the second one."
Authentication
Set MCP_AUTH_TOKEN to a password to enable authentication:
MCP_AUTH_TOKEN=mysecretpassword npx obsidian-sync-mcp
The server includes a self-contained OAuth 2.1 provider. When an agent connects:
- A browser window opens with a password page
- Enter the
MCP_AUTH_TOKENpassword - The agent gets an access token and refreshes it transparently
The session is shared across all your Claude interfaces (Desktop, Web, Mobile) and persists across server restarts. You'll need to re-enter the password after 14 days of inactivity (configurable via MCP_REFRESH_DAYS).
For non-OAuth clients (curl, MCP Inspector, custom agents), you can also pass the token directly as Authorization: Bearer <MCP_AUTH_TOKEN>.
Without MCP_AUTH_TOKEN, the server runs without authentication — suitable for local use or behind a private network.
Environment variables
| Variable | Required | Default | Description |
|---|---|---|---|
VAULT_PATH | Filesystem mode | — | Path to your Obsidian vault directory |
COUCHDB_URL | CouchDB mode | — | CouchDB server URL |
COUCHDB_USER | CouchDB mode | admin | CouchDB username |
COUCHDB_PASSWORD | CouchDB mode | — | CouchDB password (required) |
COUCHDB_DATABASE | CouchDB mode | obsidian | CouchDB database name |
COUCHDB_PASSPHRASE | CouchDB mode | — | LiveSync E2E encryption passphrase (must match plugin setting) |
COUCHDB_OBFUSCATE_PROPERTIES | CouchDB mode | false | Set to true if "Obfuscate Properties" is enabled in LiveSync (obfuscates file paths, sizes, dates in the database) |
VAULT_NAME | Both | MyVault | Vault name (used for deep links and index storage) |
MCP_AUTH_TOKEN | Optional | — | Password for authentication |
BASE_URL | Optional | http://localhost:PORT | Public URL (for OAuth callbacks when using a tunnel) |
PORT | Optional | 8787 | HTTP port |
HOST | Optional | 0.0.0.0 | Bind address (127.0.0.1 to restrict to localhost) |
DATA_DIR | Optional | ~/.obsidian-mcp | Directory for persisted data (metadata index, auth tokens) |
LOG_LEVEL | Optional | — | Set to debug for verbose logging (library logs, change feed, index sync) |
MCP_REFRESH_DAYS | Optional | 14 | Days before auth session expires |
READ_ONLY | Optional | false | Set to true to disable all write tools (write_note, edit_note, delete_note, move_note). Only read tools are exposed via MCP. Useful when sharing the server with multiple AI clients and write access should be opt-in. |
MCP_INSTRUCTIONS | Optional | — | Extra text appended to the server's MCP instructions (the string clients inject into the system prompt). Use this to bake vault-specific conventions into the server — e.g. folder structure, naming rules, folders to avoid — so they apply across every MCP client without per-client config. Best-effort: not all clients respect instructions. |
MCP_INSTRUCTIONS_FILE | Optional | — | Path to a file (e.g. markdown) whose contents are appended to the MCP instructions. Easier than MCP_INSTRUCTIONS for multi-line conventions. If both are set, the file wins and MCP_INSTRUCTIONS is ignored (with a startup warning). Missing/unreadable file or files larger than 32 KB are fatal startup errors. Store this file somewhere only the service user can write (e.g. chmod 600) — its contents land in every MCP session's system prompt, so write access to it = prompt-injection access to every client. |
Set VAULT_PATH for filesystem mode or COUCHDB_URL for CouchDB mode.
Try without an agent
Test the server interactively using the MCP Inspector:
VAULT_PATH=~/Documents/MyVault npx obsidian-sync-mcp &
npx @modelcontextprotocol/inspector
Set transport to Streamable HTTP, enter http://localhost:8787/mcp, and connect.
How to update
| How you run it | How to update |
|---|---|
npx obsidian-sync-mcp | Automatic — npx pulls latest |
| Fly.io | From the same directory where you ran setup: fly deploy. If you lost the fly.toml, run fly config save --app your-app-name to restore it. |
| Docker | docker pull ghcr.io/es617/obsidian-sync-mcp:latest and restart |
Known limitations
- Single vault per instance. Each server connects to one vault. For multiple vaults, run multiple instances on different ports.
- Single machine on Fly.io. Auth state is in-memory, so multiple machines break the OAuth flow. The setup script enforces this automatically.
- No conflict resolution. If an agent and Obsidian edit the same note simultaneously, last write wins.
- Text only. Binary attachments are not exposed through MCP tools.
- Deep links depend on the client. Obsidian
obsidian://deep links are included in every tool response. They work on Claude Mobile and in browsers, but some clients (Claude Desktop) may not render them as clickable links. - Node 22+ required.
- Setup script requires bash. The
deploy/setup.shscript works on macOS and Linux. On Windows, use WSL or Git Bash.
Safety
This server gives an AI agent read/write access to your Obsidian vault.
Agents can modify and delete notes. Keep backups. Use tool approval deliberately.
Authentication is optional. Always set MCP_AUTH_TOKEN when exposing to the internet.
Use HTTPS in production. Use a tunnel or deploy behind a reverse proxy.
This software is provided as-is under the MIT license. You are responsible for what agents do with your vault.
Development
git clone --recursive https://github.com/es617/obsidian-sync-mcp.git
cd obsidian-sync-mcp
npm install && npm run build
npm test # unit tests
npm run test:e2e # integration tests
License
MIT — see LICENSE.
Acknowledgements
- Self-hosted LiveSync by vrtmrz — the Obsidian plugin and CouchDB sync protocol
- livesync-commonlib by vrtmrz — the shared library for reading/writing the LiveSync document format
- FastMCP — TypeScript MCP framework
- CouchDB — document database
- Fly.io — deployment platform
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Configuration
VAULT_PATHPath to your Obsidian vault directory (filesystem mode)
COUCHDB_URLCouchDB server URL (CouchDB mode)
COUCHDB_USERCouchDB username
COUCHDB_PASSWORDsecretCouchDB password (required in CouchDB mode)
COUCHDB_DATABASECouchDB database name
COUCHDB_PASSPHRASEsecretLiveSync E2E encryption passphrase (must match plugin setting)
COUCHDB_OBFUSCATE_PROPERTIESSet to 'true' if 'Obfuscate Properties' is enabled in LiveSync (obfuscates file paths, sizes, dates)
VAULT_NAMEVault name for deep links and index storage
MCP_AUTH_TOKENsecretPassword for OAuth authentication
BASE_URLPublic URL for OAuth callbacks (required when using a tunnel)
PORTHTTP port
Categories
Registryactive
Packageobsidian-sync-mcp
TransportHTTP
AuthRequired
UpdatedMar 30, 2026
