A secrets vault that keeps API keys and credentials out of Claude's context window. Instead of pasting secrets into chat, Claude fetches them through MCP and they're injected into local files on your machine, never appearing in the conversation. You get tag-based access rules enforced server-side, session locks that auto-expire after inactivity, and audit logs for every access showing which model touched what and when. The onboard tool walks you through account setup and secret import in a couple minutes. Secrets are encrypted with AES-256-GCM using envelope encryption. There's a companion SDK for runtime loading in your actual applications. Useful if you're pair programming with Claude on projects that touch production systems and want granular control over what gets accessed when.
MCP Server for SecureCodeHQ. Lets Claude Code access your secrets securely without ever seeing them.
```bash
claude mcp add securecode -- npx -y @securecode/mcp-server
```

Then tell Claude Code:

```
Set up SecureCode in this project
```
The onboard tool walks you through account creation, secret import, and configuration. Takes about 2 minutes.
Your secrets (API keys, tokens, passwords) are encrypted with AES-256 and stored in SecureCode. Claude Code accesses them via MCP, but the actual values never appear in the chat.
When Claude reads a secret, the value is written to a local file on your machine. The AI gets the file path but never sees the raw value. This is inject mode, the default.
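
A minimal sketch of the inject-mode pattern described above, added here as an illustration and not SecureCode's own code: the handler writes the value to an owner-only file and returns only the path, and locking the session deletes the injected files. The function names, directory layout and sample secret name are assumptions.

```javascript
// Added illustration of the inject-mode pattern; not SecureCode's implementation.
// Function names, directory layout and file naming are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Private per-session directory; mkdtemp creates it with mode 0700,
// so other local users cannot list or read the injected files.
function openSession() {
  return { dir: fs.mkdtempSync(path.join(os.tmpdir(), 'inject-')), files: new Set() };
}

// Write the value to disk and hand back only metadata for the model to see.
function injectSecret(session, name, value) {
  if (!/^[A-Za-z0-9_.-]+$/.test(name) || name.startsWith('.')) {
    throw new Error('invalid secret name'); // rejects path traversal via the name
  }
  const file = path.join(session.dir, name);
  // 'wx' is O_CREAT|O_EXCL: fails instead of following or overwriting
  // a file or symlink that already exists at that path.
  fs.writeFileSync(file, value, { mode: 0o600, flag: 'wx' });
  session.files.add(file);
  return { name, path: file }; // deliberately no `value` field
}

// Locking the session: remove every injected file, then the directory itself.
function closeSession(session) {
  for (const file of session.files) fs.rmSync(file, { force: true });
  session.files.clear();
  fs.rmSync(session.dir, { recursive: true, force: true });
}
```

Whatever is returned from `injectSecret` is what would reach the model, so the check that matters is that the serialized result never contains the secret value.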
| Tool | What it does |
|---|---|
| onboard | Guided setup: signup, import, API key, config, SDK |
| get-secret | Get a secret (injected to file by default, reveal: true to show to AI) |
| list-secrets | List all secrets with tags and expiry status |
| create-secret | Create a new secret |
| update-secret | Update value, description, or tags |
| delete-secret | Delete a secret |
| renew-secret | Renew expired secrets or change TTL |
| import-env | Import .env via secure web window (values never pass through AI) |
| export-env | Export secrets as .env or CSV |
| get-status | Check plan, usage, and MCP server version |
| wake-session | Unlock session with optional scope and auto-sleep timer |
| sleep-session | Lock session and clean injected files |
| session-status | Check session state and time remaining |
| byebye | Lock session + clean all secrets from disk |
| get-active-rules | List active MCP access rules (read-only) |
| security-check | Post-setup security hardening checks |
| help | Docs: tools, SDK, sessions, rules, troubleshooting |
Control how AI agents access your secrets with tag-based policies. Created from the dashboard, enforced server-side.
| Action | Effect |
|---|---|
| Block Always | Secret only accessible from the dashboard |
| Require Confirmation | Agent must acknowledge before accessing |
| Require Session | Requires active session (wake-session) |
| Block Models | Only allows specific AI models |
| Notify | Sends email on access (non-blocking) |
```
You: "Wake my session for acme staging"
Claude: Session unlocked. Only acme/staging secrets accessible.
You: "byebye"
Claude: Session locked & secrets cleaned from disk.
```
Sessions auto-sleep after configurable inactivity (default: 2 hours).
reveal: true returns value to AI (audited)

The companion SDK lets your app load secrets at runtime:

```bash
npm install @securecode/sdk
```

```javascript
import { loadEnv } from '@securecode/sdk';

await loadEnv(); // all secrets loaded into process.env
```
MIT