MCP Server Overview
Manage your SikkerKey vault from Claude Code, Codex, Cursor, and other MCP-compatible AI clients.
The SikkerKey MCP server is a local binary that lets an AI client manage your vault through structured tool calls. It speaks the Model Context Protocol over stdio and exposes 16 tools for everything an AI agent should be allowed to touch: projects, secrets metadata, rotation schedules, access policies, canaries, machines, AI agents, audit log, alerts, webhooks, support, and trash.
The MCP server runs locally next to the AI client. It authenticates to SikkerKey using an Ed25519 keypair bound to a per-vault AI agent identity, the same signed-request scheme the SDK and CLI use for machine identities. The agent's private key never leaves the machine running the MCP server.
When to use it
Use the MCP server when you want an AI client (Claude Code, Codex, Cursor, etc.) to act as an operator on your vault: provision machines, plant canaries, configure policies, audit recent activity, set up alerts, draft support tickets. It is the management plane.
Use the SDKs or CLI when an application or human needs to read plaintext secret values at runtime. The MCP server cannot read plaintext. Those flows are bound to machine identities, which are a separate identity class.
What it can do
| Tool | Purpose |
|---|---|
| manage_projects | Create, update, delete projects. Inspect permissions. |
| manage_secrets | Create / update / rotate / rollback secrets. List metadata. Manage dynamic-rotation schedules. |
| manage_temporary_secrets | Create one-shot self-destructing share links. |
| manage_policies | Create access policies and bind them to secrets. |
| manage_canaries | Plant defensive canary secrets that freeze a project on unauthorized read. |
| manage_machines | List, approve, rename, revoke machines. View name history. |
| manage_ai_agents | Manage other AI agents on the vault (lifecycle only; scope-set mutation is dashboard-only). |
| manage_project_machines | Attach machines to projects, set per-secret grants. |
| manage_enrollment | Issue and revoke enrollment tokens for ephemeral machines. |
| manage_team | Invite / remove team members. Adjust per-project permissions. |
| manage_trash | List, restore, or purge soft-deleted secrets. |
| manage_alerts | Configure which audit actions trigger alert dispatch. |
| manage_webhooks | Manage outbound webhook delivery channels. |
| manage_ipallowlist | Configure machine-auth IP allowlist. |
| read_audit | Query the audit log, export CSV, view stats and recent activity. |
| support | Open and reply to support tickets, manage attachments. |
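Before registering a freshly installed binary with an AI client it is worth confirming that it advertises exactly the inventory above, nothing more. The following Go program is an added illustration, not part of SikkerKey's own code: it drives the MCP handshake over stdio (initialize, the initialized notification, then tools/list), waits for the initialize result before announcing initialized as the protocol requires, and diffs the advertised tool names against the table. The binary name sikkerkey-mcp and the client name surface-check are assumptions; the JSON-RPC message shapes are those of the MCP specification.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"log"
	"os/exec"
)

// DocumentedTools is the 16-tool inventory from the table above.
var DocumentedTools = []string{
	"manage_projects", "manage_secrets", "manage_temporary_secrets", "manage_policies",
	"manage_canaries", "manage_machines", "manage_ai_agents", "manage_project_machines",
	"manage_enrollment", "manage_team", "manage_trash", "manage_alerts", "manage_webhooks",
	"manage_ipallowlist", "read_audit", "support",
}

// rpcMsg is the JSON-RPC 2.0 envelope MCP uses; over stdio it is one object per line.
type rpcMsg struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      *int            `json:"id,omitempty"`
	Method  string          `json:"method,omitempty"`
	Params  json.RawMessage `json:"params,omitempty"`
	Result  json.RawMessage `json:"result,omitempty"`
	Error   json.RawMessage `json:"error,omitempty"`
}

func line(m rpcMsg) []byte {
	b, _ := json.Marshal(m)
	return append(b, '\n')
}

// Handshake returns the client side of the exchange in order: initialize (id 1),
// the initialized notification (no id, so no reply), then tools/list (id 2).
func Handshake(protocolVersion string) [][]byte {
	params, _ := json.Marshal(map[string]any{"protocolVersion": protocolVersion,
		"capabilities": map[string]any{}, "clientInfo": map[string]string{"name": "surface-check", "version": "0.1"}})
	one, two := 1, 2
	return [][]byte{
		line(rpcMsg{JSONRPC: "2.0", ID: &one, Method: "initialize", Params: params}),
		line(rpcMsg{JSONRPC: "2.0", Method: "notifications/initialized"}),
		line(rpcMsg{JSONRPC: "2.0", ID: &two, Method: "tools/list"}),
	}
}

// readReply scans until the response carrying id arrives, skipping any notifications
// the server interleaves; a JSON-RPC error object is returned as an error.
func readReply(sc *bufio.Scanner, id int) (rpcMsg, error) {
	for sc.Scan() {
		var m rpcMsg
		if json.Unmarshal(sc.Bytes(), &m) == nil && m.ID != nil && *m.ID == id {
			if m.Error != nil {
				return m, fmt.Errorf("request %d failed: %s", id, m.Error)
			}
			return m, nil
		}
	}
	return rpcMsg{}, fmt.Errorf("no reply for request %d", id)
}

// Audit decodes tools[].name from a tools/list result and diffs it against the
// documented inventory. A result that does not decode yields no names (so everything
// shows as missing); an undocumented tool (extra) is the drift to chase first.
func Audit(result json.RawMessage) (names, missing, extra []string) {
	var res struct{ Tools []struct{ Name string } } // encoding/json matches keys case-insensitively
	json.Unmarshal(result, &res)
	want := map[string]bool{}
	for _, n := range DocumentedTools {
		want[n] = true
	}
	for _, t := range res.Tools {
		names = append(names, t.Name)
		if !want[t.Name] {
			extra = append(extra, t.Name)
		}
		delete(want, t.Name)
	}
	for _, n := range DocumentedTools { // list order, so output is stable
		if want[n] {
			missing = append(missing, n)
		}
	}
	return names, missing, extra
}

func must[T any](v T, err error) T {
	if err != nil {
		log.Fatal(err)
	}
	return v
}

func main() {
	cmd := exec.Command("sikkerkey-mcp") // assumed binary name; use whatever Setup installs
	stdin := must(cmd.StdinPipe())
	sc := bufio.NewScanner(must(cmd.StdoutPipe()))
	sc.Buffer(make([]byte, 1<<20), 1<<20) // 16 tool schemas may exceed the 64 KiB default
	must(0, cmd.Start())
	msgs := Handshake("2025-11-25")
	stdin.Write(msgs[0])
	must(readReply(sc, 1)) // the initialize result must arrive before initialized is announced
	stdin.Write(append(msgs[1], msgs[2]...))
	names, missing, extra := Audit(must(readReply(sc, 2)).Result)
	fmt.Printf("advertised %d tools; missing %v; extra %v\n", len(names), missing, extra)
}
```

A non-empty extra list is the finding to act on: a vault-management server advertising a tool this page does not document is either a version mismatch between binary and documentation or a binary you should not be registering. The scanner buffer is raised deliberately, since tools/list carries every tool's input schema in a single line.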
What it cannot do
The MCP surface is read-blind on stored secret values. None of these are reachable through any tool:
- Read the plaintext of an existing secret.
- Authenticate as a machine identity to read secrets via the SDK/CLI surface.
- Modify another AI agent's scope set or project allowlist (dashboard-only, to prevent privilege escalation between agents).
- Provision new machines via the keypair-bundle download flow (token issuance is exposed; bundle download is a higher trust class and remains dashboard-only).
- Issue new AI-agent bootstrap tokens (also dashboard-only).
- Destroy a vault, manage billing, change account auth, or accept invitations on someone else's vault.
Write actions such as manage_secrets.create and update_value accept a plaintext value from the AI, encrypt it server-side with envelope encryption, and never round-trip it back: the response carries only an id and a version. Note that a value supplied this way has already passed through the AI client's conversation context before the tool call is made. See Security Model for the full plaintext contract.
Compatibility
The MCP server speaks protocol version 2025-11-25 and works with any client that implements MCP over stdio. Tested clients:
- Claude Code (Anthropic CLI)
- Codex CLI (OpenAI)
- Cursor
- Continue
The binary ships as a single statically-linked Go executable, no runtime dependencies. See Setup to install it and register it with your client.
How an AI agent differs from a machine
A SikkerKey vault has two identity classes that authenticate with Ed25519 signed requests:
- Machines consume secrets. They live in the machines table, are added to projects, granted access to specific secrets, and authenticate against the SDK / CLI surface to read plaintext at runtime.
- AI agents manage the vault. They live in a separate AI-agents table, hold a flat set of scopes (and an optional project allowlist), and authenticate against /v1/ai/... routes, which never return plaintext.
The two tables are physically distinct in the database. There is no path through the MCP surface to authenticate as a machine, and the machine-auth lookups don't see AI agents. Compromising an AI agent's identity gives the attacker the agent's management capabilities. It does not give them any path to read stored secret values.
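The identity split described above, modeled as an added example (not SikkerKey's own code): two Ed25519 identity tables, a verifier that consults exactly one of them per route, a machine route that returns plaintext, and an agent route that consumes a value and returns only id and version. The canonical signing string (method, path, unix timestamp, body), the hex key ID, the timestamp window, the scope name secrets:write and the concrete paths are assumptions made for the illustration; the page documents only that both classes authenticate with Ed25519 signed requests, that machines are granted specific secrets, and that /v1/ai/ routes never return plaintext.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Principal is one identity-table row: the public key plus what that identity may do
// (secret names for a machine, management scopes for an AI agent).
type Principal struct {
	Pub    ed25519.PublicKey
	Scopes map[string]bool
}

// Two tables, deliberately separate: a lookup against one never consults the other.
// Keys are hex public keys here; the real key-ID format is not documented on this page.
var (
	machines        = map[string]Principal{}
	aiAgents        = map[string]Principal{}
	plaintext       = map[string]string{} // envelope-encrypted at rest in the real service
	versions        = map[string]int{}
	ErrUnauthorized = errors.New("unauthorized")
	maxSkew         = int64(300) // seconds a request timestamp may differ from server time
)

// SignedRequest carries the assumed signing input: method, path, unix timestamp and
// body, signed as one canonical string with the principal's Ed25519 private key.
type SignedRequest struct {
	KeyID, Method, Path string
	TS                  int64
	Body, Sig           []byte
}

func (r SignedRequest) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%s", r.Method, r.Path, r.TS, r.Body))
}

// Enroll generates a keypair and registers its public half in exactly one table;
// the private half goes back to the caller and is never stored server-side.
func Enroll(table map[string]Principal, scopes map[string]bool) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	table[hex.EncodeToString(pub)] = Principal{Pub: pub, Scopes: scopes}
	return priv
}

// Sign is the client side: build the request and sign its canonical form.
func Sign(priv ed25519.PrivateKey, method, path string, body []byte, ts int64) SignedRequest {
	keyID := hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	r := SignedRequest{KeyID: keyID, Method: method, Path: path, TS: ts, Body: body}
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// verify resolves the key ID in one identity table only, rejects stale or future
// timestamps, then checks the signature. A key enrolled in the other table is simply
// unknown here; that is what keeping the tables apart buys.
func verify(table map[string]Principal, r SignedRequest, now int64) (Principal, error) {
	p, ok := table[r.KeyID]
	if !ok || now-r.TS > maxSkew || r.TS-now > maxSkew || !ed25519.Verify(p.Pub, r.canonical(), r.Sig) {
		return Principal{}, ErrUnauthorized
	}
	return p, nil
}

// MachineRead models the SDK/CLI surface: machine identity in, plaintext out, and only
// for a secret that machine was granted.
func MachineRead(r SignedRequest, now int64) (string, error) {
	p, err := verify(machines, r, now)
	name := strings.TrimPrefix(r.Path, "/v1/secrets/")
	if err != nil || !p.Scopes[name] {
		return "", ErrUnauthorized
	}
	return plaintext[name], nil
}

// AgentUpdate models a /v1/ai/ write: agent identity in, the new value consumed, and a
// response carrying only id and version. Nothing on this route returns a value.
func AgentUpdate(r SignedRequest, now int64) (map[string]any, error) {
	p, err := verify(aiAgents, r, now)
	if err != nil || !p.Scopes["secrets:write"] {
		return nil, ErrUnauthorized
	}
	name := strings.TrimPrefix(r.Path, "/v1/ai/secrets/")
	versions[name]++
	plaintext[name] = string(r.Body)
	return map[string]any{"id": name, "version": versions[name]}, nil
}

// Scenario enrolls one machine and one agent, has the agent write a secret, tries the
// agent's key on the machine surface, then reads back as the machine.
func Scenario(now int64) (resp map[string]any, plain string, crossErr error) {
	machineKey := Enroll(machines, map[string]bool{"DB_PASSWORD": true})
	agentKey := Enroll(aiAgents, map[string]bool{"secrets:write": true})
	resp, _ = AgentUpdate(Sign(agentKey, "PUT", "/v1/ai/secrets/DB_PASSWORD", []byte("hunter2"), now), now)
	_, crossErr = MachineRead(Sign(agentKey, "GET", "/v1/secrets/DB_PASSWORD", nil, now), now)
	plain, _ = MachineRead(Sign(machineKey, "GET", "/v1/secrets/DB_PASSWORD", nil, now), now)
	return resp, plain, crossErr
}

func main() {
	resp, plain, crossErr := Scenario(time.Now().Unix())
	fmt.Printf("agent write: %v\nagent key on machine surface: %v\nmachine read: %s\n", resp, crossErr, plain)
}
```

The cross-class case is the one worth keeping in mind when reasoning about a compromised agent key: on the machine route the agent's key ID fails the table lookup before any signature is checked, so a perfectly valid signature never reaches a plaintext read, and the agent route itself has no code path that serializes a stored value.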
Next steps
- Setup: install the binary, provision an AI agent, register with your AI client.
- Tools Reference: every tool, action, and scope.
- Security Model: authentication, authorization, plaintext contract, audit.