MCP Tools Reference
Every tool exposed by the SikkerKey MCP server, the actions each one supports, and the scopes they require.
The MCP server exposes 16 tools. Each tool is grouped by domain (secrets, machines, projects, etc.) and dispatches on an action parameter so the AI client picks the operation by name. This page is the authoritative reference for what's available.
For the call-time contract (auth, plaintext, audit) see the Security Model. For setup and registration see Setup.
Action dispatch
Every tool takes an action argument plus action-specific arguments. The tool's JSON schema uses a discriminated oneOf so each action declares its own required fields. AI clients see this and surface only the relevant fields per action.
Example call shape:
{
"name": "manage_secrets",
"arguments": {
"action": "list",
"projectId": "proj_abc123"
}
}
The action is always required. Per-action requirements are listed in the tables below.
manage_secrets
Manage secrets within a project. The agent never sees plaintext secret values: rotate / create / update_value take inputs but don't echo them back, and reads return only metadata.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | projectId | projects.secrets.read | List secrets in a project. Returns id, name, type, fieldNames, note, version, timestamps. |
get | projectId, secretId | projects.secrets.read | Single-secret metadata. Same shape as one list row. |
create | projectId, name, value | projects.secrets.write | Create a new secret. Value is encrypted server-side. Optional fieldNames makes it structured. |
update_value | projectId, secretId, value | projects.secrets.write | Replace plaintext. Bumps version. Refused on secrets with active rotation or canaries. |
rename | projectId, secretId, name | projects.secrets.write | Change display name. Per-machine grants are by id and unaffected. |
update_note | projectId, secretId | projects.secrets.write | Set / clear the secret's description. |
rotate | projectId, secretId | projects.secrets.write | Server-generates a new value. Optional length / charset / fields. |
rollback | projectId, secretId, version | projects.secrets.write | Restore an earlier version's encrypted value as the current one. |
delete | projectId, secretId | projects.secrets.write | Soft-delete (recoverable from trash for 30 days). |
versions | projectId, secretId | projects.secrets.read | Version numbers and timestamps. No values. |
dynamic_list | (none) | projects.secrets.read | List every secret with a server-side rotation schedule across allowed projects. |
dynamic_get | secretId | projects.secrets.read | Schedule config + last/next rotation. |
dynamic_create | intervalSeconds plus either (projectId, name) or existingSecretId | projects.secrets.write | Create a new secret with rotation, or attach a schedule to an existing secret. Initial value is server-generated. |
dynamic_update | secretId | projects.secrets.write | Change interval / length / charset / fields / enabled state. |
dynamic_delete | secretId | projects.secrets.write | Remove the rotation schedule. The secret itself is not deleted. |
manage_temporary_secrets
One-shot self-destructing share links. Server-encrypts the value, hashes the passphrase with Argon2id, destroys on first reveal (right or wrong) or expiry.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | projectId | projects.secrets.read | Status (pending / viewed / destroyed / expired), expiry, creation time. No values, tokens, or passphrases. |
create | projectId, name, expiresInSeconds (60 to 86400) | projects.secrets.write | Returns { id, token, passphrase, expiresAt, url }. Either supply value or set generateRandom=true with length / charset. |
manage_projects
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | projects.read | List every project the agent can act on. |
get_permissions | projectId | projects.read | Dashboard-style permissions summary for one project. |
create | name | projects.write | Create a new project. If the agent has a non-empty allowlist, the new project is auto-added. |
update | projectId | projects.write | Update name / description. |
delete | projectId, confirmName | projects.write | Delete a project. Cascades through secrets, machines, policies. The confirmName must match the project's current name. |
manage_policies
Access policies are layered constraints (time window, IP allowlist, rate cap, co-sign, TTL, rotate-after-N) that apply on top of the base six-requirement gate.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | projectId | projects.policies.read | List every policy in a project. |
get | projectId, policyId | projects.policies.read | Policy detail with bound-secrets list. |
create | projectId, name | projects.policies.write | Create a new policy. Every enabled axis must be fully specified. |
update | projectId, policyId | projects.policies.write | Update a policy. Bound secrets see new constraints on their next fetch. |
delete | projectId, policyId | projects.policies.write | Refused if any secrets are still bound. |
binding_get | secretId | projects.policies.read | Current policy bound to a secret (or unbound). |
binding_bind | secretId, policyId | projects.policies.write | Bind a secret to a policy. Replaces any existing binding. |
binding_unbind | secretId | projects.policies.write | Detach. Reverts to base gate only. |
manage_canaries
Defensive trip-wires. A canary is a secret whose unauthorized read freezes the project (and optionally related projects) so the attacker still gets a response but cannot take any further action.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | projectId | projects.policies.read | Every canary in a project: arming state, trigger config, last trip, fire count. |
get | canaryId | projects.policies.read | One canary's trigger configuration and trip history. |
create | projectId, name | projects.policies.write | Plant a new canary. Server-generates a 64-char value. Optional triggerFreeze toggles. |
config | canaryId | projects.policies.write | Update trigger toggles. Use enable / disable for arming. |
enable / disable | canaryId | projects.policies.write | Arm / disarm without deleting. |
unfreeze_project | projectId | projects.policies.write | Clear a canary-triggered freeze. Does not disarm; another read against the same trip-wire fires it again. |
manage_machines
Machines are secret consumers (SDK / CLI). This tool manages the machine identities; per-project attachment and grants live in manage_project_machines.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | machines.read | Every machine in the vault. |
get | machineId | machines.read | Detail: list-row fields plus ephemeral lifecycle, project memberships, total secret-grant count. |
name_history | machineId | machines.read | Rename history. |
approve | machineId | machines.write | Approve a pending machine. |
deny | machineId | machines.write | Deny and remove a pending machine. |
rename | machineId, name | machines.write | Change name. Recorded in name history. |
revoke | machineId | machines.write | Revoke an approved machine. Drops grants and project memberships. |
manage_ai_agents
Lifecycle of AI agents on the vault. Scope-set and project-allowlist mutation are deliberately not exposed (privilege escalation), and remain dashboard-only.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | aiagents.read | Every AI agent. Includes scope and allowlist counts. |
get | agentId | aiagents.read | Detail with full scope set and project allowlist. |
name_history | agentId | aiagents.read | Rename history. |
approve | agentId | aiagents.write | Approve a pending agent. |
deny | agentId | aiagents.write | Deny and remove. Refused on self. |
disable | agentId | aiagents.write | Block requests. Scopes preserved. Refused on self. |
enable | agentId | aiagents.write | Re-enable a disabled agent. |
rename | agentId, name | aiagents.write | Change name. Recorded in name history. |
revoke | agentId | aiagents.write | Hard-delete with cascade. Refused on self. |
manage_project_machines
Per-project machine membership and per-secret grants.
| Action | Required | Scope | What it does |
|---|---|---|---|
query | projectId | projects.machines.read | Paginated list of machines in a project, with per-machine grant count. Supports search and sort. |
attach | projectId, machineId | projects.machines.write | Attach a machine to a project. Machine must be owned by the same vault. |
detach | projectId, machineId | projects.machines.write | Remove a machine from a project. Cascades through grants. |
grants_get | projectId, machineId | projects.machines.read | Current per-secret grants for a machine in this project. |
grants_set | projectId, machineId, secretIds | projects.machines.write | Replace per-secret grants. Pass the complete desired set. |
manage_enrollment
Bootstrap tokens for ephemeral machines (CI/CD runners, auto-scaling workers).
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | enrollment.read | All issued tokens with usage and expiry. |
get | tokenId | enrollment.read | One token's detail. |
create | name, projectIds, secretIds, tokenLifetimeSeconds, machineLifetimeSeconds, maxUses | enrollment.write | Issue a token. Optional sourceCidr, hostnamePattern, namePattern constrain who can redeem it. Returns the token plaintext once. |
revoke | tokenId | enrollment.write | Revoke. Already-redeemed machines keep working until their machineLifetimeSeconds expires. |
manage_team
Team members on the vault. Does not expose external-vault membership (membership in someone else's vault).
| Action | Required | Scope | What it does |
|---|---|---|---|
list_members | (none) | team.read | Every team member with their per-project permission summary. |
member_permissions | memberId | team.read | Detailed per-project permission breakdown for one member. |
invites_sent | (none) | team.read | Pending invitations sent from this vault. |
invite | email | team.write | Invite a user by email. |
remove | memberId | team.write | Remove a member. Cascades through their machines' project memberships and grants. |
permissions_set | memberId, projectId | team.write | Replace a member's permissions for one project. Pass the complete desired set; project_access is auto-added. |
invite_revoke | inviteId | team.write | Cancel a pending invite. |
manage_alerts
Which audit actions trigger alert dispatch (email + webhook).
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | alerts.read | Currently enabled alert actions. |
actions | (none) | alerts.read | Every action available to subscribe to, with severity. |
set | enabledActions | alerts.write | Replace the set wholesale. Empty array disables all. |
manage_webhooks
Outbound delivery channels for alerts. Each webhook subscribes to a subset of audit actions; SikkerKey signs and POSTs the payload via HMAC-SHA256.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | alerts.read | All webhooks with delivery health. Does not return signing secrets. |
get | webhookId | alerts.read | One webhook's detail. Same fields as list. |
create | url, actions | alerts.write | Returns the signing secret in plaintext once. URL must be HTTPS and pass SSRF guard. |
update | webhookId | alerts.write | Change url / actions / enabled. Re-enabling resets health. |
delete | webhookId | alerts.write | Permanently delete. |
test | webhookId | alerts.write | Send a test payload to verify delivery and signature handling. |
manage_ipallowlist
Machine-auth IP allowlist (gates the runtime SDK / CLI surface, not dashboard sessions).
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | ipallowlist.read | All entries plus the global enabled flag. |
add | cidr | ipallowlist.write | Add a CIDR with optional label. |
update | entryId, label | ipallowlist.write | Update label. |
delete | entryId | ipallowlist.write | Remove one entry. |
bulk_delete | ids | ipallowlist.write | Remove many at once. |
enable / disable | (none) | ipallowlist.write | Toggle global enforcement. |
manage_trash
Soft-deleted secrets sit in trash for 30 days before automatic hard-delete.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | trash.read | Every soft-deleted secret. |
restore | secretId | trash.write | Restore to its previous project. Subject to plan limits. |
purge | secretId | trash.write | Hard-delete now. Irreversible; version history goes too. |
read_audit
Audit log, activity feed, and usage stats.
| Action | Required | Scope | What it does |
|---|---|---|---|
list | (none) | audit.read | Recent entries, no filters. Honors page / pageSize (default 50, max 200). |
query | (none) | audit.read | Filtered query: actions, severities, sourceIp, search, from, to, sortBy, sortDir, page, pageSize. |
actions | (none) | audit.read | Every audit action with its severity. |
activity | (none) | audit.read | Last 20 events, lightweight feed. |
export | (none) | audit.read | CSV export. Same filter shape as query. Capped at 10,000 rows. |
stats | (none) | audit.read | Vault-level counters (machines, projects, secrets, reads). |
reads_over_time | (none) | audit.read | Time-bucketed secret-read counts. |
usage | (none) | audit.read | Subscription / plan-limit snapshot. |
support
Support tickets. Read access is implicit with write — there's no flow where an agent can create tickets but not see the ticket it just opened.
| Action | Required | Scope | What it does |
|---|---|---|---|
categories | (none) | support.write | Ticket categories visible on the vault owner's plan. |
list | (none) | support.write | All tickets. |
get | ticketId | support.write | Ticket detail with messages and attachments. |
create | categoryId, priority, title, body | support.write | Open a ticket. |
reply | ticketId, body | support.write | Add a message to a ticket. |
rate | ticketId, rating | support.write | Rate a resolved ticket. |
attachment | attachmentId | support.write | Download an attachment by id. |