What is Keeper Mcp Node

Keeper-mcp-node is a Model Context Protocol (MCP) server that facilitates secure access to the Keeper Secrets Manager. It allows MCP-compatible clients to retrieve specific secrets stored in the Keeper vault.

Use cases

Use cases for keeper-mcp-node include integrating with AI assistants to retrieve secrets, enabling secure access for applications like Postman, and providing developers with a way to manage and access secrets programmatically.

How to use

To use keeper-mcp-node, first configure the Keeper Secrets Manager by creating an application and adding the necessary secrets. Then, set up the MCP server by providing the configuration file or a one-time token. Finally, run the server to start retrieving secrets.

Key features

Key features include secure access through the Keeper SDK, search capabilities for secrets by title or content, field access for retrieving specific data from secrets, easy setup with multiple authentication methods, and a zero-knowledge architecture ensuring secrets remain encrypted.

Where to use

Keeper-mcp-node can be used in various fields where secure secret management is essential, including software development, IT security, and any application requiring secure access to sensitive information.

Keeper MCP Server

A Model Context Protocol (MCP) server that provides secure access to Keeper Secrets Manager. This server allows MCP-compatible clients (like Claude Desktop, Postman, or other AI assistants) to retrieve specific assigned secrets from the Keeper vault.

Features

• 🔐 Secure Access: Connect to your Keeper vault using official Keeper Secrets Manager SDK
• 🔍 Search Capabilities: Search secrets by title or content
• 📝 Field Access: Retrieve specific fields from secrets (passwords, URLs, custom fields)
• 🚀 Easy Setup: Simple configuration with support for multiple authentication methods
• 🛡️ Zero Knowledge: Your secrets remain encrypted and secure

Prerequisites

• Node.js 18 or higher
• A Keeper Security account with Secrets Manager enabled
• An application configured in Keeper Secrets Manager

Installation

From npm (coming soon)

npm install -g @keeper/mcp-server

From source

git clone https://github.com/Keeper-Security/keeper-mcp-node.git
cd keeper-mcp-node
npm install
npm run build

Setup

Step 1: Configure Keeper Secrets Manager

1. Log into your Keeper Vault
2. Navigate to Secrets Manager → Applications
3. Create a new application or select an existing one
4. Add the secrets/folders you want to access
5. Go to the Devices tab and create a new device
6. Download the configuration file

Step 2: Configure the MCP Server

You have two options for providing your Keeper configuration:

Option A: Configuration File (Recommended)

Place your downloaded configuration file in one of these locations:

• ~/.keeper/ksm-config.json (recommended)
• ./ksm-config.json (in the current directory)

Option B: One-Time Token

If you have a one-time token instead:

export KSM_TOKEN="US:YOUR_ONE_TIME_TOKEN_HERE"

The server will use this token to generate and save a configuration file automatically.

Step 3: Test the Server

Run the server directly to test:

npm start

You should see: Keeper MCP server is running

Usage with MCP Clients

Claude Desktop

Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "keeper": {
      "command": "node",
      "args": [
        "/path/to/keeper-mcp-node/dist/index.js"
      ]
    }
  }
}

Postman

1. In Postman, go to the API Network tab
2. Create or select an MCP request
3. Configure the stdio connection:
   • Command: node
   • Arguments: /path/to/keeper-mcp-node/dist/index.js

Other MCP Clients

The server communicates via stdio, so you can integrate it with any MCP-compatible client by running:

node /path/to/keeper-mcp-node/dist/index.js

Available Tools

Secret Operations

ksm_list_secrets

List all secrets accessible to your application (metadata only).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_list_secrets",
    "arguments": {}
  }
}

Response:

[
  {
    "uid": "XXXXXXXXXXXXXXXXXXXXXX",
    "title": "My Secret",
    "type": "login"
  }
]

ksm_get_secret

Retrieve a complete secret by UID or title (sensitive fields masked by default).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_secret",
    "arguments": {
      "identifier": "My Secret",
      "unmask": false
    }
  }
}

ksm_search_secrets

Search for secrets by title, notes, or other field content.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_search_secrets",
    "arguments": {
      "query": "database"
    }
  }
}

ksm_create_secret

Create a new secret in Keeper Secrets Manager (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_create_secret",
    "arguments": {
      "title": "New Database Credentials",
      "type": "login",
      "fields": {
        "login": "admin",
        "password": "secure_password",
        "url": "https://db.example.com"
      },
      "notes": "Production database",
      "folderId": "FOLDER_UID"
    }
  }
}

ksm_update_secret

Update an existing secret (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_update_secret",
    "arguments": {
      "identifier": "My Secret",
      "updates": {
        "title": "Updated Title",
        "fields": {
          "password": "new_password"
        }
      }
    }
  }
}

ksm_delete_secret

Delete a secret from Keeper Secrets Manager (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_delete_secret",
    "arguments": {
      "identifier": "My Secret"
    }
  }
}

ksm_get_field

Get a specific field value from a secret.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_field",
    "arguments": {
      "identifier": "My Secret",
      "field": "password"
    }
  }
}

Common field names:

• password - The password field
• login - Username/email
• url - Website URL
• Custom field labels

Folder Operations

ksm_list_folders

List all accessible folders in Keeper Secrets Manager.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_list_folders",
    "arguments": {}
  }
}

ksm_create_folder

Create a new folder (requires confirmation; must specify a parent shared folder).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_create_folder",
    "arguments": {
      "name": "Development Secrets",
      "parentFolderId": "PARENT_FOLDER_UID"
    }
  }
}

ksm_delete_folder

Delete a folder (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_delete_folder",
    "arguments": {
      "folderId": "FOLDER_UID",
      "force": false
    }
  }
}

File Management

ksm_upload_file

Upload a file attachment to a secret (requires confirmation).

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_upload_file",
    "arguments": {
      "identifier": "My Secret",
      "filePath": "/path/to/certificate.pem",
      "fileName": "server-cert.pem"
    }
  }
}

ksm_download_file

Download a file attachment from a secret.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_download_file",
    "arguments": {
      "identifier": "My Secret",
      "fileId": "certificate.pem",
      "outputPath": "/tmp/downloaded-cert.pem"
    }
  }
}

Utilities

ksm_generate_password

Generate a secure password. Can optionally save directly to a new secret without exposing it to the AI.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_generate_password",
    "arguments": {
      "length": 24,
      "includeUppercase": true,
      "includeLowercase": true,
      "includeNumbers": true,
      "includeSpecial": true,
      "saveToSecret": {
        "title": "Generated API Key",
        "login": "api-user",
        "url": "https://api.example.com",
        "notes": "Auto-generated API key"
      }
    }
  }
}

ksm_get_totp_code

Get the current TOTP code for a secret that has TOTP configured.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_totp_code",
    "arguments": {
      "identifier": "My 2FA Secret"
    }
  }
}

ksm_get_server_version

Get the current version of the KSM MCP server.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_get_server_version",
    "arguments": {}
  }
}

ksm_health_check

Check the operational status of the MCP server and its connection to KSM.

Request:

{
  "method": "tools/call",
  "params": {
    "name": "ksm_health_check",
    "arguments": {}
  }
}

Troubleshooting

“No Keeper Secrets Manager configuration found”

• Ensure your configuration file is in one of the supported locations
• Check that the file has proper JSON formatting
• Verify file permissions (should be readable by your user)

“Failed to initialize KSM”

• Verify your configuration file contains all required fields
• Check that your application has access to the shared folders/secrets
• Ensure your device hasn’t been revoked in Keeper

Connection Issues

• Verify you have internet connectivity
• Check if your organization has IP restrictions enabled
• Ensure your Keeper subscription includes Secrets Manager

Development

Building from source

npm install
npm run build

Running in development mode

npm run dev

Running tests

npm test

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

1. Fork the repository
2. Create your feature branch (git checkout -b feature/AmazingFeature)
3. Commit your changes (git commit -m 'Add some AmazingFeature')
4. Push to the branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

Acknowledgments

• Built on the Model Context Protocol
• Powered by Keeper Security

Support

• For issues with the MCP server: GitHub Issues
• For Keeper-specific questions: Keeper Support
• For MCP protocol questions: MCP Documentation