Back to Browse
Free
Server data from the Official MCP Registry
Centralized secrets manager MCP server. Generate .env files, rotate keys, sync to GitHub Actions.
About
Centralized secrets manager MCP server. Generate .env files, rotate keys, sync to GitHub Actions.
Security Report
9.5
Low Risk9.5Low RiskValid MCP server (5 strong, 10 medium validity signals). 1 known CVE in dependencies Imported from the Official MCP Registry.
12 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
Git URL of your private secrets vault. Required on first run.Required
Environment variable: SECENV_REPO_URL
Documentation
View on GitHubFrom the project's GitHub README.
secenv-mcp
MCP (Model Context Protocol) server for centralized secrets management.
Expose secrets.json to Cursor, Claude Desktop, Windsurf, Cline, GitHub
Copilot, Codex, and any MCP-compatible editor. Your AI agent can generate
.env files on demand, rotate shared keys across projects, and sync secrets
to GitHub Actions — without ever exposing plaintext to the model.
Built on top of secenv-cli.
Available on
| Registry | Status | URL |
|---|---|---|
| npm | v1.0.0 | npmjs.com/package/secenv-mcp |
| Smithery | live | smithery.ai/servers/chirag127/secenv-mcp |
| Official MCP Registry | v1.1.3 | io.github.chirag127/secenv-mcp |
| MCP.Directory | submitted | mcp.directory/servers/secenv-mcp |
| Glama | pending OAuth | glama.ai/mcp/servers |
| PulseMCP | auto-crawl | pulsemcp.com/servers |
| MCPB bundle | v1.1.0 | secenv-mcp.mcpb in GitHub Releases |
| GitHub | source | github.com/chirag127/secenv-mcp |
The server.json in .well-known/mcp/ is the source of truth for the official
MCP registry. PulseMCP and MCP.Directory auto-crawl from it; Glama requires a
one-time GitHub OAuth login.
Why?
| Tool | Limit / cost |
|---|---|
| Doppler free | 10 projects — too few for 100+ repos |
| Infisical Cloud free | 3 projects |
| 1Password | $36/year minimum |
| dotenvx / SOPS / git-crypt | per-repo, no shared references |
| GitHub Secrets | no local .env generation for AI agents |
SecEnv: $0, unlimited projects, shared references, one-line rotation, local AI agent integration, no SaaS dependency.
Install
npm install -g secenv-mcp
Or use npx (no install):
npx -y secenv-mcp
Prerequisites
- Private Git repo with
secrets.json(see secenv-cli) - Run
npx secenv-cli --init <repo-url>once to clone the vault locally - GitHub CLI (
gh) — only required for thesync_githubtool
Use with Cursor / Claude Desktop / Windsurf / Cline
Add to your MCP client config:
{
"mcpServers": {
"secenv": {
"command": "npx",
"args": ["-y", "secenv-mcp"]
}
}
}
Config file locations:
- Cursor:
~/.cursor/mcp.json(or Settings → MCP → Add new global MCP server) - Claude Desktop (macOS):
~/Library/Application Support/Claude/claude_desktop_config.json - Claude Desktop (Windows):
%APPDATA%\Claude\claude_desktop_config.json - Windsurf:
~/.codeium/windsurf/mcp_config.json - Cline (VS Code): VS Code
settings.jsonunder"cline.mcpServers" - Continue.dev:
~/.continue/config.jsonunder"experimental.mcpServers"
Per-project config (recommended)
You can scope secenv to a single project by adding the same JSON to
<project>/.cursor/mcp.json or <project>/.vscode/mcp.json. This keeps
~/.secenv/secrets/ isolated to one repo at a time.
Use with Claude Code
Claude Code has built-in MCP support via the claude CLI:
claude mcp add secenv -- npx -y secenv-mcp
Verify with claude mcp list. The server will be available in all
claude sessions.
Use with Smithery
The official installer for MCP servers. One-line install:
npx -y @smithery/cli install secenv-mcp --client claude
# or
npx -y @smithery/cli install secenv-mcp --client cursor
When prompted, paste your private secrets repo URL.
Use with GitHub Copilot CLI / VS Code
GitHub Copilot supports MCP via the official
@github/copilot-cli wrapper and
VS Code's MCP extension.
# .github/copilot/mcp.json or VS Code user settings
{
"mcpServers": {
"secenv": {
"command": "npx",
"args": ["-y", "secenv-mcp"]
}
}
}
For VS Code, install the Copilot MCP extension
and add the same config under mcp.servers in your user settings.json.
Use with OpenAI Codex / ChatGPT
OpenAI's Codex CLI supports MCP since v0.46+:
# ~/.codex/config.toml
[mcp_servers.secenv]
command = "npx"
args = ["-y", "secenv-mcp"]
For ChatGPT (Developer Mode → Apps SDK), see the official Apps SDK docs for connecting remote MCP servers — point it at the HTTP endpoint described below.
Tools
| Tool | Description |
|---|---|
generate_env | Generate .env from .env.example + central secrets |
list_projects | List all projects in secrets.json |
list_shared | List shared secret key names (values redacted) |
add_secret | Add or update a project secret |
rotate_secret | Rotate a shared secret, reports affected projects |
sync_github | Sync secrets to GitHub Actions via gh CLI |
clean_stale_projects | Remove projects whose local directory no longer exists |
delete_project | Remove a project entry from secrets.json |
remove_secret | Remove a single secret key (project or shared) |
The list_shared tool never returns plaintext — only masked values
(e.g., sk-p••••mnop) so the AI cannot exfiltrate your secrets.
Transports
| Mode | Command | Use case |
|---|---|---|
| stdio (default) | npx secenv-mcp | Local AI clients (Cursor, Claude Desktop, Windsurf, Cline, Codex) |
| Streamable HTTP | npx secenv-mcp --http | Remote / hosted / Vercel / Cloudflare / Render |
The MCP server is designed for local stdio as the primary mode. The
secrets vault is read from ~/.secenv/secrets/ which only exists on your
machine.
Remote hosting (free tier)
If you want to expose the server over HTTP (e.g., for a remote LLM or team access), the bundled server supports any Node.js host.
Vercel (Hobby, 1M invocations/month)
npm run build
vercel link
vercel env add SECENV_REPO_URL production
# paste your private repo URL
vercel --prod
Endpoint: https://<your-deployment>.vercel.app/mcp
Health: https://<your-deployment>.vercel.app/health
Cloudflare Workers (100K requests/day)
wrangler secret put SECENV_REPO_URL
# paste your private repo URL
wrangler deploy
Render (750 free hours/month)
Click "New Web Service" on Render, import this repo. The included
render.yaml configures everything automatically.
Build a Smithery MCPB bundle
npm run build # produces dist/index.js (768KB single file)
npm run pack # produces dist/secenv-mcp.mcpb
npx -y @anthropic-ai/mcpb validate dist/secenv-mcp.mcpb
Security
- Secret values are never returned by
list_shared— only key names with masked values - All git operations use your local SSH keys
gh secret setuses stdin — values never appear in process args or shell history- The MCP server runs locally — your secrets never leave your machine
- For remote deployments, set
MCP_API_KEYto require Bearer auth
Requirements
- Node.js >= 18
- Git
secenv-cli(installed automatically as a dependency)- GitHub CLI (
gh) — only for thesync_githubtool
Development
npm install
npm test # run unit tests
npm run test:tools # MCP tool tests only
npm run build # bundle to dist/index.js
npm run pack # bundle + zip to .mcpb
License
MIT
Reviews
No reviews yet
Be the first to review this server!
More Developer Tools MCP Servers
Git
Freeby Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
80.0K
Stars
4
Installs
6.5
Security
No ratings yet
Local
Fetch
Freeby Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
80.0K
Stars
4
Installs
5.3
Security
No ratings yet
Local
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
137
Stars
493
Installs
8.0
Security
4.8
Local