Is Obsidian Mcp Secure free?

Yes, Obsidian Mcp Secure is free to use.

How do I install Obsidian Mcp Secure?

Obsidian Mcp Secure is a local plugin. Install it using npm package: obsidian-mcp-secure and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Obsidian Mcp Secure need?

Obsidian Mcp Secure requires the following credentials or environment variables: OBSIDIAN_API_KEY, OBSIDIAN_HOST, OBSIDIAN_PORT, LOG_DIR. You can find setup instructions on the server detail page.

What AI apps work with Obsidian Mcp Secure?

Obsidian Mcp Secure uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Obsidian Mcp Secure MCP Server

by Dewtech Technologies

ProductivityModerate7.0MCP RegistryLocal

Free

Server data from the Official MCP Registry

Secure MCP server for Obsidian with OWASP Top 10 controls and full audit logging.

About

Secure MCP server for Obsidian with OWASP Top 10 controls and full audit logging.

Security Report

7.0

Moderate7.0Low Risk

Valid MCP server (2 strong, 4 medium validity signals). 3 known CVEs in dependencies (0 critical, 3 high severity) Package registry verified. Imported from the Official MCP Registry.

3 files analyzed · 4 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

API Key generated by Obsidian's Local REST API plugin (Settings -> Local REST API -> API Key)Required

Environment variable: OBSIDIAN_API_KEY

Host of the Local REST API (default: http://127.0.0.1)Optional

Environment variable: OBSIDIAN_HOST

Port of the Local REST API (default: 27123)Optional

Environment variable: OBSIDIAN_PORT

Directory for audit logs (default: ./logs)Optional

Environment variable: LOG_DIR

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-dewtech-technologies-obsidian-mcp-secure": {
      "env": {
        "LOG_DIR": "your-log-dir-here",
        "OBSIDIAN_HOST": "your-obsidian-host-here",
        "OBSIDIAN_PORT": "your-obsidian-port-here",
        "OBSIDIAN_API_KEY": "your-obsidian-api-key-here"
      },
      "args": [
        "-y",
        "obsidian-mcp-secure"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

obsidian-mcp-secure

Secure Model Context Protocol server that turns your Obsidian vault into a reliable data source for any MCP-compatible AI client — built from scratch with OWASP Top 10 controls and full audit logging.

Listed on the official Anthropic MCP Registry as io.github.dewtech-technologies/obsidian-mcp-secure.

🧭 Positioning — this is NOT a plugin for Obsidian

It's the opposite: it's a bridge that lets Claude Desktop (or any MCP client) read and write inside Obsidian safely. Your AI assistant stays where it lives; your vault becomes a structured, auditable datasource it can reach.

┌─────────────────┐   MCP    ┌──────────────────────┐   HTTP   ┌────────────────────┐   FS   ┌─────────────┐
│                 │  stdio   │                      │  :27123  │                    │        │             │
│ Claude Desktop  │ ───────▶ │ obsidian-mcp-secure  │ ───────▶ │  Local REST API    │ ─────▶ │  Vault .md  │
│  (AI client)    │          │  (this package)      │          │ (Obsidian plugin)  │        │             │
└─────────────────┘          └──────────────────────┘          └────────────────────┘        └─────────────┘

Role in the pipeline	Component
Where you talk	Claude Desktop (or any MCP client)
Bridge / access control	`obsidian-mcp-secure` (this package)
Data gateway inside Obsidian	Local REST API plugin (by Adam Coddington)
Your knowledge	`.md` files in your vault

One-liner: Claude is the brain, this MCP is the arm, Obsidian is the memory.

Why another Obsidian + AI integration?

There are plugins that put Claude inside Obsidian. This is the inverse, and it exists because:

Your assistant is Claude Desktop — that's where the general-purpose conversations happen. Your notes become one of many contexts Claude can reach, alongside web, GitHub, filesystems, etc.
Security is a first-class concern — deliberate attack surface, no shell access, path traversal blocked, inputs validated with Zod, every call audited.
Zero build, zero account — npx obsidian-mcp-secure and done. Works on Windows, macOS, Linux the same way.
Composability — combine this MCP with fetch, filesystem, git, GitHub, etc., and Claude can cross-reference your vault with external sources in a single conversation.

🛠️ Available Tools

Tool	Purpose
`read_note`	Read a note by path
`list_notes`	List files/folders in the vault or a subdirectory
`create_note`	Create a new `.md` note
`edit_note`	Overwrite an existing note (previous content goes to the audit log)
`delete_note`	Delete a note — requires `confirm: true` (Zod rejects otherwise)
`search_notes`	Full-text / tag search using Obsidian's own search engine

🔒 Security — OWASP Top 10

Control	Implementation
A01 — Broken Access Control	Path traversal blocked (`../`, `..\\`, encoded variants); `.md` extension enforced
A02 — Cryptographic Failures	API key read from `.env` or process env; never hardcoded, never logged
A03 — Injection	All inputs validated with Zod schemas; no `eval`, no `exec`, no shell
A04 — Insecure Design	512 KB max note size; 50-result cap on search; destructive ops require explicit `confirm: true`
A05 — Security Misconfiguration	Only `127.0.0.1` / `localhost` accepted as host
A09 — Logging & Monitoring	Full audit log via winston with size-based rotation (5 MB / 10 files)

Every tool call emits an audit line with action, params (sanitized), success, error, and timestamp.

⚡ Installation

Prerequisites

Obsidian Desktop with a vault open
The Local REST API plugin (by Adam Coddington) — install from Community Plugins, enable it, and:
- Turn on "Enable Non-encrypted (HTTP) Server" (simpler than HTTPS self-signed certs)
- Copy the API Key shown in the plugin settings
Node.js 18+
Claude Desktop (or another MCP-compatible client)

Configure Claude Desktop

Open %APPDATA%\Claude\claude_desktop_config.json on Windows (or ~/Library/Application Support/Claude/claude_desktop_config.json on macOS) and add:

{
  "mcpServers": {
    "obsidian-secure": {
      "command": "npx",
      "args": ["-y", "obsidian-mcp-secure"],
      "env": {
        "OBSIDIAN_API_KEY": "your-api-key-from-the-plugin",
        "OBSIDIAN_HOST": "http://127.0.0.1",
        "OBSIDIAN_PORT": "27123",
        "LOG_DIR": "C:/path/to/your/logs"
      }
    }
  }
}

Windows tip: if npx fails silently, switch "command": "npx" to "command": "npx.cmd". Some Claude Desktop builds don't resolve bare npx on PATH.

Restart Claude Desktop (tray → Quit, then reopen) and the 6 tools will show up under obsidian-secure.

🤝 Recommended companions

The real power of MCPs is composability. To reproduce the "read my note → fetch a URL → tell me if I'm applying it correctly" workflow, add the official fetch MCP alongside this one:

{
  "mcpServers": {
    "obsidian-secure": { "...": "as above" },
    "fetch": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-fetch"]
    }
  }
}

Now Claude has both your vault and the live web in a single conversation.

💬 Example prompts

With obsidian-secure + fetch enabled:

"Read my note Projeto API Atendimento.md, then fetch https://developers.facebook.com/docs/whatsapp and tell me if my implementation matches the latest best practices."

"Search my vault for the tag #ideia and summarize the three ideas that appear most often. Then create a new note called Ideias recorrentes.md with the summary."

"Read Atomic Habits - Resumo.md, fetch https://jamesclear.com/atomic-habits, and point out where my notes drifted from the original."

Claude will orchestrate the tool calls automatically — no manual chaining.

🧩 Comparison with in-Obsidian plugins

If your workflow lives inside Obsidian's sidebar, plugins like obsidian-claude-code are the right fit. This MCP targets a different shape:

Dimension	`obsidian-claude-code` (in-Obsidian)	`obsidian-mcp-secure` (this)
Where the AI lives	Sidebar inside Obsidian	Claude Desktop (or any MCP client)
Setup	`git clone` + `bun build`	`npx obsidian-mcp-secure`
Tools	Read/Write/Edit + Bash + Grep + Glob + WebFetch	6 purpose-built, Zod-validated tools
Security posture	Full shell access to dev machine	Tight allowlist, audited, OWASP Top 10
Distribution	Manual clone, requires Bun	npm + official MCP Registry
Composability with other sources	Inside its own sandbox	Any MCP-compatible client can mix it with fetch, GitHub, filesystem, etc.
Best for	Dev who lives in Obsidian	Professional whose main surface is Claude Desktop

Both are valid — they occupy different niches.

🔧 Environment variables

Variable	Required	Default	Description
`OBSIDIAN_API_KEY`	✅	—	API key from the Local REST API plugin
`OBSIDIAN_HOST`		`http://127.0.0.1`	Host (only `127.0.0.1` and `localhost` are accepted)
`OBSIDIAN_PORT`		`27123`	Port of the plugin's HTTP server
`LOG_DIR`		`./logs`	Directory for the audit log files

🗺️ Roadmap

find_note_by_name — fuzzy match when the user says "my note about API" without knowing the exact path
create_backlinks — connect related notes automatically (explicit, auditable)
list_tags — enumerate all tags in the vault
DXT package for one-click install in Claude Desktop
Smithery listing
Read-only mode flag for shared / multi-user setups

Ideas and PRs welcome — see CONTRIBUTING.md.

📜 License

MIT — see LICENSE.

🙏 Credits

Model Context Protocol by Anthropic
Local REST API plugin by Adam Coddington — the foundation that makes this possible
Built at Dewtech by Wanderson Leandro

Security issues? See SECURITY.md for disclosure instructions.

Reviews

No reviews yet

Be the first to review this server!

More Productivity MCP Servers

Memory

Free

by Modelcontextprotocol · Productivity

Knowledge graph-based persistent memory across sessions

Time

Free

by Modelcontextprotocol · Productivity

Time and timezone conversion capabilities for your AI assistant

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Obsidian Mcp Secure MCP Server

About

Security Report

Findings (4)Action required

Permissions Required

What You'll Need

How to Install

Documentation

obsidian-mcp-secure

🧭 Positioning — this is NOT a plugin for Obsidian

Why another Obsidian + AI integration?

🛠️ Available Tools

🔒 Security — OWASP Top 10

⚡ Installation

Prerequisites

Configure Claude Desktop

🤝 Recommended companions

💬 Example prompts

🧩 Comparison with in-Obsidian plugins

🔧 Environment variables

🗺️ Roadmap

📜 License

🙏 Credits

Reviews

No reviews yet

More Productivity MCP Servers

Memory

Time

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript