Server data from the Official MCP Registry
Local, encrypted MCP vault for passports, IDs, visas and photos. You control access.
Valid MCP server (8 strong, 2 medium validity signals). 3 known CVEs in dependencies (0 critical, 3 high severity). Package registry verified. Imported from the Official MCP Registry.
11 files analyzed · 4 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Add this to your MCP configuration file:
```json
{
  "mcpServers": {
    "io-github-spacetime-technology-safehold": {
      "args": [
        "-y",
        "safehold"
      ],
      "command": "npx"
    }
  }
}
```

From the project's GitHub README.
Your identity documents, on your machine, shared only when you say so.
Safehold is a local MCP server that stores passports, visas, driving licences, and other identity documents. When an AI agent needs your passport number to book a flight, it asks Safehold. You see what's being requested and why, then approve or deny. Nothing leaves your device.
Your identity data is scattered across dozens of services you don't control: banks, airlines, government portals, SaaS products. Each one holds a copy and decides for itself how to store it, whether to sell it, and how long it'll stick around. AI agents make this worse. Anything an agent can access, every API it touches can reach too.
Safehold is the alternative. The agent gets a field value. You get a consent prompt instead of a privacy policy. Your files stay where they are.
Open source, so none of this requires trust.
A few things that get confused with Safehold but solve a different problem.
You can stuff a passport into 1Password. The op CLI can read specific fields. There's even an official 1Password MCP server now. So yes, parts of this overlap.
What's different is the trust model. Once your 1Password vault is unlocked, anything with that session can read anything in it. No per-field consent, no "why are you asking for this?" prompt. The vault is built for humans typing passwords, not for agents pulling structured fields with a stated reason.
Safehold gates each field individually, every time, with a purpose attached.
Works fine if your agent is a browser filling a form. Doesn't help when it isn't. Agents working over APIs, CLI tools, or other MCP servers never see the autofill layer, so you end up copy-pasting from a passwords app into a chat anyway. Safehold gives a non-browser agent a way to request a passport number without that detour.
Locked to the platform. Apple Wallet won't hand your boarding pass to a third-party agent. mDL pilots and the EU eIDAS wallet are issuer-controlled and narrow in scope. None of them speak MCP, and none will let an agent on your laptop request a field from your driving licence.
People do this. They drop their passport number into a system prompt, or type it into a message and trust the agent to handle it. The number then lives in chat history, gets shipped to the model provider, and sticks around in their logs. You also have no record of which agent used it for what.
Safehold keeps the document on disk, encrypted, and only releases the one field the agent asked for. Nothing extra ends up in the conversation.
Tempting if you're a developer. ~/identity.json plus the filesystem MCP is three lines of config and done. It also gives every other agent on the box the same access, with no encryption at rest, no logging, and no consent step. The first time that file shows up in a backup or a screen share, you have a problem.
KYC vendors. You send them your documents, they store them, and partner services query them on your behalf. The model assumes you don't hold the keys. Safehold takes the other direction: documents stay on your machine and you approve every release.
Built for service secrets, not personal identity. No human-facing consent flow, no schema for documents, and operationally heavy for someone who just wants their passport readable by an agent on their laptop.
Safehold runs as a stdio MCP server. Documents go into ~/.safehold/vault/ as individual encrypted files. Every retrieval is logged to ~/.safehold/access-log.enc.
Encryption is XChaCha20-Poly1305 via @noble/ciphers, audited by Cure53, no external dependencies. On first run a 32-byte key is written to ~/.safehold/master.key (mode 0600).
Other MCP clients can request specific fields from your documents. You control what gets shared, every time.
| Tool | Description |
|---|---|
| add_document | Add a document to the vault |
| list_documents | List stored documents (metadata only) |
| update_document | Update fields on an existing document |
| delete_document | Permanently delete a document |
| get_passport | Retrieve specific fields from a passport |
| get_national_id | Retrieve specific fields from a national ID |
| get_driving_license | Retrieve specific fields from a driving licence |
| get_visa | Retrieve specific fields from a visa |
| get_photo | Retrieve a stored photo (passport style, selfie, or signature) |
| get_document | Retrieve fields from any document type |
| get_access_log | View what was accessed, by which client, and when |
Every retrieval tool accepts a purpose parameter. That purpose is shown to you at consent time so you always know why a field is being requested.
Safehold also ships ready-made workflow prompts. These show up as slash commands in MCP clients (Claude Desktop, Cursor, Claude Code, Zed) so common tasks don't have to be re-prompted from scratch.
| Prompt | Description |
|---|---|
| onboard_document | Guided intake to add or update a passport, national ID, driving licence, or visa |
| travel_preflight | Check passport and visa validity for an upcoming trip |
| selective_share | Share the minimum a service actually needs, with an explicit consent purpose |
| expiry_audit | Surface anything expiring soon (metadata only, no consent prompts) |
Prompts don't access your data themselves. They tell the calling agent which Safehold tools to call, in what order, and with what purpose. Every retrieval still goes through the normal consent flow.
safehold-skills is a companion package of Claude Code skills that turn Safehold from a vault into finished workflows: airline check-in, ESTA applications, KYC forms, and so on. Each skill pairs Safehold with a browser MCP and asks for fields one at a time with a precise purpose string.
```bash
npx safehold-skills install
```
Requires Node.js >=20. No build step.
Most clients use the same JSON config — just the file path differs:
```json
{
  "mcpServers": {
    "safehold": {
      "command": "npx",
      "args": ["-y", "safehold@latest"]
    }
  }
}
```
| Client | Config file |
|---|---|
| Claude Desktop (macOS) | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Claude Desktop (Windows) | %APPDATA%\Claude\claude_desktop_config.json |
| Cursor (project) | .cursor/mcp.json |
| Cursor (global) | ~/.cursor/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| Amazon Q Developer (global) | ~/.aws/amazonq/mcp.json |
| Amazon Q Developer (project) | .amazonq/mcp.json |
Clients with slightly different config formats:
Claude Code (CLI)
```bash
claude mcp add safehold npx -- -y safehold@latest
```
VS Code (GitHub Copilot) — uses "servers" key, enable Agent mode in Copilot Chat. Edit .vscode/mcp.json (project) or ~/Library/Application Support/Code/User/mcp.json (global, macOS):
```json
{
  "servers": {
    "safehold": {
      "command": "npx",
      "args": ["-y", "safehold@latest"]
    }
  }
}
```
Zed — uses "context_servers" key in ~/.config/zed/settings.json:
```json
{
  "context_servers": {
    "safehold": {
      "command": "npx",
      "args": ["-y", "safehold@latest"]
    }
  }
}
```
OpenAI Codex CLI — TOML format in ~/.codex/config.toml:
```toml
[mcp_servers.safehold]
command = "npx"
args = ["-y", "safehold@latest"]
```
Continue.dev — create .continue/mcpServers/safehold.json (enable Agent mode):
```json
{
  "command": "npx",
  "args": ["-y", "safehold@latest"]
}
```
Hermes (Nous Research) — YAML format in ~/.hermes/config.yaml:
```yaml
mcp_servers:
  safehold:
    command: npx
    args: ["-y", "safehold@latest"]
```
OpenClaw — uses "servers" key in ~/.openclaw/mcp.json:
```json
{
  "servers": {
    "safehold": {
      "command": "npx",
      "args": ["-y", "safehold@latest"]
    }
  }
}
```
- get_travel_authorization - ESTA, eTA, UK ETA, and similar
- get_vaccination_certificate - international vaccination records
- get_residency_permit - BRP, Green Card, and equivalents
- get_birth_certificate
- get_tax_id - NI number, SSN, TFN, and equivalents
- get_proof_of_address - utility bills, bank letters
- get_travel_insurance

```bash
npm install
npm test           # run tests
npm run typecheck  # type check
npm run build      # compile to dist/
npm run dev        # run directly with tsx (no build step)
```

```bash
npm version patch  # bug fix (0.1.0 → 0.1.1)
npm version minor  # feature (0.1.0 → 0.2.0)
npm version major  # breaking (0.1.0 → 1.0.0)
```
Checks that you're on a clean, up-to-date main branch, bumps the version, commits, tags, and pushes. CI publishes to npm.