How to Share Secrets Securely with AI Agents
By Maxim Novak
When you ask Claude to help configure a server, where do the passwords go?
If you type them directly into the chat — "here's my database password: ..." — they're in the conversation history. They're in the model's context. They may be stored on the AI provider's servers. For an API key you'll use once, that's a bigger blast radius than the sharing itself.
Developers are already using AI assistants to set up infrastructure, debug deployments, and rotate credentials. The missing piece is a secure handoff layer — something that keeps secrets out of LLM context while still letting the agent act on them.
That's what the Vaulted MCP server is for.
What it is
The Vaulted MCP server (@vaulted/mcp-server) is a Model Context Protocol server that gives AI assistants four tools for working with encrypted secrets:
| Tool | What it does |
|---|---|
create_secret | Encrypt and store a secret, returns a shareable one-time link |
view_secret | Retrieve and decrypt a secret from a Vaulted URL |
check_status | Check if a secret exists and how many views remain (non-consuming) |
list_secrets | Show locally tracked secrets with their current status |
It works with Claude Desktop, Cursor, Windsurf, and any stdio MCP client. Installation is a single config block.
The agent-blind differentiator
The feature most developers don't expect: you don't have to give the agent the secret value directly.
Vaulted MCP supports agent-blind input sources. Instead of passing the raw value, you pass a reference:
env:STRIPE_KEY— reads the value from an environment variablefile:/path/to/api-key.txt— reads from a filedotenv:.env.local:DATABASE_URL— reads a specific key from a.envfile
The MCP server resolves the reference server-side (locally, in your terminal process). The resolved value is encrypted immediately and never enters the LLM context. The agent completes the task without ever seeing the credential.
So instead of:
"Share my Stripe key: sk_live_abc123..."
You say:
"Share my STRIPE_KEY env var securely"
The agent passes env:STRIPE_KEY to create_secret. The key never appears in the conversation.
This is what "agent-blind" means: the agent handles the workflow without the secret passing through its context window.
Zero-knowledge encryption
The underlying encryption is the same AES-256-GCM used by the Vaulted web app and CLI. The encryption key lives only in the URL fragment — it's never sent to Vaulted's servers. When a recipient opens the link, their browser decrypts it locally.
The server stores ciphertext it cannot decrypt. Your AI assistant doesn't see the plaintext. The Vaulted API doesn't see the plaintext. Only the person with the link can read it.
Getting started
Add Vaulted to Claude Desktop's config file (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"vaulted": {
"command": "npx",
"args": ["-y", "@vaulted/mcp-server"]
}
}
}
The same config format works in Cursor (~/.cursor/mcp.json) and Windsurf (~/.codeium/windsurf/mcp_config.json).
Restart your AI client and the four tools are available immediately. No accounts required.
Real examples
Share an API key directly:
"Share this securely: sk-abc123"
The agent calls create_secret with the value. You get back a Vaulted link to send over Slack or email.
Share from an environment variable:
"Share my STRIPE_KEY env var securely"
The agent calls create_secret with env:STRIPE_KEY. The actual key value never appears in the conversation.
Retrieve to clipboard:
"Retrieve that secret to my clipboard"
The agent calls view_secret with output mode clipboard. The decrypted value lands on your clipboard without printing to the terminal.
Check if a secret was viewed:
"Has my secret been viewed yet?"
The agent calls check_status. You see how many views remain without consuming one.
Under the hood
When you run npx @vaulted/mcp-server, it starts a local process that speaks the MCP stdio transport. Your AI client connects to it like any other MCP server.
For agent-blind sources, the server reads the value from your local environment (env vars, files, .env keys) before encryption. The value never leaves the local process unencrypted. It's sent to Vaulted's API as ciphertext — same as if you'd used the web app.
Secrets self-destruct: you can set view limits (1, 3, 5, or 10 views) and expiry (1 hour to 30 days). After the limit is reached, the ciphertext is deleted from the server.
The pattern here is small: add one config block, and your AI assistant gains the ability to handle credentials responsibly — without ever needing to see them.
Get started on the MCP page → · Install from npm · View on GitHub