Keiko
Secure secrets manager for AI agents. Keiko lets AI tools like Claude Code use API tokens, passwords, and credentials without ever seeing the actual values.
The Problem
AI agents need API tokens to do useful work — calling APIs, deploying code, managing infrastructure. But passing secret values through an AI's context window is a security risk: they appear in conversation logs, tool responses, and potentially in training data.
How Keiko Solves It
Keiko uses a proxy pattern. The AI agent tells Keiko what command to run and which secrets it needs, but never sees the secret values themselves:
AI Agent ──► Keiko MCP Server ──► Keiko Backend
│ │
resolves secrets ◄── HTTPS ──┘
│
spawns: bash -c "your command"
with secrets as env vars
│
captures output
sanitizes (redacts leaked values)
│
AI Agent ◄── clean output onlyThe AI says "run this curl command with my API token" — Keiko injects the token as an environment variable, runs the command, scans the output for any leaked values, redacts them, and returns clean output.
Quick Start
1. Deploy the backend
The backend stores secrets encrypted (AES-256-GCM) and serves them over HTTPS. Deploy with Docker to any platform with persistent storage:
# Generate an encryption key
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# Deploy (Railway, Render, Fly, Docker Compose, etc.)
# See docs/setup-guide.md for full instructions2. Set up the MCP server
The MCP server runs on each machine that needs access to secrets. It's a standalone package with only 2 dependencies — no native compilation needed.
cd packages/mcp
npm install
npm run build
node dist/index.js --store-token YOUR_TOKEN3. Connect to Claude Code
Add to ~/.mcp.json:
{
"mcpServers": {
"keiko": {
"command": "node",
"args": ["/absolute/path/to/keiko/packages/mcp/dist/index.js"],
"env": {
"KEIKO_URL": "https://your-keiko-backend.example.com"
}
}
}
}Restart Claude Code. Ask "Check Keiko session status" to verify.
How the AI Uses It
Once connected, the AI discovers available secrets and uses them in commands — without ever seeing the values:
AI: list_secrets
→ my_api_token [Bearer token in Authorization header]
AI: run_with_secrets
command: curl -s -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data
secrets: [{env: "API_TOKEN", name: "my_api_token"}]
→ {"data": [...]} (secret values redacted from output)Each secret includes auth_pattern and auth_instructions metadata, so the AI knows how to use it without external documentation.
MCP Tools
| Tool | Purpose | |------|---------| | run_with_secrets | Run a command with secrets injected as env vars | | list_secrets | Discover available secrets (names and auth patterns only) | | session_status | Check authentication state | | lock | Kill switch — revoke all active sessions | | set_ttl | Configure session expiry (0.5–24 hours) | | add_secret | Create a new secret | | update_secret | Replace an existing secret's value | | get_guide | Fetch the usage guide |
Security
- Encryption at rest — AES-256-GCM with per-secret random IV, plus versioned keys (
ENCRYPTION_KEY,ENCRYPTION_KEY_V2, …) and an in-place rotation endpoint so the key can be rotated without downtime - Hashed auth tokens — 64-char hex tokens, SHA-256 hashed in the database, plaintext shown once
- Token scoping — each token is restricted to a set of secret-name glob patterns (e.g.
railway_*), so a leaked token only exposes the slice of the vault it actually needs - Output sanitization — command output scanned for secret values in raw, base64, base64url, URL-encoded, hex, JSON-string-escaped, and HTML-entity-escaped forms
- Per-token rate limit — independent of per-IP, caps abuse from a single token routed through multiple IPs
- CSRF protection —
X-CSRF-Tokenheader required on every mutating admin-UI endpoint - Session management — configurable TTL, auto-refresh, global kill switch
- Audit trail — every action logged with token ID, session ID, IP, and timestamp
Secret values never appear in AI tool responses, conversation logs, or on disk on client machines. See GET /api/guide for the full threat model — what the proxy pattern does and does not prevent.
Architecture
keiko/
├── packages/mcp/ # MCP server (runs on your machine)
│ ├── src/
│ │ ├── server.ts # 7 tool registrations
│ │ ├── client.ts # HTTPS client to backend
│ │ ├── executor.ts # Shell spawner + env var injection
│ │ ├── sanitizer.ts # Output redaction
│ │ └── keychain.ts # OS keychain (Win/Mac/Linux)
│ └── package.json # 2 deps: @modelcontextprotocol/sdk + zod
│
├── src/ # Backend API (runs on your server)
│ ├── api/ # Express routes, auth, crypto
│ └── ui/ # EJS admin templates
│
└── Dockerfile # Multi-stage production buildThe MCP server and backend are fully independent packages. The MCP server has zero native dependencies — npm install works everywhere without compilers or --ignore-scripts.
Platform Support
| Environment | Token Storage | Notes | |------------|---------------|-------| | Windows | Windows Credential Manager | Commands run via Git Bash (not WSL) | | macOS | macOS Keychain | System bash | | Linux | libsecret | Requires secret-tool | | Docker / CI | KEIKO_TOKEN env var | No keychain needed |
Documentation
- Setup Guide — Full setup instructions for all environments, backend deployment, troubleshooting, API reference, and configuration options
Tech Stack
Backend: Node.js 20, TypeScript, Express, SQLite (better-sqlite3), EJS, Google OAuth
MCP Server: Node.js 20, TypeScript, MCP SDK v1.x, Zod
Deployment: Docker (multi-stage build), any platform with persistent volumes. Tested with Railway.
