One vault. Every account. Switched by your agent.

A local, encrypted credential store for any MCP-compatible AI agent. Works with Claude Desktop, Cursor, Cline, Windsurf, Continue and Zed. Keep many accounts per service. Switch between them from natural language.

$ npm install -g @elraian/mcpvault  ·  macOS · Windows · Linux  ·  from AISIDE

agent / mcpvault · live

You: Hop over to my work Supabase and show me what's deployed in production.
  find_account("supabase", "work") → work
  activate_account("supabase", "work")
  supabase_list_projects()
Agent: You're on work. Production projects: api, dashboard, billing.

~/.mcpvault · unlocked

$ mcpvault list supabase
  work · Day job, prod + staging
  personal · My side projects
  consulting · Freelance client
  demo · Throwaway demo org
$ mcpvault active
  supabase  work
  github    personal
  vercel    personal
  stripe    work-live

vault.enc · 12 accounts · 4 services · argon2id m=64MiB · aes-256-gcm

Works with your agent

Claude Desktop
Cursor
Cline
Windsurf
Continue
Zed
Any MCP client

Wraps services you already use

Supabase
GitHub
Vercel
Stripe

Quick Start

Pick your install method and platform. Copy the command, run it, you're unlocked in under a minute.

β beta
$ npm install -g @elraian/mcpvault && mcpvault init

Works on macOS, Linux, and Windows. The installer puts the mcpvault binary on your PATH (with mvault and mcp-vault as aliases) and stores the encrypted vault at ~/.mcpvault. Upgrade later with npm i -g @elraian/mcpvault@latest.

The problem

One agent. Five clients. Twenty tokens in a notes app.

Every MCP server expects one set of credentials in env vars. So you either restart your agent every time you change clients, or you give one agent access to everything at once. Neither is fine.

Before
  • Edit your agent's MCP config, swap a token, restart it.
  • Or paste the same PAT into every wrapper and pray you're hitting the right project.
  • Tokens scattered across 1Password, .env files, Notion, Slack DMs.
  • No record of which account the agent used when it ran a query.
With mcpvault
  • One encrypted file. Many accounts per service. Personal, three clients, a demo org.
  • "Switch me to the Acme Supabase". Your agent does it. Instant. No restart.
  • Credentials never leave the wrapper process. Your agent only sees results.
  • Append-only audit log: who-was-used-when, never the secret itself.
How it works

Three pieces. Two are invisible.

A CLI to manage accounts, a vault MCP server your agent can call, and per-service wrappers that re-read the active account on every request.

01 · CLI

Drop credentials into the vault

mcpvault add supabase walks you through label, description and PAT. The description is what fuzzy search matches.

$ mcpvault add supabase
Label: client-acme
Description: Acme Corp prod
PAT: ••••••••••••••
✓ Added.
02 · MCP

Point your agent at the wrappers

Add four lines to your agent's MCP config (claude_desktop_config.json, .cursor/mcp.json, Cline settings, etc.). mcpvault becomes both the control plane and every per-service wrapper.

"mcpServers": {
  "vault":    { "command": "mcpvault", "args": ["server"] },
  "supabase": { "command": "mcpvault", "args": ["wrap", "supabase"] },
  "github":   { "command": "mcpvault", "args": ["wrap", "github"] }
}
03 · Agent

Ask in plain language

Your agent finds the right account, activates it, runs the tool. Each wrapper re-reads the active label on every call, so switching is instant.

"Switch to my personal Supabase and list recent migrations"
  activate_account("supabase", "personal")
  supabase_list_migrations()
  → 4 migrations on personal/main
What's in the box

Built for agents that actually do work.

Many accounts per service

Personal Supabase, work Supabase, a freelance client, a demo org. All live side by side. Labels stay alphanumeric; descriptions feed fuzzy search.

Switch in real time

Wrappers re-read the active label on every tool call. Going from personal to work is one MCP call. Zero restart.

Fuzzy find by description

Write project or client names into descriptions. Your agent calls find_account("supabase", "work") and gets back the right label.

AES-256-GCM at rest

Argon2id KDF (m=64 MiB, t=3, p=1) from your master password. Vault file lives at ~/.mcpvault/vault.enc. The password never touches disk.

Unlock once, stay unlocked

Derived session key cached in OS keychain (DPAPI on Windows, Keychain on macOS, Secret Service on Linux). Survives reboots until you explicitly lock.

Append-only audit log

Records which account was used per request, never the credential. Answer "what did the agent touch on Tuesday?" without exposing keys.

Security model

Your credentials don't go to the model.

Wrappers decrypt the active credential in-process, call the upstream API, and return the result to your agent. The PAT never crosses the MCP wire. Stripe's wrapper is read-only by design. No create_charge, no refund.

01 · AES-256-GCM, Argon2id KDF

m=64 MiB, t=3, p=1. The vault file is meaningless without the master password.

02 · Session key in OS keychain

Protected by your OS login. Lock at any time to invalidate it.

03 · Credentials stay in the wrapper

Tools return API responses to your agent. Never the bearer token itself.

04 · Auditable by default

Append-only log of which label served which call. Easy to grep, easy to ship.

~/.mcpvault/ (read-only diagram)
├── vault.enc · encrypted · AES-256-GCM ciphertext, Argon2id-derived key
├── active.json · public · Plain JSON: only labels, no secrets
└── vault.log · append-only · Append-only audit trail of account use

OS keychain
mcp-vault.session · ephemeral · DPAPI / Keychain / Secret Service. Cleared on lock.

Request path
agent → wrapper → decrypt in-process → upstream API → result → agent

The credential never crosses the dotted line back to the agent.

Wrappers

Four services on day one.

Each wrapper exposes a small, opinionated set of tools that match the way you actually use the API from a chat, not the full surface area.

Supabase

Read-only project + SQL access

list_projects · run_sql · list_tables · get_logs · list_organizations

GitHub

Repos, issues, PRs, code search

list_repos · get_repo · list_issues · create_issue · list_pulls · get_file · search_code

Vercel

Projects, deployments, domains

list_projects · list_deployments · get_deployment · list_domains

Stripe

read-only

Customers, charges, subscriptions

list_customers · retrieve_customer · list_charges · list_subscriptions · retrieve

v2 · Coming next: OAuth services (Gmail, Drive, Slack), 1Password / Bitwarden adapters, and project contexts. Switch Supabase, GitHub, Vercel and Stripe at once.

Install

Up in under five minutes.

Three commands and a config snippet. Works the same on macOS, Windows and Linux.

Step 01 · Install & init
zsh · local
$ npm install -g @elraian/mcpvault
$ mcpvault init
set master password
~/.mcpvault/vault.enc

Step 02 · Add accounts
zsh · repeat per service
$ mcpvault add supabase
$ mcpvault add github
$ mcpvault add vercel
$ mcpvault add stripe

Step 03 · Wire to your MCP client
critical
JSON · your agent's MCP config
{
  "mcpServers": {
    "vault": {
      "command": "mcpvault",
      "args": ["server"]
    },
    "supabase": {
      "command": "mcpvault",
      "args": ["wrap", "supabase"]
    },
    "github": {
      "command": "mcpvault",
      "args": ["wrap", "github"]
    }
  }
}
Drop into:
  • Claude Desktop: claude_desktop_config.json
  • Cursor: .cursor/mcp.json
  • Cline: cline_mcp_settings.json
  • Windsurf: mcp_config.json

Same MCP block works for any MCP-compatible client. Restart the agent and you're live.

FAQ

Questions worth answering.

Which agents does this work with?
Anything that speaks MCP. Tested with Claude Desktop, Claude Code, Cursor, Cline, Windsurf, Continue and Zed. If your tool can spawn an MCP server, mcpvault drops in.

Does my agent ever see the actual tokens?
No. Wrappers decrypt the active credential in their own process and call the upstream API. The agent only sees what the API returned: project lists, query results, deployments. The PAT never crosses the MCP wire.

What if my laptop is stolen?
The vault file is AES-256-GCM with an Argon2id-derived key. The session key cached in the OS keychain is protected by your OS login (DPAPI on Windows, Keychain on macOS). Without your OS password, neither file is useful.

Do I have to re-enter my master password every day?
No. The derived key is cached in your OS keychain across reboots. If you'd rather have it expire, run mcpvault lock before shutting down (or call lock_vault through your agent).

Why is the Stripe wrapper read-only?
Because money moves are not the kind of thing you want a chat interface to be one prompt away from. No create_charge, no refund, by design.

Can I add more services?
v1 covers bearer-token / API-key auth: Supabase, GitHub, Vercel, Stripe. v2+ brings OAuth services (Gmail, Drive, Slack) with refresh logic, plus 1Password / Bitwarden adapters and multi-service contexts.

Is this hosted anywhere?
No. mcpvault is local-first by design. There is no server, no account, no telemetry. The vault file lives on your machine; that's it.

Stop pasting tokens.
Start switching contexts.

mcpvault is open source, MIT-licensed, and runs entirely on your machine. Get it running in five minutes.