
Every mcpvault subcommand, flag, and environment variable in one page.

# CLI reference

Every mcpvault subcommand, in one place. Run mcpvault --help or mcpvault <cmd> --help for the same content from your terminal.

## Vault lifecycle

### mcpvault init

Create a new encrypted vault at ~/.mcpvault/vault.enc. Prompts for a master password (twice) and derives the encryption key with Argon2id.

```bash
mcpvault init
mcpvault init --vault-dir /custom/path   # override the default location
```

Fails if a vault already exists at the target path.

### mcpvault unlock

Re-prompt for the master password and re-cache the derived key in the OS keyring. Idempotent.

```bash
mcpvault unlock
```

### mcpvault lock

Zero the cached key. Next command re-prompts.

```bash
mcpvault lock
mcpvault lock --purge   # also remove the entry from the OS keyring entirely
```

### mcpvault status

One-line summary: vault path, locked / unlocked, account count, active labels per service.

```bash
mcpvault status
```

### mcpvault doctor

Run every health check in sequence. Tells you what's wrong and how to fix it.

```bash
mcpvault doctor                   # everything
mcpvault doctor --vault           # just vault integrity
mcpvault doctor --client cursor   # one specific client config
mcpvault doctor --verbose         # full output, useful for issue reports
```

## Account management

See Accounts for the long-form workflows. Quick reference:

```bash
mcpvault add <service>                       # add a new account (interactive)
mcpvault list                                # all accounts, all services
mcpvault list <service>                      # accounts for one service
mcpvault active                              # currently active label per service
mcpvault use <service> <label>               # set the active label
mcpvault rename <service> <old> <new>        # rename an account
mcpvault rotate <service> <label>            # replace the token in place
mcpvault remove <service> <label>            # delete an account (asks for confirmation)
mcpvault describe <service> <label> <text>   # change the description fuzzy search uses
```

## Client wiring

```bash
mcpvault setup                       # detect & configure every supported client
mcpvault setup --only cursor         # one client
mcpvault setup --only cursor,cline   # several clients
mcpvault setup --scope project       # write per-project config (Cursor, VS Code) instead of user-level
mcpvault setup --dry-run             # show what would be written, no file changes
mcpvault setup --reset               # remove mcpvault entries from every client config
```

## MCP servers (run by the chat client)

These are the binaries chat clients spawn. You normally never run them by hand; they're invoked from your client's MCP config.

### mcpvault server

Start the vault control-plane MCP server on stdio. Exposes mcpvault_list_accounts, mcpvault_find_account, mcpvault_activate_account, mcpvault_get_active, mcpvault_vault_status.

```bash
mcpvault server
```

### mcpvault wrap <service>

Start a per-service wrapper MCP server on stdio. Re-reads the active label from active.json on every tool call.

```bash
mcpvault wrap supabase
mcpvault wrap github
mcpvault wrap vercel
mcpvault wrap stripe
```

To pin a wrapper to a specific account (instead of following the active label):

```bash
mcpvault wrap supabase --account work
```

## Updates & maintenance

```bash
mcpvault --version                 # current version
mcpvault update                    # update via npm + re-run setup
mcpvault update --channel dev      # opt into pre-release builds
mcpvault update --channel stable   # back to stable
mcpvault migrate                   # run pending vault migrations
mcpvault migrate --rollback        # restore vault.enc.bak
mcpvault password rotate           # change the master password
```

## Audit & introspection

```bash
mcpvault audit                      # tail the audit log
mcpvault audit --since 24h          # last 24 hours
mcpvault audit --service supabase   # one service only
mcpvault export-redacted            # dump vault structure (no secrets) for support
```

## Configuration

```bash
mcpvault config get <key>
mcpvault config set <key> <value>
mcpvault config list                # all keys
mcpvault config unset <key>
```

Common keys:

| Key | Default | What it does |
|---|---|---|
| channel | stable | Update channel (stable or dev). |
| autolock | off | Idle duration before vault auto-locks (off, 1h, 8h, 24h). |
| <service>.<label>.default_project | unset | Default project ref / team id for a service+account. |

## Global flags

These work on every command:

| Flag | Description |
|---|---|
| --help, -h | Show help for the command. |
| --version, -v | Print mcpvault version. |
| --vault-dir <path> | Override the vault directory (default ~/.mcpvault). |
| --no-color | Disable ANSI colour output. |
| --json | Print machine-readable output (where supported). |
| --quiet, -q | Suppress non-essential output. |

## Environment variables

| Var | Effect |
|---|---|
| MCPVAULT_HOME | Override the vault directory. Same as --vault-dir. |
| MCPVAULT_KEYRING | Set to none to skip OS-keyring caching (re-prompt every command). Useful for headless servers. |
| MCPVAULT_NO_COLOR | Set to any value to disable colour. Same as --no-color. |
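An added example, not part of the mcpvault docs or code: a shell check that the vault directory (MCPVAULT_HOME, else ~/.mcpvault) is accessible only by its owner, which matters because vault.enc, vault.enc.bak and the active.json that wrappers re-read on every tool call are all exposed to other local users otherwise. It assumes those files live in the vault directory and that owner-only access is the desired posture; the function names are hypothetical.

```bash
# Added example (not mcpvault code). Assumptions: vault.enc, vault.enc.bak and
# active.json all live in the vault directory, and owner-only access is wanted.

# Vault directory as the reference describes it: MCPVAULT_HOME if set,
# otherwise the default ~/.mcpvault.
vault_dir() {
  printf '%s\n' "${MCPVAULT_HOME:-$HOME/.mcpvault}"
}

# List every path in the vault directory that is a symlink or grants any
# permission bit to group or other.
# Returns 0 if clean, 1 if anything was listed, 2 if the directory is missing.
audit_vault_dir() {
  avd_dir="${1:-$(vault_dir)}"
  if [ ! -d "$avd_dir" ]; then
    echo "no vault directory at $avd_dir" >&2
    return 2
  fi
  avd_hits=$(find "$avd_dir" \( -type l \
      -o -perm -040 -o -perm -020 -o -perm -010 \
      -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
  if [ -n "$avd_hits" ]; then
    printf '%s\n' "$avd_hits" | sed 's/^/not owner-only: /'
    return 1
  fi
  return 0
}

# Remediation: strip all group/other bits from the directory and its contents.
# Symlinks are reported by audit_vault_dir but left for manual review.
restrict_vault_dir() {
  chmod -R go-rwx -- "${1:-$(vault_dir)}"
}
```

Call `audit_vault_dir` with no argument to check the resolved vault directory, or pass a path such as the one given to --vault-dir.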
