Docs · MCP integration

Give your AI agent your vault.

API Locker exposes a full Model Context Protocol (MCP) server. Any MCP-compatible client — Claude Desktop, Claude Code, Cursor, Zed, Continue, Cline — can list your credentials, reveal values, run health checks, and proxy API calls, all with one config entry.

Prerequisites

Install the CLI on the same machine as your MCP client: npm install -g apilocker
Register a device: apilocker register (browser-based, one-click)
That's it. The MCP bridge uses your stored master token from ~/.apilocker/config.json automatically.

The 21 tools your agent gets

Every vault operation is exposed as an MCP tool. Your agent can do anything the CLI can do:

list_keys

get_key_metadata

reveal_key

list_providers

get_activity

run_doctor

proxy_request

store_key

store_oauth_credential

rotate_key

rename_key

pause_key

resume_key

delete_key

list_tokens

create_token

pause_token

resume_token

revoke_token

list_devices

revoke_device

Claude Desktop

Paste this into your config file and restart Claude Desktop.

Config location:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "apilocker": {
      "command": "apilocker",
      "args": ["mcp"]
    }
  }
}

Claude Code (CLI)

One command:

claude mcp add apilocker -- apilocker mcp

Verify: claude mcp list. The server appears in the next Claude Code session automatically.

Cursor

Open Cursor Settings → Features → Model Context Protocol, click Add Server, and paste the same config as Claude Desktop. Restart Cursor after saving.

Zed

Open your Zed settings.json and add a context_servers entry:

{
  "context_servers": {
    "apilocker": {
      "command": {
        "path": "apilocker",
        "args": ["mcp"],
        "env": {}
      }
    }
  }
}

Continue (VS Code)

Edit ~/.continue/config.json and add an mcpServers entry (same shape as Claude Desktop).

Security

The MCP bridge reads your master token from ~/.apilocker/config.json. This gives the connected MCP client full vault access — the same permissions you have at the CLI. Only connect MCP clients you own and trust completely (Claude Desktop on your own laptop, your own Cursor instance, etc.).

For more restricted scenarios, use the scoped-token auth path: pass a scoped token in the Authorization header when calling the MCP server directly over HTTP. Scoped tokens can only call read tools (list_keys, reveal_key, proxy_request, etc.) and only for credentials in their pre-approved allowed_keys list. Write tools (store_key, rotate_key, delete_key, device/token management) are rejected for scoped tokens.

Want visual confirmation? The dashboard's MCP panel shows the server status, a test-connection button, and a live feed of recent MCP activity. Check there after connecting a client to verify everything's working.

How the bridge works

apilocker mcp runs as a subprocess of your MCP client, speaking the MCP stdio transport: line-delimited JSON-RPC over stdin/stdout. Every message from the client gets forwarded to the HTTPS backend at https://api.apilocker.app/v1/mcp with your master token as the Authorization header. The backend's response is written back to the client's stdout as a single line.

Startup banners are written to stderr (never stdout) so the protocol stream stays clean. If you want to see what the bridge is doing, run apilocker mcp directly in a terminal — you'll see the startup message, and any messages you paste on stdin will be forwarded.

Troubleshooting

Client can't find the server: make sure apilocker is in your PATH (which apilocker from the shell).
"Not configured" error: run apilocker register first.
Tools don't show up in the client: restart the client after editing its config file. Most MCP clients only read the config on startup.
Verify manually: visit the MCP panel in your dashboard and click Test connection. If that works, the server is healthy.

Open dashboard MCP panel