Docs · MCP integration

Give your AI agent your vault.

API Locker exposes a full Model Context Protocol (MCP) server. Any MCP-compatible client — Claude (web), Claude Code, Claude Desktop, Cursor, Zed, Continue, Cline — can list your credentials, reveal values, run health checks, and proxy API calls, all with one connection.

Two ways to connect

Pick the one that fits your AI client:

Remote MCP (OAuth): For Claude on claude.ai and claude.com. Click Add connector → sign in → approve. No CLI install. Nothing to configure. This is the path most people want.
Local MCP (stdio bridge): For Claude Desktop, Claude Code, Cursor, Zed, and Continue. Install the apilocker CLI, run apilocker register once, then point your client at apilocker mcp. Covered further down this page.

Remote MCP — for Claude web + Claude Code

API Locker is a compliant OAuth 2.1 remote MCP server. When Claude's Connectors Directory supports API Locker, users can add it in three clicks:

Open Claude settings → Connectors → Add connector
Search for API Locker and click Add
Sign in with your API Locker account (GitHub or Google) and click Approve on the consent screen

After approval, Claude has full access to your vault through the same 21 tools listed below. Claude shows a safety label on every tool call (read vs. write vs. external request) before executing. You can revoke the connection at any time from your dashboard.

Is API Locker in the directory yet? Submission is in progress with Anthropic. Until it's listed, you can still add API Locker manually by pasting this URL into Claude's Add custom connector flow: https://api.apilocker.app/v1/mcp — Claude will handle the OAuth handshake and consent screen automatically.

Install in 3 steps — for local MCP clients

1. Install the CLI

npm install -g apilocker

Requires Node 18+. Works on macOS, Linux, Windows.

2. Register your device

apilocker register

Opens your browser, you click Authorize once, done. The CLI stores a per-device master token in ~/.apilocker/config.json (mode 0600). The MCP bridge picks it up automatically — you never paste a token into your AI client's config.

3. Connect your AI client

Pick your tool. Every flow uses the same apilocker mcp stdio bridge; only the config shape differs.

Claude Code — one command

This is the fastest path. Claude Code ships with a built-in MCP add command:

claude mcp add apilocker -- apilocker mcp

That's the entire install. Verify with claude mcp list — you should see apilocker: apilocker mcp - ✓ Connected. The server is available in your next Claude Code session automatically.

Claude Desktop

Paste this into your config file and restart the app.

Config location:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "apilocker": {
      "command": "apilocker",
      "args": ["mcp"]
    }
  }
}

Cursor

Open Cursor Settings → Features → Model Context Protocol, click Add Server, and paste the same config as Claude Desktop. Restart Cursor after saving.

Zed

Open your Zed settings.json and add a context_servers entry:

{
  "context_servers": {
    "apilocker": {
      "command": {
        "path": "apilocker",
        "args": ["mcp"],
        "env": {}
      }
    }
  }
}

Continue (VS Code)

Edit ~/.continue/config.json and add an mcpServers entry (same shape as Claude Desktop).

The 21 tools your agent gets

Every vault operation is exposed as an MCP tool. Your agent can do anything the CLI can do:

list_keys

get_key_metadata

reveal_key

list_providers

get_activity

run_doctor

proxy_request

store_key

store_oauth_credential

rotate_key

rename_key

pause_key

resume_key

delete_key

list_tokens

create_token

pause_token

resume_token

revoke_token

list_devices

revoke_device

Usage examples

Once API Locker is connected, your AI agent can handle credential-related tasks in plain English. Here are three concrete flows, each showing the kinds of prompts that work well and which MCP tools get called under the hood:

Example 1 — Audit my vault health

What you ask Claude:

"Take a look at my API Locker vault. Which keys haven't been rotated in over 90 days, and are any of my scoped tokens close to expiring?"

What Claude does:

Calls list_keys to enumerate every credential you have stored
Calls run_doctor to get the built-in health report (stale rotations, unused keys, expiring tokens, local config permission checks)
Calls list_tokens to see which scoped tokens exist and their rotation cadence
Summarizes the findings: "You have 4 keys over 90 days old (OPENAI_API_KEY last rotated 2025-11-08, ...). Your daily-rotating web-app-prod token expires in 3 days unless refreshed."

All three tools are read-only — no state changes, nothing consumed, nothing charged. This is the safest entry point for a new connection.

Example 2 — Rotate a leaked credential

What you ask Claude:

"I just got an alert that my Stripe live key might be compromised. Generate a new one, store it in the vault, and tell me what to paste into the Stripe dashboard."

What Claude does:

Calls get_key_metadata to confirm the credential alias (STRIPE_SECRET_KEY) and its current provider + rotation history
Generates a new secret value (or prompts you for the one you already created in the Stripe dashboard)
Calls rotate_key to replace the encrypted blob in the vault and stamp rotated_at
Calls get_activity to confirm the rotation event was audit-logged
Reminds you that scoped tokens referencing STRIPE_SECRET_KEY keep working automatically — no app-code changes needed

The rotate_key tool carries destructiveHint: true, so Claude will show a confirmation UI before executing. Your existing Stripe API client code continues to work against the proxied endpoint immediately.

Example 3 — Call a real API without exposing the key

What you ask Claude:

"Use my OpenAI key in API Locker to call gpt-4.1-mini with the prompt 'Write a haiku about vault security.' Don't show me the raw key."

What Claude does:

Calls list_keys filtered by category: "llm" to find the OpenAI credential's key_id
Calls proxy_request with key_id + path: "/v1/chat/completions" + the request body — API Locker's proxy handler injects the raw key into the outbound call server-side, forwards to OpenAI, and returns the response
Shows you the haiku

At no point did Claude see your OpenAI API key. The proxy_request tool carries openWorldHint: true and destructiveHint: true because it makes an outbound call that can affect billing or state on the target service. Every call is audit-logged with the source IP, latency, and response status.

Privacy & data handling

API Locker's MCP server handles sensitive data. Here's exactly what we do and don't store:

Credential values: encrypted with AES-256-GCM before ever touching disk. Stored in Cloudflare KV as ciphertext only. The plaintext is only ever assembled inside the Worker for one of three reasons: an authenticated reveal_key call, an authenticated proxy_request call, or the Worker's own OAuth sign-in flow reading its own credentials from the vault. Plaintext is never logged, cached, or persisted outside of encrypted storage.
Request bodies sent through proxy_request: forwarded to the target upstream API unchanged. We do not log, store, or retain request bodies or responses — only metadata (timestamp, target host, status code, latency, response size).
Audit logs: every credential reveal, rotation, rename, pause/resume, proxy call, and MCP tool invocation is logged with {user_id, timestamp, source_ip, country, status_code, latency_ms}. Logs are retained indefinitely for the user's own visibility (GET /v1/activity, apilocker activity) and are never shared externally.
OAuth session data from MCP clients: when a client like Claude authenticates via the OAuth 2.1 flow, we store a hashed access token and refresh token plus the approved scopes, client ID, and user ID. The refresh token rotates on every use; old tokens are held one rotation back for reuse detection and then discarded. We do not store the access token plaintext.
Conversation content: API Locker does not see, log, or store any conversation history between you and Claude. Only the individual MCP tool calls reach the Worker, and only their arguments (e.g. "rotate key alias OPENAI_API_KEY") — never the surrounding conversation context.

See our full Privacy Policy for the formal version.

Security

The MCP bridge reads your master token from ~/.apilocker/config.json. This gives the connected MCP client full vault access — the same permissions you have at the CLI. Only connect MCP clients you own and trust completely (Claude Desktop on your own laptop, your own Cursor instance, etc.).

For more restricted scenarios, use the scoped-token auth path: pass a scoped token in the Authorization header when calling the MCP server directly over HTTP. Scoped tokens can only call read tools (list_keys, reveal_key, proxy_request, etc.) and only for credentials in their pre-approved allowed_keys list. Write tools (store_key, rotate_key, delete_key, device/token management) are rejected for scoped tokens.

For remote MCP connections (OAuth 2.1), scopes are enforced at the token level: vault:read is required for any MCP call, vault:write is additionally required for tools that modify vault state, and vault:proxy is required for proxy_request. Refresh tokens rotate on use and reuse is treated as token theft (the entire grant family is revoked immediately).

Support

Questions, bug reports, feedback, and security disclosures all have a home:

GitHub Issues: github.com/apilocker/apilocker/issues — preferred for bugs and reproducible issues
Feedback & feature requests: feedback@apilocker.app — ideas, advice, what's missing, what's broken in your workflow
General support: support@apilocker.app — private questions, account help
Security disclosures: security@apilocker.app — please don't open public issues for security findings
Dashboard MCP panel: www.apilocker.app/dashboard#mcp — live server status, test-connection button, and recent MCP activity feed

Want visual confirmation? The dashboard's MCP panel shows the server status, a test-connection button, and a live feed of recent MCP activity. Check there after connecting a client to verify everything's working.

How the bridge works

apilocker mcp runs as a subprocess of your MCP client, speaking the MCP stdio transport: line-delimited JSON-RPC over stdin/stdout. Every message from the client gets forwarded to the HTTPS backend at https://api.apilocker.app/v1/mcp with your master token as the Authorization header. The backend's response is written back to the client's stdout as a single line.

Startup banners are written to stderr (never stdout) so the protocol stream stays clean. If you want to see what the bridge is doing, run apilocker mcp directly in a terminal — you'll see the startup message, and any messages you paste on stdin will be forwarded.

Troubleshooting

Client can't find the server: make sure apilocker is in your PATH (which apilocker from the shell).
"Not configured" error: run apilocker register first.
Tools don't show up in the client: restart the client after editing its config file. Most MCP clients only read the config on startup.
Verify manually: visit the MCP panel in your dashboard and click Test connection. If that works, the server is healthy.

Open dashboard MCP panel