Claude Code Setup

This guide covers how to configure secretctl MCP server with Claude Code and other MCP-compatible AI tools.

Prerequisites

secretctl installed and initialized (secretctl init)
At least one secret stored (secretctl secret add)
Policy file created (see below)

Step 1: Create Policy File

Create ~/.secretctl/mcp-policy.yaml:

mkdir -p ~/.secretctl
cat > ~/.secretctl/mcp-policy.yaml << 'EOF'
version: 1
default_action: deny
allowed_commands:
  # Cloud CLIs
  - aws
  - gcloud
  - az

  # Container tools
  - kubectl
  - docker
  - helm

  # Database tools
  - psql
  - mysql
  - mongosh

denied_commands:
  - env
  - printenv
  - set
  - export
EOF

Step 2: Configure Claude Code

Add to ~/.claude.json:

{
  "mcpServers": {
    "secretctl": {
      "command": "/path/to/secretctl",
      "args": ["mcp", "serve"],
      "env": {
        "SECRETCTL_PASSWORD": "your-master-password"
      }
    }
  }
}

caution

Replace /path/to/secretctl with the actual path to your secretctl binary. You can find it with which secretctl.

Using Homebrew Installation

If installed via Homebrew:

{
  "mcpServers": {
    "secretctl": {
      "command": "/opt/homebrew/bin/secretctl",
      "args": ["mcp", "serve"],
      "env": {
        "SECRETCTL_PASSWORD": "your-master-password"
      }
    }
  }
}

Step 3: Configure Codex CLI

For OpenAI Codex CLI, add to ~/.codex/config.yaml:

mcpServers:
  secretctl:
    command: /path/to/secretctl
    args:
      - mcp
      - serve
    env:
      SECRETCTL_PASSWORD: your-master-password

Step 4: Test the Integration

Start Claude Code or your MCP client
Ask Claude to list your secrets:
```
"List my available secrets"
```
Claude should respond with your secret keys (not values)

Environment Variables

Variable	Description	Default
`SECRETCTL_PASSWORD`	Master password for vault	(required)
`SECRETCTL_VAULT_DIR`	Custom vault directory	`~/.secretctl`

Troubleshooting

Server won't start

Error: "no password provided"

# Verify the password is set correctly
export SECRETCTL_PASSWORD=your-master-password
secretctl mcp serve

Error: "failed to unlock vault"

Check that the password is correct
Verify the vault exists (secretctl list works)

Commands are denied

Error: "command not allowed by policy"

Check ~/.secretctl/mcp-policy.yaml exists
Add the command to allowed_commands
Restart Claude Code to reload the MCP server

Connection Issues

If Claude Code can't connect:

Check the secretctl path is correct
Verify secretctl is executable
Test manually: secretctl mcp serve

Security Recommendations

Don't commit secrets - Never add your Claude config with passwords to git
Use environment variables - Consider using a shell wrapper for the password
Limit permissions - Only allow the commands you need
Review regularly - Check secretctl audit list for unusual activity

Example Workflow

Once configured, you can ask Claude to:

"Run 'aws s3 ls' using my aws/* credentials"

"Deploy to Kubernetes using my k8s/prod/* secrets"

"Connect to the database with db/prod/password"

Claude will use secret_run to execute these commands with secrets injected as environment variables, without ever seeing the actual values.

Prerequisites​

Step 1: Create Policy File​

Step 2: Configure Claude Code​

Using Homebrew Installation​

Step 3: Configure Codex CLI​

Step 4: Test the Integration​

Environment Variables​

Troubleshooting​

Server won't start​

Commands are denied​

Connection Issues​

Security Recommendations​

Example Workflow​