# Model Context Protocol (MCP) for AI Agents (Docker) {% hint style="info" %} To utilize AI Agent integrations with Keeper Secrets Manager (KSM), your role must have the [enforcement setting](/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies.md) “Can create applications and manage secrets” enabled. {% endhint %} {% hint style="danger" %} By enabling this feature, you authorize integration between Keeper and third-party AI tools or services. Keeper maintains its Zero-Trust architecture and does not access or process your vault records. However, any data shared with third-party tools will be governed by those tools’ security, privacy, and compliance practices - not Keeper’s. You are solely responsible for configuring, managing, and auditing these integrations in accordance with your organization’s internal policies and applicable regulations. To reduce exposure, access granted to AI Agents should be limited to only the minimum necessary folders in the Keeper Vault required to accomplish your specific use case. {% endhint %} ## AI Agent Integration with Model Context Protocol (MCP) Keeper Secrets Manager works with AI agents through the Model Context Protocol (MCP), enabling AI Agents to securely interact with specific vault folders. This integration provides a zero-trust architecture where AI agents are explicitly allowed to access designated information from the Keeper Vault. The Model Context Protocol integration acts as a secure bridge between AI assistants and Keeper Secrets Manager. It allows AI tools to help you manage secrets while maintaining the highest security standards through human-in-the-loop confirmations for sensitive operations. **Github:** **Docker Hub:** ### Key Benefits **Zero Trust Architecture**: AI agents are assigned specific folders in the vault\ **Human-in-the-Loop**: Confirmation prompts for sensitive operations\ **Enterprise Ready**: Comprehensive audit logging and compliance features\ **Multi-Platform**: Works on Linux, macOS, and Windows\ **Docker Native**: Easy deployment with container support ### What Can AI Assistants Do? With KSM MCP integration, AI assistants can help you: #### Secret Operations **List secrets** - Browse your accessible secrets\ **Search secrets** - Find secrets by title, URL, username, or other fields\ **Retrieve secrets** - Get specific secret values (with confirmation for unmasked data)\ **Create secrets** - Generate new secret entries\ **Update secrets** - Modify existing secret information\ **Delete secrets** - Remove secrets (with confirmation) #### File Management **List attachments** - View file attachments on secrets\ **Upload files** - Add file attachments to secrets\ **Download files** - Retrieve file attachments\ **Delete files** - Remove file attachments #### Utilities **Generate passwords** - Create secure passwords with customizable parameters\ **Get TOTP codes** - Retrieve current time-based one-time passwords\ **Execute KSM notation queries** - Use Keeper's notation system for complex operations\ **Health checks** - Monitor server status and connectivity ### Setup and Installation #### (1) Create Secrets Manager Application From Keeper Secrets Manager, create an Application or use an existing application.

Create an Application and assign folders

#### (2) Create a Device Token Discard the first Device token, and click on "Add Device" to generate a new Base64 configuration that will be provided to your AI agent.

#### (3) Register the MCP server From your AI Agent configuration screen, register the Keeper Secrets Manager MCP server. The specific details vary between AI agent applications. In Claude Desktop, this can be set up by opening **Settings** > **Developer** and then clicking **Edit Config**. Add the "ksm" server to this file, making sure to include the Base 64 configuration string generated in step 2. ``` { "mcpServers": { "ksm": { "command": "docker", "args": [ "run", "-i", "--rm", "-e", "KSM_CONFIG_BASE64=", "-e", "KSM_MCP_PROFILE=production", "-e", "KSM_MCP_BATCH_MODE=true", "-e", "KSM_MCP_LOG_LEVEL=error", "-v", "ksm-mcp-data:/home/ksm/.keeper/ksm-mcp", "keeper/keeper-mcp-server:latest" ] } } } ```

Once this is set, you can begin interacting with the Keeper Secrets Manager MCP server.

Logs and event reporting are available inside the device logs screen and the Keeper Admin Console screens.

*** For additional setup details, see: To utilize AI Agent integrations with Keeper Secrets Manager (KSM), your role must have the [enforcement setting](https://docs.keeper.io/en/enterprise-guide/secrets-manager) "Can create applications and manage secrets" enabled. {% hint style="warning" %} By enabling this feature, you authorize integration between Keeper and third-party AI tools or services. Keeper maintains its Zero-Trust architecture and does not access or process your vault records. However, any data shared with third-party tools will be governed by those tools' security, privacy, and compliance practices - not Keeper's. You are solely responsible for configuring, managing, and auditing these integrations in accordance with your organization's internal policies and applicable regulations. To reduce exposure, access granted to AI Agents should be limited to only the minimum necessary folders in the Keeper Vault required to accomplish your specific use case. {% endhint %} ### AI Agent Integration with Model Context Protocol (MCP) Keeper Secrets Manager works with AI agents through the Model Context Protocol (MCP), enabling AI Agents to securely interact with specific vault folders. This integration provides a zero-trust architecture where AI agents are explicitly allowed to access designated information from the Keeper Vault. The Model Context Protocol integration acts as a secure bridge between AI assistants and Keeper Secrets Manager. It allows AI tools to help you manage secrets while maintaining the highest security standards through human-in-the-loop confirmations for sensitive operations. **Github:** **Docker Hub:** #### Key Benefits **Zero Trust Architecture**: AI agents are assigned specific folders in the vault **Human-in-the-Loop**: Confirmation prompts for sensitive operations **Enterprise Ready**: Comprehensive audit logging and compliance features **Multi-Platform**: Works on Linux, macOS, and Windows **Docker Native**: Easy deployment with container support ### Setup and Installation #### (1) Create Secrets Manager Application Your Keeper admin must first enable Secrets Manager access via a Role Enforcement Policy. Once enabled, **Secrets Manager** will appear in the left navigation of your Keeper Vault. [Enable Secrets Manager via Role Enforcement Policy](https://docs.keeper.io/en/enterprise-guide/secrets-manager) From the Keeper Vault: 1. Click **Secrets Manager** in the left nav 2. Click the blue **+ Create Application** button (top right) 3. Enter an **Application Name** (e.g. Claude Desktop) 4. Select the **shared folder(s)** this application should have access to under **Folder Access for Application** 5. Set **Record Permissions for Application** (Can Edit, or read-only as appropriate) 6. Click **Generate Access Token** — but **do not use this token**; we will discard it and generate a Base64 config in the next step #### (2) Create a Device Token Discard the first Device token, and click on **Add Device** to generate a new Base64 configuration that will be provided to your AI agent. 1. Click on your newly created application in the list to open the detail panel 2. Click the **Devices** tab in the right-hand panel, then click **+ Add Device** 3. Enter a **Device Name** (e.g. Claude UI) 4. Change the **Method** dropdown from "One-Time Access Token" to **Configuration File** 5. Under **Configuration Type**, select **Base64** (default) 6. Click the **copy icon** to copy the Base64 string to your clipboard {% hint style="warning" %} **Save your config now.** Keeper does not store Configuration Files. Copy or download the Base64 config immediately — you will not be able to retrieve it after closing this window. {% endhint %} [Secrets Manager Configuration reference](https://docs.keeper.io/en/keeperpam/secrets-manager/about/secrets-manager-configuration) #### (3) Register the MCP Server From your AI Agent configuration screen, register the Keeper Secrets Manager MCP server. In Claude Desktop, open **Settings > Developer** and click **Edit Config**. Add the ksm server to this file, making sure to include the Base64 configuration string generated in step 2. {% hint style="warning" %} **Always use Edit Config — never edit the file directly in Finder or File Explorer.** Editing the config file outside of Claude Desktop settings can cause it to be overwritten on next launch. {% endhint %} ```json { "mcpServers": { "ksm": { "command": "docker", "args": [ "run", "-i", "--rm", "-e", "KSM_CONFIG_BASE64=", "-e", "KSM_MCP_PROFILE=production", "-e", "KSM_MCP_BATCH_MODE=true", "-e", "KSM_MCP_LOG_LEVEL=error", "-v", "ksm-mcp-data:/home/ksm/.keeper/ksm-mcp", "keeper/keeper-mcp-server:latest" ] } } } ``` {% hint style="info" %} **macOS — additional step required.** Claude Desktop does not inherit your shell's PATH, so it cannot find docker by its short name. Replace "command": "docker" with the full path: "command": "/usr/local/bin/docker" {% endhint %} {% hint style="info" %} **Windows** — The "command": "docker" value works as-is. No change needed. {% endhint %} ### Verifying the Connection After saving the config and fully restarting Claude Desktop, confirm KSM is connected: 1. Open **Claude Desktop** and click **Connectors** in the left sidebar 2. Look for **ksm** in the list with a blue toggle — if the toggle is on and blue, the connection is active 3. Try asking Claude: "What's in my KSM vault?" — Claude will prompt you to allow the list\_secrets integration. Click **Allow once** or **Allow always** to confirm ### Troubleshooting #### ksm doesn't appear under Connectors after restarting * Make sure **Docker Desktop is running** before launching Claude Desktop * **macOS:** Confirm the command path in your config is /usr/local/bin/docker — not just "docker" * Double-check that you edited the config via **Settings → Developer → Edit Config**, not directly in Finder or File Explorer * Verify your Base64 config string is complete — it should be a long unbroken string with no spaces or line breaks #### "Error connecting to KSM" or connector shows as failed * Open Docker Desktop and confirm the engine is running (green status) * Try pulling the image manually to confirm Docker is working: docker pull keeper/keeper-mcp-server:latest * Check that the shared folder you selected when creating the KSM application actually contains records #### Config file gets reset / changes don't stick This happens when the config file is edited directly in Finder or File Explorer instead of via **Edit Config** in Claude Desktop settings. Always use Edit Config. For additional setup details, see: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/en/keeperpam/secrets-manager/integrations/model-context-protocol-mcp-for-ai-agents-docker.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.