Model Context Protocol (MCP) for AI Agents (Docker)
Integrate Keeper Secrets Manager into AI agents using Docker
To utilize AI Agent integrations with Keeper Secrets Manager (KSM), your role must have the enforcement setting “Can create applications and manage secrets” enabled.
By enabling this feature, you authorize integration between Keeper and third-party AI tools or services. Keeper maintains its Zero-Trust architecture and does not access or process your vault records.
However, any data shared with third-party tools will be governed by those tools’ security, privacy, and compliance practices - not Keeper’s. You are solely responsible for configuring, managing, and auditing these integrations in accordance with your organization’s internal policies and applicable regulations.
To reduce exposure, access granted to AI Agents should be limited to only the minimum necessary folders in the Keeper Vault required to accomplish your specific use case.
AI Agent Integration with Model Context Protocol (MCP)
Keeper Secrets Manager works with AI agents through the Model Context Protocol (MCP), enabling AI Agents to securely interact with specific vault folders. This integration provides a zero-trust architecture where AI agents are explicitly allowed to access designated information from the Keeper Vault.
The Model Context Protocol integration acts as a secure bridge between AI assistants and Keeper Secrets Manager. It allows AI tools to help you manage secrets while maintaining the highest security standards through human-in-the-loop confirmations for sensitive operations.
Github: https://github.com/Keeper-Security/keeper-mcp-golang-docker
Docker Hub: https://hub.docker.com/r/keeper/keeper-mcp-server
Key Benefits
Zero Trust Architecture: AI agents are assigned specific folders in the vault Human-in-the-Loop: Confirmation prompts for sensitive operations Enterprise Ready: Comprehensive audit logging and compliance features Multi-Platform: Works on Linux, macOS, and Windows Docker Native: Easy deployment with container support
What Can AI Assistants Do?
With KSM MCP integration, AI assistants can help you:
Secret Operations
List secrets - Browse your accessible secrets Search secrets - Find secrets by title, URL, username, or other fields Retrieve secrets - Get specific secret values (with confirmation for unmasked data) Create secrets - Generate new secret entries Update secrets - Modify existing secret information Delete secrets - Remove secrets (with confirmation)
File Management
List attachments - View file attachments on secrets Upload files - Add file attachments to secrets Download files - Retrieve file attachments Delete files - Remove file attachments
Utilities
Generate passwords - Create secure passwords with customizable parameters Get TOTP codes - Retrieve current time-based one-time passwords Execute KSM notation queries - Use Keeper's notation system for complex operations Health checks - Monitor server status and connectivity
Setup and Installation
(1) Create Secrets Manager Application
From Keeper Secrets Manager, create an Application or use an existing application.
(2) Create a Device Token
Discard the first Device token, and click on "Add Device" to generate a new Base64 configuration that will be provided to your AI agent.
(3) Register the MCP server
From your AI Agent configuration screen, register the Keeper Secrets Manager MCP server.
The specific details vary between AI agent applications. In Claude Desktop, this can be set up by opening Settings > Developer and then clicking Edit Config. Add the "ksm" server to this file, making sure to include the Base 64 configuration string generated in step 2.
Once this is set, you can begin interacting with the Keeper Secrets Manager MCP server.
Logs and event reporting are available inside the device logs screen and the Keeper Admin Console screens.
For additional setup details, see: https://github.com/Keeper-Security/keeper-mcp-golang-dockerTo utilize AI Agent integrations with Keeper Secrets Manager (KSM), your role must have the enforcement setting "Can create applications and manage secrets" enabled.
By enabling this feature, you authorize integration between Keeper and third-party AI tools or services. Keeper maintains its Zero-Trust architecture and does not access or process your vault records.
However, any data shared with third-party tools will be governed by those tools' security, privacy, and compliance practices - not Keeper's. You are solely responsible for configuring, managing, and auditing these integrations in accordance with your organization's internal policies and applicable regulations.
To reduce exposure, access granted to AI Agents should be limited to only the minimum necessary folders in the Keeper Vault required to accomplish your specific use case.
AI Agent Integration with Model Context Protocol (MCP)
Keeper Secrets Manager works with AI agents through the Model Context Protocol (MCP), enabling AI Agents to securely interact with specific vault folders. This integration provides a zero-trust architecture where AI agents are explicitly allowed to access designated information from the Keeper Vault.
The Model Context Protocol integration acts as a secure bridge between AI assistants and Keeper Secrets Manager. It allows AI tools to help you manage secrets while maintaining the highest security standards through human-in-the-loop confirmations for sensitive operations.
Github: https://github.com/Keeper-Security/keeper-mcp-golang-docker
Docker Hub: https://hub.docker.com/r/keeper/keeper-mcp-server
Key Benefits
Zero Trust Architecture: AI agents are assigned specific folders in the vault
Human-in-the-Loop: Confirmation prompts for sensitive operations
Enterprise Ready: Comprehensive audit logging and compliance features
Multi-Platform: Works on Linux, macOS, and Windows
Docker Native: Easy deployment with container support
Setup and Installation
(1) Create Secrets Manager Application
Your Keeper admin must first enable Secrets Manager access via a Role Enforcement Policy. Once enabled, Secrets Manager will appear in the left navigation of your Keeper Vault.
Enable Secrets Manager via Role Enforcement Policy
From the Keeper Vault:
Click Secrets Manager in the left nav
Click the blue + Create Application button (top right)
Enter an Application Name (e.g. Claude Desktop)
Select the shared folder(s) this application should have access to under Folder Access for Application
Set Record Permissions for Application (Can Edit, or read-only as appropriate)
Click Generate Access Token — but do not use this token; we will discard it and generate a Base64 config in the next step
(2) Create a Device Token
Discard the first Device token, and click on Add Device to generate a new Base64 configuration that will be provided to your AI agent.
Click on your newly created application in the list to open the detail panel
Click the Devices tab in the right-hand panel, then click + Add Device
Enter a Device Name (e.g. Claude UI)
Change the Method dropdown from "One-Time Access Token" to Configuration File
Under Configuration Type, select Base64 (default)
Click the copy icon to copy the Base64 string to your clipboard
Save your config now. Keeper does not store Configuration Files. Copy or download the Base64 config immediately — you will not be able to retrieve it after closing this window.
Secrets Manager Configuration reference
(3) Register the MCP Server
From your AI Agent configuration screen, register the Keeper Secrets Manager MCP server.
In Claude Desktop, open Settings > Developer and click Edit Config. Add the ksm server to this file, making sure to include the Base64 configuration string generated in step 2.
Always use Edit Config — never edit the file directly in Finder or File Explorer. Editing the config file outside of Claude Desktop settings can cause it to be overwritten on next launch.
macOS — additional step required. Claude Desktop does not inherit your shell's PATH, so it cannot find docker by its short name. Replace "command": "docker" with the full path: "command": "/usr/local/bin/docker"
Windows — The "command": "docker" value works as-is. No change needed.
Verifying the Connection
After saving the config and fully restarting Claude Desktop, confirm KSM is connected:
Open Claude Desktop and click Connectors in the left sidebar
Look for ksm in the list with a blue toggle — if the toggle is on and blue, the connection is active
Try asking Claude: "What's in my KSM vault?" — Claude will prompt you to allow the list_secrets integration. Click Allow once or Allow always to confirm
Troubleshooting
ksm doesn't appear under Connectors after restarting
Make sure Docker Desktop is running before launching Claude Desktop
macOS: Confirm the command path in your config is /usr/local/bin/docker — not just "docker"
Double-check that you edited the config via Settings → Developer → Edit Config, not directly in Finder or File Explorer
Verify your Base64 config string is complete — it should be a long unbroken string with no spaces or line breaks
"Error connecting to KSM" or connector shows as failed
Open Docker Desktop and confirm the engine is running (green status)
Try pulling the image manually to confirm Docker is working: docker pull keeper/keeper-mcp-server:latest
Check that the shared folder you selected when creating the KSM application actually contains records
Config file gets reset / changes don't stick
This happens when the config file is edited directly in Finder or File Explorer instead of via Edit Config in Claude Desktop settings. Always use Edit Config.
For additional setup details, see: https://github.com/Keeper-Security/keeper-mcp-golang-docker
Last updated