SanctumAI — Credential Vault For AI Agents

Name: SanctumAI — Credential Vault For AI Agents
Author: SanctumSec

SanctumSec/sanctum

Give coding agents time-bound access to API keys and secrets via an encrypted vault instead of pasting credentials into chat or env files.

Overview

Sanctum is a MCP server for the Ship phase that provides an encrypted credential vault with lease-based access and CRP support so AI agents use secrets without long-lived exposure.

What is this MCP server?

Encrypted credential vault designed for AI agent workloads
Lease-based access so secrets are not permanently exposed to sessions
CRP support for credential request patterns agents can use safely
npm @sanctumai/mcp-server with SANCTUM_VAULT_PATH and optional SANCTUM_PASSPHRASE for headless unlock
stdio MCP transport at version 0.3.2
MCP server version 0.3.2 published as npm package @sanctumai/mcp-server
Configurable vault path SANCTUM_VAULT_PATH and secret SANCTUM_PASSPHRASE environment variables

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Agents need third-party credentials constantly, but dropping keys into prompts, repos, or flat env files creates avoidable breach and rotation pain.

Who is it for?

Solo builders running multiple MCP integrations who want one vault, npm-based server setup, and optional headless unlock via SANCTUM_PASSPHRASE.

Skip if: Builders who only use public APIs with no secrets, or teams that already enforce a centralized enterprise secrets manager with full IAM you will not duplicate locally.

What do I get? / Deliverables

Secrets stay in an encrypted vault with timed leases, so your agent can authenticate integrations while you retain unlock and policy control.

Encrypted local vault wired to the agent via MCP
Time-bounded credential leases for integration calls
Documented env-based headless or UI-based vault unlock flow

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Credential hygiene matters most when you are hardening integrations before and during Ship—agents still need secrets without exposing them broadly. Lease-based vault access is a security control for agent deployments, not generic backend coding—canonical placement is Ship → security.

How it compares

Agent-focused encrypted vault MCP—not a generic password manager UI and not a single-purpose OAuth skill.

Common Questions / FAQ

Who is Sanctum for?

Indie developers and small teams using AI agents with MCP who need encrypted, lease-scoped storage for API keys and service credentials.

When should I use Sanctum?

Before and during Ship when you connect agents to paid APIs, staging environments, or private backends and want to avoid pasting secrets into chat.

How do I add Sanctum to my agent?

Install @sanctumai/mcp-server from npm, set SANCTUM_VAULT_PATH if needed, configure SANCTUM_PASSPHRASE for automated unlock or use the web UI interactively, then register the stdio server in your MCP client.