AI Integration

MeowPass ships with a 14-tool MCP server (v0.3). Use it with Claude Code, Cursor, Windsurf, or any MCP-compatible agent.

Setup

1. Create an API key

Terminal

mp apikey create my-mcp-key # Save the mp_... key

2. Add to Claude Code

Quick setup

claude mcp add meowpass -e MEOWPASS_API_KEY=mp_your_key -- npx -y @meowlabs/meowpass-mcp

Or add to Cursor / Windsurf

.cursor/mcp.json or windsurf mcp config

{ "mcpServers": { "meowpass": { "command": "npx", "args": ["-y", "@meowlabs/meowpass-mcp"], "env": { "MEOWPASS_API_KEY": "mp_your_key_here" } } } }

Available Tools (14)

Tool	What it does	Env
meowpass_whoami	Current user, email, plan	—
meowpass_list_vaults	List all vaults	—
meowpass_list_secrets	List keys (filter by env or all)	optional
meowpass_get_secret	Fetch encrypted secret	optional
meowpass_set_secret	Create or update a secret	optional
meowpass_delete_secret	Remove a secret	optional
meowpass_create_vault	Create a new vault	—
meowpass_delete_vault	Delete a vault	—
meowpass_pull	Pull secrets (filter by env)	optional
meowpass_decrypt	Decrypt with master password	—
meowpass_diff	Compare .env with vault env	optional
meowpass_init	Scan .env files + detect .meowpass.yaml	—
meowpass_run	Run with injected secrets	optional
meowpass_run_redacted	Run — scrubs secrets from output	optional

Example Workflows

Drift detection

"Is my .env up to date with the vault?"

→ Claude calls meowpass_diff and reports which keys are missing or changed.

Secret scaffolding

"I just added Stripe to this project, set up the secrets."

→ Claude detects Stripe SDK, creates placeholder secrets (STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET).

Safe deployment

"Deploy this with production secrets."

→ Claude calls meowpass_run_redacted to inject secrets and run the deploy command. Secret values never appear in the chat.

Redacted Mode

The meowpass_run_redactedtool injects secrets into a subprocess but scrubs all secret values from the output before returning to the LLM. The AI orchestrates the action without ever "seeing" the secret values.

Response:

Redacted output

{ "secrets_injected": 12, "exit_code": 0, "stdout": "Deployed to [REDACTED:AWS_SECRET]...", "values_exposed": false }

Security Considerations

• API keys have scopes — create read-only keys for AI agents
• Use meowpass_run_redacted to prevent secrets from leaking into LLM context
• Every MCP access is logged in the audit trail with source: mcp
• Revoke compromised API keys instantly: mp apikey revoke <id>