Claude Code is fast. You describe a task, it writes code, runs commands, deploys infrastructure. But the moment it needs a credential — a database password, an API key, or a TOTP code — you’re forced to stop, open your password manager, and manually retrieve it.
passwd-mcp removes that interruption. It is an MCP server that connects Claude Code to your team’s Passwd vault while ensuring that raw credential values never enter the AI context.
Setup
Connecting Passwd to Claude Code takes a single command.
claude mcp add passwd-mcp \
-e PASSWD_ORIGIN=https://your-company.passwd.team \
-- npx -y @passwd/passwd-mcp@1.3.1
Replace https://your-company.passwd.team with your Passwd deployment URL.
After running this command, Claude Code automatically discovers the available tools.
Authenticate
The first time Claude Code calls a vault tool, it will trigger a Google OAuth login.
Open the login URL in your browser, authenticate with the same Google account you use for Passwd, and paste the redirect URL back into Claude Code.
Tokens are stored in your system keychain, so this step only happens once.
If you prefer non-interactive authentication, you can set the PASSWD_ACCESS_TOKEN environment variable instead.
What Claude Code can access
After setup, Claude Code can use several vault tools through MCP.
The agent can:
- search the vault for credentials
- view secret metadata with credential values redacted
- generate TOTP codes
- identify the authenticated user
Sensitive fields such as passwords or API keys are replaced with ••••••••.
This allows Claude Code to reason about credentials without exposing their values.
Why MCP should never return raw passwords
Every result returned by an MCP tool enters the AI model’s context window.
Anything in that context could be extracted through prompt injection, logged by the system, or captured in model telemetry.
For this reason, returning raw credentials through MCP is considered an unsafe design.
Passwd avoids this by structurally redacting sensitive fields before they reach the AI model.
Credential values are never included in MCP responses.
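One way to implement structural redaction, shown as an added example and not Passwd's own code. The record shape, field names, and helper names are assumptions. An allowlist passes only known metadata and masks every other field, so a secret field added later fails closed.

```javascript
// Added example: allowlist-based redaction of a vault record before it is
// returned as an MCP tool result. Field names are hypothetical, not the
// real Passwd schema.
const MASK = "••••••••";

// Only these metadata fields may reach the model verbatim.
const SAFE_FIELDS = new Set(["id", "name", "type", "tags"]);

// Replace every leaf with the mask but keep the shape, so the model can
// still see which fields exist.
function maskLeaves(value) {
  if (Array.isArray(value)) return value.map(maskLeaves);
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, maskLeaves(v)])
    );
  }
  return MASK;
}

// URLs are metadata, but can embed credentials as user:pass@host.
function stripUserinfo(u) {
  try {
    const url = new URL(u);
    url.password = "";
    url.username = "";
    return url.href;
  } catch {
    return MASK; // unparseable value: fail closed
  }
}

function redactRecord(record) {
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (SAFE_FIELDS.has(key)) out[key] = value;
    else if (key === "urls" && Array.isArray(value)) out[key] = value.map(stripUserinfo);
    else out[key] = maskLeaves(value); // unknown or sensitive field
  }
  return out;
}

// Constructed sample record; all values are made up for this example.
const sample = {
  id: "abc123", name: "Staging DB", type: "password", tags: ["payments-dev"],
  urls: ["https://app:s3cr3t-in-url@staging.db.example/"],
  password: "hunter2-constructed", totpSeed: "JBSWY3DPEHPK3PXP",
  customFields: [{ label: "API key", value: "sk_test_constructed" }],
};
```

A denylist of names like `password` would have passed `totpSeed`, the custom field, and the URL userinfo through unmasked.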
Using credentials safely
Some workflows require the agent to actually use credentials, not just browse them.
In those cases you can add the Passwd agent CLI as an optional companion tool.
The agent CLI allows Claude Code to run commands with credentials injected into the process environment without exposing the values.
Example:
npx -y @passwd/passwd-agent-cli@1.3.1 exec \
--inject DB_PASS=abc123:password \
-- psql -h staging.db -U app
The CLI retrieves the secret from the vault and injects it as an environment variable for the command.
Stdout masking ensures the credential never appears in the agent output.
The raw value flows directly to the subprocess and never enters the AI conversation.
Example workflows
Generate a TOTP code
You can ask Claude Code:
“Generate the TOTP code for the AWS admin account.”
Claude Code retrieves the credential and generates the current six-digit code.
Because TOTP codes expire after 30 seconds, they are safe to return in the conversation.
Browse credentials
You can ask:
“What credentials do we have tagged production?”
Claude Code searches the vault and returns matching secrets with metadata such as name, type, URLs, and tags.
Credential values remain redacted.
Start a development environment
You can also combine vault browsing with the agent CLI.
Example request:
“Find the credentials tagged payments-dev and start the services.”
Claude Code searches the vault via MCP to find the correct secret IDs, then runs a command using exec --inject to start services with the required environment variables.
Credentials are used by the process but never appear in the conversation.
Security model
passwd-mcp runs locally on your machine. The MCP server communicates directly with your Passwd deployment over HTTPS.
Claude Code operates with the same permissions as your Passwd account. The agent can only access secrets you already have access to.
Sensitive fields are structurally redacted before reaching the AI model, ensuring that raw credential values cannot be leaked through the conversation.
Full source code is available at:
https://github.com/pepuscz/passwd