If you're running MCP (Model Context Protocol) servers, your API keys are probably sitting in plaintext config files. Here's how to fix that in 5 minutes.
What You'll Build
A setup where:
- Your AI agents (Claude Desktop, Cursor, etc.) can use APIs
- No agent ever sees a raw API key
- Every API call is logged with timestamps
- You can revoke access instantly
Prerequisites
- Node.js 18+
- An MCP-compatible client (Claude Desktop, Cursor, etc.)
- At least one API key you want to protect
Step 1: Install Janee
```shell
npm install -g @true-and-useful/janee
```
Janee is an open-source MCP server specifically designed for secrets management.
Step 2: Initialize
```shell
janee init
```
This creates ~/.janee/config.yaml with a starter template.
Step 3: Add Your First Service
```shell
janee add
```
The interactive wizard walks you through it:
```text
Service name: github
Base URL: https://api.github.com
Auth type: bearer
API key: ghp_your_actual_token_here
✓ Added service "github"

Create a capability for this service? (Y/n): y
Capability name: github-read
TTL: 1h
Auto-approve? (Y/n): y
✓ Created capability "github-read"
```
Your key is now encrypted in ~/.janee/ — not in any MCP client config.
Step 4: Start the Server
```shell
janee serve
```
Janee is now running as an MCP server.
Step 5: Connect Your MCP Client
For Claude Desktop, add to your MCP config:
```json
{
  "mcpServers": {
    "janee": {
      "command": "janee",
      "args": ["serve"]
    }
  }
}
```
For Cursor or other MCP clients, the setup is similar — just point to janee serve.
Step 6: Use It
Your agent now has access to the `execute` tool. When it needs to call GitHub's API:

```text
Agent: "I need to check the latest issues"
→ Calls execute(capability: "github-read", endpoint: "GET /repos/owner/repo/issues")
→ Janee injects the real token, makes the call, returns the response
→ Agent gets the data, never sees ghp_xxx
```
Step 7: Check the Audit Log
```shell
janee logs
```
Output:
```text
2024-02-12 14:30:00 [github-read] GET /repos/owner/repo/issues → 200 (142ms)
2024-02-12 14:30:05 [github-read] GET /repos/owner/repo/pulls → 200 (89ms)
```
Every API call, logged automatically.
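To make the Step 6 flow and the Step 7 audit log concrete, here is an added sketch of the broker pattern in Node.js. It is illustrative code written for this post, not Janee's implementation: the `vault`, `capabilities`, `fakeFetch` and `revoke` names are assumptions, the secrets are constructed sample values held in memory, and `execute(capability, endpoint)` mirrors the tool signature shown above.

```javascript
// Added illustration of the broker flow (execute -> token injection -> audit log).
// Hypothetical sketch, not Janee's code. Secrets and capabilities are constructed
// sample data kept in memory; a real broker keeps them encrypted at rest.
const ISSUED_AT = Date.now();
const vault = {                       // only the broker process ever reads this
  github: { baseUrl: "https://api.github.com", token: "ghp_CONSTRUCTED_SAMPLE" },
};
const capabilities = {                // what an agent may do, never what it holds
  "github-read": { service: "github", methods: ["GET"], ttlMs: 3600_000,
                   issuedAt: ISSUED_AT, maxCalls: 100, calls: 0 },
};
const auditLog = [];

// Offline stand-in for fetch(); the test swaps in its own implementation to
// confirm that the broker, not the caller, supplied the bearer header.
function fakeFetch(method, url, headers) {
  return { status: 200, body: `ok ${method} ${url}` };
}

// The single tool exposed to the agent, mirroring execute(capability, endpoint).
// Checks: capability exists, TTL not expired, per-capability rate limit, HTTP
// method allowed. Only then is the real token attached, server-side.
function execute(capability, endpoint, now = Date.now(), fetchImpl = fakeFetch) {
  const cap = capabilities[capability];
  if (!cap) throw new Error(`unknown or revoked capability: ${capability}`);
  if (now - cap.issuedAt > cap.ttlMs) throw new Error(`capability expired: ${capability}`);
  if (cap.calls >= cap.maxCalls) throw new Error(`rate limit hit: ${capability}`);
  const [method, path] = endpoint.split(" ", 2);
  if (!cap.methods.includes(method)) throw new Error(`${method} not permitted by ${capability}`);
  const svc = vault[cap.service];
  cap.calls += 1;
  const res = fetchImpl(method, svc.baseUrl + path, { Authorization: `Bearer ${svc.token}` });
  auditLog.push(`${new Date(now).toISOString()} [${capability}] ${method} ${path} -> ${res.status}`);
  // Only status and body cross the boundary; the bearer token never does.
  return { status: res.status, body: res.body };
}

// Equivalent of `janee remove github`: dropping the service removes every
// capability that depended on it, so the agent loses access immediately.
function revoke(service) {
  delete vault[service];
  for (const name of Object.keys(capabilities)) {
    if (capabilities[name].service === service) delete capabilities[name];
  }
}
```

Note that the agent-facing return value is deliberately stripped down to status and body, which is the property the whole setup exists to provide.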
What You've Gained
| Before | After |
|---|---|
| Keys in plaintext configs | Keys encrypted in `~/.janee/` |
| No idea what agents access | Full audit log |
| Revoke = find and delete everywhere | Revoke = `janee remove github` |
| Each client needs each key | Configure once, all clients use Janee |
| No rate limiting | Built-in rate limits per capability |
Adding More Services
```shell
janee add   # Stripe, OpenAI, Twilio, anything with an API
```
Each service gets its own capabilities, TTLs, and access controls.
Next Steps
- ⭐ Star Janee on GitHub to follow updates
- 📖 Read the full docs
- 🔒 Check out my MCP Security Checklist
Questions? Open an issue on the GitHub repo.
Janee is free, open-source, and takes 5 minutes to set up. Your API keys deserve better than plaintext.