# API Locker Encrypted credential vault with a 21-tool MCP server. Store and manage LLM API keys, service API keys, and OAuth credentials — then let your AI agent list, reveal, rotate, rename, pause, and proxy ca… ## Quick Start ```bash # Connect this server (installs CLI if needed) npx -y @smithery/cli@latest mcp add asancivieri/apilocker # Browse available tools npx -y @smithery/cli@latest tool list asancivieri/apilocker # Get full schema for a tool npx -y @smithery/cli@latest tool get asancivieri/apilocker list_keys # Call a tool npx -y @smithery/cli@latest tool call asancivieri/apilocker list_keys '{}' ``` ## Direct MCP Connection Endpoint: `https://apilocker--asancivieri.run.tools` ## Tools (21) - `list_keys` — List credentials in the user's vault grouped by category (LLM / Service / OAuth). Returns metadata only — never raw sec… - `get_key_metadata` — Get full metadata for one credential by its alias (name). Returns provider, type, tags, paused state, rotation history.… - `reveal_key` — Reveal the decrypted value of a credential by alias. For api_key credentials, returns the single secret string. For oau… - `list_providers` — List all available provider templates. Useful for discovering what providers can be used when storing new credentials. - `get_activity` — Get recent audit log entries showing how credentials have been used. Returns proxy calls, reveals, rotations, renames, … - `run_doctor` — Run a security health check on the vault. Returns warnings about stale rotations, unused keys, expiring tokens, stale d… - `proxy_request` — Make an API request through the locker proxy. The real API key is injected automatically — the agent never sees the raw… - `store_key` — Store a new api_key credential in the vault. The secret is encrypted with AES-GCM before being stored. Use store_oauth_… - `store_oauth_credential` — Store a new OAuth multi-field credential (client_id, client_secret, refresh_token, etc.). For OAuth providers like Goog… - `rotate_key` — Replace a credential's value in place with a new one. The credential's name, provider, and all metadata stay the same. … - `rename_key` — Rename a credential alias. The old name is remembered as a legacy alias forever, so existing references to the old name… - `pause_key` — Pause proxy access for a credential without deleting it. Reveal/run/get/env operations still work on paused credentials… - `resume_key` — Resume proxy access for a paused credential. Requires master token auth. - `delete_key` — Permanently delete a credential. The encrypted blob is removed from KV and the metadata row is removed from D1. This ca… - `list_tokens` — List scoped access tokens for the user's account. Each token authorizes proxy/MCP access to a specific subset of creden… - `create_token` — Create a new scoped access token. Returns the access token and (for rotating tokens) the refresh token. Requires master… - `pause_token` — Pause a scoped token. Paused tokens cannot be used until resumed. Requires master token auth. - `resume_token` — Resume a paused scoped token. Requires master token auth. - `revoke_token` — Permanently revoke (delete) a scoped token. Cannot be undone. Requires master token auth. - `list_devices` — List all devices registered to the user's account. Requires master token auth. - `revoke_device` — Revoke a registered device. The device's master token immediately stops working. Requires master token auth. ```bash # Get full input/output schema for a tool npx -y @smithery/cli@latest tool get asancivieri/apilocker ```