MCP Tools Overview
import { Aside } from ‘@astrojs/starlight/components’;
OpaqueVault exposes 7 MCP tools through ov mcp serve. Every tool is designed around one constraint: plaintext secret values never appear in any tool response.
App context
Section titled “App context”When ov mcp serve starts, it uses the app configured in your OpaqueVault config (set via ov app use or the --app flag). All 7 tools operate within that context automatically — Claude Code does not need to pass an app parameter.
The active app is visible in vault_status.
| Tool | Purpose |
|---|---|
vault_run | Run a command with secrets injected as env vars |
vault_list_secrets | List secret names (not values) in the active app |
vault_secret_exists | Check whether a named secret exists |
vault_create_secret | Create a new secret |
vault_update_secret | Update an existing secret |
vault_delete_secret | Delete a secret |
vault_status | Session info, active app, interceptor count |
What tools return
Section titled “What tools return”All tools return structured JSON. The schema is designed so that no field in any response ever contains a plaintext secret value.
vault_run returns:
{ "exit_code": 0, "stdout": "migrations: 3 applied", "stderr": ""}vault_list_secrets returns:
{ "secrets": ["DATABASE_URL", "OPENAI_API_KEY", "STRIPE_SECRET_KEY"], "total": 3}vault_status returns:
{ "unlocked": true, "intercept_mode": "block", "intercepted_count": 0, "session_age_seconds": 142}Tool availability by plan
Section titled “Tool availability by plan”All 7 MCP tools are available on every plan including Free. The interceptor is always active.