MCP Server

EnvNest exposes an MCP (Model Context Protocol) endpoint so AI coding tools can read and write secrets on your behalf. Requests are token-authenticated and RBAC-gated — the token's permissions determine exactly which tools are available and which resources can be accessed.

Endpoint

All MCP calls use a single HTTP endpoint:

POST https://app.envnest.dev/mcp

The protocol is JSON-RPC 2.0 over HTTP. The bearer token in the Authorization header controls which tools are registered and what resources can be accessed.

Authentication

Generate a service account token from the EnvNest dashboard and pass it as a bearer token in every request:

Authorization: Bearer <your-service-account-token>

The fastest way to configure this for your project is:

$ envnest ai init

This writes your active profile token into the MCP config for every detected AI tool in the current project directory.
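Because the token ends up as plain text in JSON files inside the project directory, it is worth checking that those files are not tracked by git or readable by other users. The script below is an added example, not EnvNest code; it assumes the config paths are the ones listed under Manual Setup and treats `<...>` values as placeholders.

```python
import json
import subprocess
from pathlib import Path

# Project-relative MCP config paths named under "Manual Setup" on this page.
MCP_CONFIGS = [".claude/settings.json", ".cursor/mcp.json",
               ".windsurf/mcp.json", ".codex/mcp.json"]

def bearer_tokens(node, name=None):
    """Yield (server_name, token); servers may be top-level or under mcpServers."""
    if not isinstance(node, dict):
        return
    headers = node.get("headers")
    auth = headers.get("Authorization") if isinstance(headers, dict) else None
    if isinstance(auth, str) and auth.startswith("Bearer "):
        yield name, auth[len("Bearer "):].strip()
    for key, child in node.items():
        yield from bearer_tokens(child, key)

def git_state(root, rel):
    """'tracked', 'ignored', 'untracked', or 'unknown' (no git / not a repo)."""
    def rc(*args):
        return subprocess.run(["git", "-C", str(root), *args, "--", rel],
                              capture_output=True).returncode
    try:
        if rc("ls-files", "--error-unmatch") == 0:
            return "tracked"
        return {0: "ignored", 1: "untracked"}.get(rc("check-ignore", "-q"), "unknown")
    except FileNotFoundError:
        return "unknown"

def audit(root):
    """Report config files holding a literal token; the token is never returned."""
    findings = []
    for rel in MCP_CONFIGS:
        path = Path(root) / rel
        try:
            doc = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # file absent or not valid JSON: nothing to inspect
        for server, token in bearer_tokens(doc):
            if token.startswith("<") and token.endswith(">"):
                continue  # documentation placeholder such as <your-token>
            findings.append({"file": rel, "server": server,
                             "git": git_state(root, rel),
                             "loose_mode": bool(path.stat().st_mode & 0o077)})
    return findings

if __name__ == "__main__":
    print(*audit("."), sep="\n")
```

A finding with `git` equal to `tracked` means the token is in the repository history and should be rotated; `loose_mode` set to true means group or other permission bits are present on the file.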

Available Tools

All 11 tools are automatically available through any MCP-compatible AI coding tool. Read-only tokens only see read tools in the tool list — write tools are hidden entirely.

| Tool | Description | Required permission |
| --- | --- | --- |
| envnest_list_projects | List all projects accessible to the token | environment.secrets.read |
| envnest_list_environments | List environments in a project | environment.secrets.read |
| envnest_list_secrets | List secret keys in an environment (values masked by default) | environment.secrets.read |
| envnest_get_secret | Fetch the decrypted value of a single secret | environment.secrets.read |
| envnest_set_secret | Create or update a secret | environment.secrets.write |
| envnest_delete_secret | Soft-delete a secret | environment.secrets.write |
| envnest_sync_pull | Export secrets as .env / JSON / YAML | environment.secrets.export |
| envnest_sync_push | Import secrets from a local file into an environment | environment.secrets.write |
| envnest_sync_diff | Show differences between local and remote secret state | environment.secrets.export |
| envnest_analyze | AI risk analysis and secret grouping (uses EnvNest AI quota) | environment.secrets.read |
| envnest_create_environment | Create a new environment in a project | environment.secrets.write |

Manual Setup

If you prefer to configure your AI tool manually instead of using envnest ai init:

Claude Code

Add to .claude/settings.json:

{
  "mcpServers": {
    "envnest": {
      "url": "https://app.envnest.dev/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

Cursor

Add to .cursor/mcp.json:

{
  "envnest": {
    "url": "https://app.envnest.dev/mcp",
    "headers": {
      "Authorization": "Bearer <your-token>"
    }
  }
}

Windsurf

Add to .windsurf/mcp.json:

{
  "envnest": {
    "url": "https://app.envnest.dev/mcp",
    "headers": {
      "Authorization": "Bearer <your-token>"
    }
  }
}

Codex

Add to .codex/mcp.json:

{
  "envnest": {
    "url": "https://app.envnest.dev/mcp",
    "headers": {
      "Authorization": "Bearer <your-token>"
    }
  }
}

Self-Hosted

For self-hosted EnvNest instances, replace the endpoint URL with your instance domain:

{
  "envnest": {
    "url": "https://your-instance.com/mcp",
    "headers": {
      "Authorization": "Bearer <your-token>"
    }
  }
}

The MCP endpoint is enabled by default. To disable it, set ENVNEST_MCP_ENABLED=false in your instance .env.

When using envnest ai init, the URL is taken from your active profile automatically — no manual URL configuration needed.