BellaBe/claude-secrets
GPG-encrypted credential manager for Claude Code MCP channels. Keeps API tokens out of .env files that Claude can read.
Platform-specific configuration:
{
"mcpServers": {
"claude-secrets": {
"command": "npx",
"args": [
"-y",
"claude-secrets"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
GPG-encrypted credential storage for Claude Code MCP channels. Keeps tokens out of flat files where Claude's tools can read them.
MCP channel servers need API tokens. Storing them in .env files under ~/.claude/channels/ means Claude Code can read them via file tools. This moves credentials into pass (GPG-encrypted ~/.password-store/), which Claude cannot access.
# Prerequisites (one-time)
sudo apt install pass gnupg
gpg --gen-key
pass init <gpg-key-id> # gpg --list-keys to find it
# Place the directory
cp -r claude-secrets ~/claude-secrets
chmod +x ~/claude-secrets/secret.sh
# Optional alias
echo 'alias claude-secret="~/claude-secrets/secret.sh"' >> ~/.bashrc
source ~/.bashrcsecret.sh set <channel> <key> <value>
secret.sh get <channel> <key>
secret.sh list [channel]
secret.sh rm <channel> <key>
secret.sh migrate <channel> <ENV_KEY> <pass_key>Always quote values — tokens contain colons and special characters that the shell will split or truncate without quotes:
cd ~/claude-secrets
# ✓ Correct — quoted
./secret.sh set telegram bot-token "123456789:AAHfiqksKZ8..."
./secret.sh set telegram admin-id "987654321"
# ✗ Wrong — token gets truncated at the colon
./secret.sh set telegram bot-token 123456789:AAHfiqksKZ8...More examples:
./secret.sh set slack bot-token "xoxb-..."
./secret.sh set slack signing-secret "abc123..."
./secret.sh set discord bot-token "MTk..."Always verify the token works after storing:
# Telegram
curl "https://api.telegram.org/bot$(pass show claude-telegram/bot-token)/getMe"
# Discord
curl -H "Authorization: Bot $(pass show claude-discord/bot-token)" https://discord.com/api/v10/users/@meIf you get a 404 or 401, the token is wrong — re-store it with quotes.
./secret.sh get telegram bot-token./secret.sh list Loading reviews...