Onecli

v1.0.0Securitystable

Open-source credential vault, give your AI agents access to services without exposing keys.

ai-agentsclimcpnanoclawnodejs
Share:
2,231
Stars
0
Downloads
0
Weekly
0/5

What is Onecli?

Onecli is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to open-source credential vault, give your ai agents access to services without exposing keys.

Open-source credential vault, give your AI agents access to services without exposing keys.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Open-source credential vault, give your AI agents access to

Use Cases

Secure credential management for AI agents
Access services without exposing keys
onecli

Maintainer

LicenseApache-2.0
Languagetypescript
Versionv1.0.0
UpdatedMay 22, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx onecli

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Onecli

OneCLI is an open-source credential vault and API gateway that lets AI agents call external services without ever seeing real API keys. It transparently intercepts outbound requests, swaps placeholder tokens for AES-256-GCM encrypted secrets at request time, and routes credentials based on configurable host/path patterns. Teams use it to give AI agents broad service access in a controlled way — revocable per-agent tokens mean one compromised agent never exposes your whole key set.

Prerequisites

  • Docker and Docker Compose installed (required for the gateway and PostgreSQL backend)
  • Node.js 18+ and pnpm (for local development builds)
  • Rust toolchain if building from source (via mise)
  • An MCP-compatible client such as Claude Desktop or Claude Code
  • Optional: Google OAuth credentials (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET) for multi-user mode
1

Install OneCLI with the quick-install script

Run the official install script to download and start the OneCLI gateway and dashboard using Docker Compose. The dashboard becomes available on port 10254 and the credential injection gateway on port 10255.

curl -fsSL https://onecli.sh/install | sh
2

Verify the services are running

Open the web dashboard at http://localhost:10254 to confirm the gateway is live. The default single-user mode requires no additional login configuration.

open http://localhost:10254
3

Add your real credentials to the vault

In the dashboard, navigate to Secrets and create entries for each API key you want to protect. For each secret, set the host/path match pattern (e.g., api.openai.com) so the gateway knows which outbound requests to intercept and inject the real key.

4

Create a scoped agent token

Generate a per-agent placeholder token in the dashboard under Agent Tokens. Give this token only access to the secrets your agent needs. Hand this token to your AI agent instead of the real API key.

5

Route agent traffic through the OneCLI gateway

Configure your AI agent or MCP client to proxy all outbound HTTP calls through http://localhost:10255. The gateway pattern-matches requests and injects the correct real credentials before forwarding them.

6

Configure for production with environment variables

For production deployments, set the required environment variables before starting the Docker stack so credentials are encrypted at rest and OAuth login is enforced.

DATABASE_URL=postgresql://user:pass@localhost:5432/onecli
SECRET_ENCRYPTION_KEY=your-32-byte-hex-key
NEXTAUTH_SECRET=your-nextauth-secret
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret

Onecli Examples

Client configuration

OneCLI is a gateway/vault rather than a traditional MCP server, so you integrate it by proxying agent HTTP traffic. The example below shows how you might reference it in a custom MCP server wrapper that routes calls through the OneCLI gateway.

{
  "mcpServers": {
    "onecli-gateway": {
      "command": "npx",
      "args": ["onecli"],
      "env": {
        "ONECLI_GATEWAY_URL": "http://localhost:10255",
        "ONECLI_AGENT_TOKEN": "your-scoped-agent-token"
      }
    }
  }
}

Prompts to try

Once your AI agent's HTTP traffic flows through the OneCLI gateway, you can instruct the agent to call protected services without ever mentioning real keys.

- "Call the OpenAI API to summarize this document — use the credentials already configured."
- "Fetch data from our internal analytics API without showing me the API key."
- "Rotate the agent token for the data-pipeline agent and confirm the old token no longer works."
- "List all secrets currently stored in the vault and their associated host patterns."

Troubleshooting Onecli

Gateway starts but real API calls still fail with 401 Unauthorized

Check that the host/path pattern for the secret matches the exact domain the agent is calling (e.g., api.openai.com, not openai.com). Patterns are case-sensitive and must be set before the gateway processes the first request.

Docker Compose fails to start with a port-already-in-use error

Ports 10254 and 10255 may be taken by another service. Edit docker/docker-compose.yml to remap them, then restart with `docker compose -f docker/docker-compose.yml up -d --wait`.

SECRET_ENCRYPTION_KEY is auto-generated on each restart, breaking stored secrets

In production always set SECRET_ENCRYPTION_KEY to a fixed 32-byte hex value in your environment before starting the stack. Without a stable key, previously encrypted secrets cannot be decrypted.

Frequently Asked Questions about Onecli

What is Onecli?

Onecli is a Model Context Protocol (MCP) server that open-source credential vault, give your ai agents access to services without exposing keys. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Onecli?

Follow the installation instructions on the Onecli GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Onecli?

Onecli works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Onecli free to use?

Yes, Onecli is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

Onecli Alternatives — Similar Security Servers

Looking for alternatives to Onecli? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "onecli": { "command": "npx", "args": ["-y", "onecli"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Onecli?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides