MCP Proxy: Secure AI Agent Connections

Set up a secure proxy that gives AI agents access without exposing your real credentials.

What is the MCP Proxy?

The MCP proxy acts as a secure intermediary for your AI agents (Cursor, Windsurf, Claude, etc.). Your agent gets a proxy key (a random string). When the agent makes a request, the proxy validates the key, fetches the real token from your vault, injects it into the request headers, and forwards everything to the upstream service. The agent never sees your real credentials.

[Diagram: How It Works]

[Diagram: Proxy Flow]

Creating a Proxy

  1. Go to the MCP Proxy tab and click "Create MCP Proxy".
  2. Choose a method: Manual Config, Templates, or Import JSON.
  3. For manual: enter a name, the upstream MCP URL, select which stored token to inject, and configure headers.
  4. Use ${TOKEN} as a placeholder in headers where the real token should be injected (e.g., Authorization: Bearer ${TOKEN}).
  5. Click "Generate Config" to get the proxy configuration JSON.
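The request handling described under "What is the MCP Proxy?", together with the ${TOKEN} placeholder from step 4, as an added Python example. It is not Token Vault's own code: PROXIES, VAULT, BLOCKED, both function names, and the sample key, token and upstream URL are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample data. PROXIES and VAULT are hypothetical stand-ins for
# the service's proxy table and token store; only key digests are kept.
PROXIES = {
    hashlib.sha256(b"mcp_constructed_key").hexdigest(): {
        "upstream": "https://mcp.example.com/mcp",
        "token_id": "github",
        "headers": {"Authorization": "Bearer ${TOKEN}"},
    }
}
VAULT = {"github": "constructed-upstream-token"}

# Credential-bearing headers an agent must not be able to pass upstream.
BLOCKED = {"authorization", "proxy-authorization", "cookie", "host"}


def find_proxy(request_url):
    """Extract ?key= from the request URL and match it in constant time."""
    keys = parse_qs(urlsplit(request_url).query).get("key", [])
    if len(keys) != 1:
        return None  # missing or duplicated key parameter
    digest = hashlib.sha256(keys[0].encode()).hexdigest()
    for stored, record in PROXIES.items():
        if hmac.compare_digest(stored, digest):
            return record
    return None


def build_upstream_request(request_url, agent_headers, body):
    """Return the request to forward upstream, or None if the key is invalid."""
    record = find_proxy(request_url)
    if record is None:
        return None
    token = VAULT[record["token_id"]]
    # Drop agent-supplied headers that carry credentials or collide with a
    # configured header, so the injected value is the only one sent.
    blocked = BLOCKED | {name.lower() for name in record["headers"]}
    headers = {k: v for k, v in agent_headers.items() if k.lower() not in blocked}
    for name, template in record["headers"].items():
        headers[name] = template.replace("${TOKEN}", token)
    # The upstream URL comes from the stored record, so the proxy key in the
    # query string is never forwarded.
    return {"url": record["upstream"], "headers": headers, "body": body}
```
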

Manual Configuration

Fill in the proxy name, upstream URL, and select a token to inject:

[Screenshot: Create MCP Proxy: Manual Config tab]

Import from JSON

If you have an MCP config snippet from a tool's documentation (e.g., { "mcpServers": { ... } }), switch to the Import JSON tab in the create dialog, paste it, and Token Vault will automatically extract the URL and headers for you:

[Screenshot: Create MCP Proxy: Import JSON tab]

Proxy Ready

After generating the config, the dialog shows the proxy configuration JSON that you copy into your agent's config file:

[Screenshot: Proxy Ready success with config]

Connecting Your Agent

Copy the generated JSON and paste it into your agent's configuration file:

Agent config (e.g., cursor_mcp.json)
{
  "mcpServers": {
    "github-proxy": {
      "url": "https://api.tokenvault.uk/api/proxy/mcp?key=YOUR_PROXY_KEY",
      "headers": {}
    }
  }
}

Notice: headers is empty because Token Vault handles authentication server-side.

Claude.ai Connectors

Claude.ai web UI connectors expect a plain URL — no JSON config file, no custom headers. Use the Copy URL button on the proxy card (or the "Token in URL" tab in the config dialog) to get a URL with the key embedded:

https://api.tokenvault.uk/api/proxy/mcp?key=mcp_YOUR_PROXY_KEY

Paste this directly into the Add connector dialog in Claude.ai. The key is in the URL, so no additional authentication setup is needed.

The proxy supports both Streamable HTTP and SSE transports, so it works with transport negotiation out of the box.

Managing Proxies

The MCP Proxy page shows all your configured proxies with their status, upstream URL, and action buttons:

[Screenshot: MCP Proxy list with cards]

Webhook Mode + MCP Proxy

In Webhook Mode, the proxy forwards credential requests to your webhook. Token Vault never sees your plaintext credentials. Your webhook decrypts and injects them into the upstream request. If your webhook is offline, the proxy returns a 503 error.
