Open Source MIT License

Let AI agents use your credentials without ever seeing them.

Passman is a secure credential proxy MCP server built in Rust. AI agents reference credentials by name — Passman injects them server-side. Secrets are never exposed.

6 Protocols
14 MCP Tools
8 Credential Types
100% Free & Open
Works with your favorite MCP clients: Claude Code, Claude Desktop, Cursor, VS Code Copilot, Windsurf

How It Works

AI agents never touch your secrets. Passman acts as a secure intermediary, injecting credentials server-side and scrubbing them from all responses.

Step 1: AI Requests. Agent calls an MCP tool, referencing a credential by name.
Step 2: Policy Check. Passman validates the request against per-credential policies.
Step 3: Secret Injection. Credentials are decrypted and injected into the outbound request.
Step 4: Execute & Scrub. Response is sanitized: all secret traces removed across 6 encodings.
Step 5: Safe Result. AI gets the clean result. Secrets were never visible to the agent.

Features

Everything you need to securely bridge AI agents with your credentials, services, and infrastructure.

Multi-Protocol Proxy

One tool for all protocols. Proxy HTTP requests, execute SSH commands, run SQL queries across Postgres, MySQL, and SQLite, and send emails via SMTP.

HTTP / SSH / SQL / SMTP

Encrypted Local Vault

AES-256-GCM encryption with Argon2id key derivation. Your vault file never leaves your machine. No cloud sync, no telemetry, no third-party access.

AES-256-GCM + Argon2id

8 Credential Types

Native support for passwords, API tokens, SSH keys, SSH passwords, database connections, certificates, SMTP accounts, and custom types.

Output Sanitization

Every response is scrubbed for secret leaks across 6 encoding variants: raw, Base64, URL-encoded, hex, upper-hex, and partial matches.

6 Encoding Variants
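
The multi-encoding scrub described above, sketched as an added example (not Passman's source code). The `variants` and `scrub` names, the `[REDACTED]` marker and the rule used for "partial matches" (first and last 8 bytes of secrets of 12 or more bytes) are assumptions; the page does not define them.

```rust
// Added example (not Passman source): std-only scrubbing across encodings.
const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

fn base64(data: &[u8]) -> String {
    let mut out = String::new();
    for c in data.chunks(3) {
        let n = (c[0] as u32) << 16 | (*c.get(1).unwrap_or(&0) as u32) << 8 | *c.get(2).unwrap_or(&0) as u32;
        for i in 0..4usize {
            out.push(if i <= c.len() { B64[(n >> (18 - 6 * i) & 63) as usize] as char } else { '=' });
        }
    }
    out
}

fn hex(data: &[u8], upper: bool) -> String {
    data.iter().map(|b| if upper { format!("{:02X}", b) } else { format!("{:02x}", b) }).collect()
}

fn percent(data: &[u8]) -> String {
    data.iter().map(|&b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

// Every form of one secret to search for, longest first so whole values go before fragments.
fn variants(secret: &str) -> Vec<String> {
    let s = secret.as_bytes();
    let mut v = vec![secret.to_string(), base64(s), percent(s), hex(s, false), hex(s, true)];
    // Assumed "partial" rule: first and last 8 bytes of ASCII secrets of 12+ bytes.
    if s.len() >= 12 && secret.is_ascii() {
        v.extend([secret[..8].to_string(), secret[s.len() - 8..].to_string()]);
    }
    v.retain(|x| x.len() >= 4); // never replace empty or tiny patterns
    v.sort_by(|a, b| b.len().cmp(&a.len()).then(a.cmp(b)));
    v.dedup();
    v
}

fn scrub(response: &str, secrets: &[&str]) -> String {
    secrets.iter().flat_map(|s| variants(s))
        .fold(response.to_string(), |out, v| out.replace(&v, "[REDACTED]"))
}

fn main() {
    let secret = "tok_9f8e7d6c5b4a"; // constructed sample value
    let body = format!("echo {} / {}", secret, base64(secret.as_bytes()));
    println!("{}", scrub(&body, &[secret]));
}
```

Matching `base64(secret)` only catches a secret that was encoded on its own or at a 3-byte-aligned offset; a secret Base64-encoded inside a longer string at another offset produces different characters. A scrubber of this kind is therefore a backstop behind the other layers, not a guarantee.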

Per-Credential Policies

Fine-grained control: URL pattern whitelists for HTTP, command patterns for SSH, read-only mode for SQL, recipient restrictions for SMTP, and rate limits per credential.

Audit Trail

Every operation is logged with timestamps, credential IDs, operation types, and outcomes. Full accountability for every proxy call.

Desktop GUI

Manage your vault visually with the Tauri v2 + React desktop app. Create, edit, and organize credentials without touching the terminal.

Tauri v2 + React

14 MCP Tools

Complete toolkit: vault management, credential CRUD, searching, proxy operations for all protocols, and audit log access — all via the MCP protocol.

Memory Safety

Built in Rust with zeroize for cryptographic memory hygiene. Secrets are wiped from memory immediately after use. No GC, no lingering data.

Rust + Zeroize

Architecture

A layered Rust architecture. Each crate has a single responsibility. Zero unnecessary dependencies between layers.

MCP Clients: Claude Code, Cursor, VS Code, Claude Desktop, Windsurf
MCP Server (passman-mcp): 14 Tools, stdio transport
Proxy Layer: HTTP (reqwest), SSH (russh), SQL (sqlx), SMTP (lettre), Sanitizer
Vault (passman-vault): AES-256-GCM, Argon2id KDF, Policy Engine
Services: REST APIs, SSH Hosts, PostgreSQL, MySQL, SQLite, SMTP Servers

6 Layers of Security

Defense in depth. Every layer is a barrier between AI agents and your raw secrets.

1. No Raw Secret Access

The MCP protocol never exposes secret values. AI agents can only list, search, and reference credentials by name or UUID. No read-secret tool exists.

2. Output Sanitization

All proxy responses are scrubbed for secret leaks across 6 encoding variants: raw text, Base64, URL-encoded, hex, upper hex, and partial matches.

3. Policy Engine

Per-credential rules: URL whitelists for HTTP, command patterns for SSH, read-only enforcement for SQL, recipient restrictions for SMTP. Deny by default.

4. Rate Limiting

Per-credential rate limits prevent runaway usage. Configurable max requests per window. Protects against accidental loops and abuse.

5. Audit Trail

Every proxy operation logged: timestamp, credential used, operation type, target, and result. Full forensic trail for review and compliance.

6. Memory Safety

Rust ownership model prevents memory bugs. Zeroize trait wipes secrets from RAM after use. No garbage collector delays, no dangling references.
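
Layers 3 and 4 combined in one check, as an added example that is not Passman's code: a deny-by-default URL allowlist followed by a fixed-window rate limit. The `Policy` and `Engine` shapes, the trailing-`*` pattern syntax, the credential name and the `example.test` URLs are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Hypothetical policy shape (assumption): the page does not show Passman's schema.
struct Policy { allowed_urls: Vec<&'static str>, max_requests: u32, window_secs: u64 }
struct Engine { policies: HashMap<&'static str, Policy>, windows: HashMap<String, (u64, u32)> }
#[derive(Debug, PartialEq)]
enum Decision { Allow, DenyNoPolicy, DenyUrl, DenyRate }

// Split "scheme://host/path" into (scheme://host, path); None if malformed.
fn origin_and_path(url: &str) -> Option<(&str, &str)> {
    let start = url.find("://")? + 3;
    let end = url[start..].find(|c: char| matches!(c, '/' | '?' | '#')).map_or(url.len(), |i| start + i);
    if end == start || url[start..end].contains('@') { return None; } // empty host or userinfo
    Some((&url[..end], &url[end..]))
}

// Assumed pattern syntax: exact URL, or a path prefix when it ends in '*'.
// The origin is compared whole, never as a string prefix of the request URL.
fn url_allowed(pattern: &str, url: &str) -> bool {
    let (pat, prefix) = match pattern.strip_suffix('*') { Some(p) => (p, true), None => (pattern, false) };
    match (origin_and_path(pat), origin_and_path(url)) {
        (Some((po, pp)), Some((uo, up))) => po.eq_ignore_ascii_case(uo)
            && !up.contains("..") && !up.to_ascii_lowercase().contains("%2e")
            && if prefix { up.starts_with(pp) } else { up == pp },
        _ => false,
    }
}

impl Engine {
    // `now` (seconds) is a parameter so the fixed-window logic is testable.
    fn check_http(&mut self, cred: &str, url: &str, now: u64) -> Decision {
        let p = match self.policies.get(cred) { Some(p) => p, None => return Decision::DenyNoPolicy };
        if !p.allowed_urls.iter().any(|pat| url_allowed(pat, url)) { return Decision::DenyUrl; }
        let w = self.windows.entry(cred.to_string()).or_insert((now, 0));
        if now.saturating_sub(w.0) >= p.window_secs { *w = (now, 0); }
        if w.1 >= p.max_requests { return Decision::DenyRate; }
        w.1 += 1;
        Decision::Allow
    }
}

// Constructed sample: one credential, one URL pattern, 2 requests per 60 s.
fn demo_engine() -> Engine {
    let p = Policy { allowed_urls: vec!["https://api.example.test/v1/*"], max_requests: 2, window_secs: 60 };
    Engine { policies: HashMap::from([("github-token", p)]), windows: HashMap::new() }
}

fn main() {
    let mut e = demo_engine();
    println!("{:?}", e.check_http("github-token", "https://api.example.test/v1/repos", 0));
}
```

Comparing the full scheme-and-host origin, instead of testing whether the request URL starts with the allowed string, is what keeps `api.example.test.evil.test` and `api.example.test@evil.test` from matching a pattern written for `api.example.test`.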

Installation

One command. No Rust, no cargo, no cloning. Downloads a pre-built binary for your platform.

1. Run the Installer

Downloads a pre-built binary for your platform to ~/.local/bin/. No dependencies required.

2. Add to Your AI Client

Add Passman to your MCP client config (Claude Code, Cursor, VS Code, etc). See configs below.

3. Restart Your AI Client

Restart the AI client so it picks up the new MCP server. Passman will be available immediately.

4. Start Using It

Tell your AI: "Unlock my Passman vault". It creates a new vault on first run. Then store credentials and use them securely.

Option 1: One-Line Installer (Recommended)
# Downloads pre-built binary. No Rust required.
$ curl -fsSL https://raw.githubusercontent.com/ahmadzein/passman/main/install.sh | bash
Option 2: Build from Source
# Requires Rust toolchain (https://rustup.rs)
$ git clone https://github.com/ahmadzein/passman.git
$ cd passman
$ cargo build --release -p passman-mcp-server
$ cp target/release/passman-mcp-server ~/.local/bin/
Option 3: Claude Code CLI
# After installing the binary, add directly via CLI
$ claude mcp add --transport stdio passman -- ~/.local/bin/passman-mcp-server

MCP Client Configuration

Drop-in config for every major MCP client. Pick yours and paste.

.mcp.json (project root)
{
  "mcpServers": {
    "passman": {
      "command": "passman-mcp-server",
      "args": []
    }
  }
}
.cursor/mcp.json
{
  "mcpServers": {
    "passman": {
      "command": "passman-mcp-server",
      "args": []
    }
  }
}
.vscode/mcp.json
{
  "servers": {
    "passman": {
      "type": "stdio",
      "command": "passman-mcp-server",
      "args": []
    }
  }
}
claude_desktop_config.json
{
  "mcpServers": {
    "passman": {
      "command": "passman-mcp-server",
      "args": []
    }
  }
}
~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "passman": {
      "command": "passman-mcp-server",
      "args": []
    }
  }
}

Desktop App

Manage your vault visually. The desktop app shares the same vault as the MCP server — changes sync automatically.

macOS

Universal app for Apple Silicon & Intel Macs

Windows

64-bit installer for Windows 10+

Linux

AppImage, .deb, or .rpm

macOS users

The app is not signed with an Apple Developer certificate. After installing, open Terminal and run:

Remove quarantine
$ xattr -cr /Applications/Passman.app
Or install via CLI
# Installs MCP server + Desktop GUI in one command
$ curl -fsSL https://raw.githubusercontent.com/ahmadzein/passman/main/install.sh | GUI=1 bash

Why Passman?

The only MCP credential proxy with full protocol coverage, policy engine, and output sanitization.

Feature Passman Janee mcp-secrets-vault 1Password op Google Toolbox
HTTP Proxy ~ GET/POST only
SSH Proxy
SQL Proxy PG/MySQL/SQLite ~ SQL only, GCP bias
SMTP Proxy
Output Sanitization 6 encodings ~ N/A
Policy Engine Per-credential
Local Vault AES-256-GCM ~ Env vars Cloud
Desktop GUI
Pricing Free forever Free Free (abandoned) $3-8/mo Free
Open Source MIT

Ready to secure your AI workflows?

Open source, free forever, built in Rust. One command to install.

$ curl -fsSL https://raw.githubusercontent.com/ahmadzein/passman/main/install.sh | bash