DelineaMCP

MCP server for the Delinea Secret Server and Platform APIs

Features

• Automatic authentication against Secret Server
• Extensive Secret Server tool set for managing folders, secrets, users, groups and roles. Includes inbox and access request helpers and coding agent utilities.
• ChatGPT compatibility tools (search and fetch) for controlled AI interactions.
• Optional Delinea Platform user management tools
• Supports either Server Sent Events or STDIO transport modes
• OAuth 2.0 with dynamic client registration per the MCP specification
• TLS support for secure connections
• Ready-to-run Docker image and development server entry point
• Tested with ChatGPT, Claude Desktop, remote Claude connector, VSCode Copilot and openwebui

Installation

[!NOTE]

This project uses uv (https://github.com/astral-sh/uv), but if you prefer to run commands without this, you can do pip and venv commands as usual if desired.

• Install Uv
• Initialize project: uv pip sync requirements.txt
• Use uv run server.py --config config.json

Configuration

Secrets such as passwords continue to come from environment variables. Provide DELINEA_PASSWORD in your shell environment. Optional features rely on additional variables such as AZURE_OPENAI_KEY or PLATFORM_SERVICE_PASSWORD.

Non-secret parameters belong in config.json:

{
  "delinea_username": "<username>",
  "delinea_base_url": "https://your-secret-server/SecretServer",
  "platform_hostname": "<tenant>.secureplatform.io",
  "platform_service_account": "<service_account>",
  "platform_tenant_id": "<tenant_id>",
  "azure_openai_endpoint": "https://example.openai.azure.com/",
  "azure_openai_deployment": "<deployment_name>",
  "auth_mode": "none",
  "transport_mode": "stdio",
  "chatgpt_disable_scope_checks": false,
  "port": 8000,
  "debug": false,
  "external_hostname": null,
  "ssl_keyfile": null,
  "ssl_certfile": null,
  "registration_psk": null,
  "jwt_key_path": ".cache/jwt.json",
  "oauth_db_path": ".cache/oauth.db",
  "enabled_tools": []
}

For Secret Server Cloud simply use the cloud URL without /SecretServer. Specify ssl_keyfile and ssl_certfile to enable HTTPS. For Let's Encrypt, use the privkey.pem and fullchain.pem files.

The configuration file supports the following keys:

• delinea_username - Secret Server username. Must be a programmatic user with permission to do the tasks you want.
• delinea_base_url - Base URL of your Secret Server instance.
• platform_hostname - Platform tenant hostname (enables Platform tools).
• platform_service_account - Service account used with the Platform API.
• platform_tenant_id - Tenant ID for Platform API requests.
• azure_openai_endpoint - Azure OpenAI endpoint. Only if you want the automatic report generation (most agents can generate their own report SQL so don't enable unless you need it).
• azure_openai_deployment - Deployment name for Azure OpenAI.
• auth_mode - Authentication mode (none or oauth). OAuth obviously doesn't work with stdio transport.
• transport_mode - stdio for command line or sse for HTTP/SSE.
• chatgpt_disable_scope_checks - Skip scope validation on ChatGPT requests. Enable only if you encounter problems connecting to ChatGPT.
• port - Port for the HTTP server in sse mode.
• debug - Enable verbose logging.
• external_hostname - Hostname used when constructing OAuth token audiences. Don't add HTTP(S) prefix or port.
• ssl_keyfile - Path to the SSL key for HTTPS. (eg privkey.pem)
• ssl_certfile - Path to the SSL certificate for HTTPS. (eg fullchain.pem)
• registration_psk - Pre-shared key required to register OAuth clients. You will need to type in this secret in your browser to approve OAuth connections.
• jwt_key_path - Location of the RSA

... View full README on GitHub