Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "safehold": {
      "args": [
        "-y",
        "safehold@latest"
      ],
      "command": "npx"
    }
  }
}
Your identity documents, on your machine, shared only when you say so.
Run this in your terminal to verify the server starts:
npx -y 'safehold-skills' 2>&1 | head -1 && echo "✓ Server started successfully"
Note that the exit status of this pipeline is that of head, not of npx, so the success message prints even when npx fails; check the first line of output that precedes it rather than relying on the checkmark.
No known CVEs.
Checked safehold-skills against OSV.dev.
Get CVE alerts and security updates for io.github.Spacetime-Technology/safehold and similar servers.
Safehold is a local MCP server that stores passports, visas, driving licences, and other identity documents. When an AI agent needs your passport number to book a flight, it asks Safehold. You see what's being requested and why, then approve or deny. Nothing leaves your device.
Your identity data is scattered across dozens of services you don't control: banks, airlines, government portals, SaaS products. Each one holds a copy and decides for itself how to store it, whether to sell it, and how long it'll stick around. AI agents make this worse. Anything an agent can access, every API it touches can reach too.
Safehold is the alternative. The agent gets a field value. You get a consent prompt instead of a privacy policy. Your files stay where they are.
Open source, so none of this requires trust.
A few things that get confused with safehold but solve a different problem.
You can stuff a passport into 1Password. The op CLI can read specific fields. There's even an official 1Password MCP server now. So yes, parts of this overlap.
What's different is the trust model. Once your 1Password vault is unlocked, anything with that session can read anything in it. No per-field consent, no "why are you asking for this?" prompt. The vault is built for humans typing passwords, not for agents pulling structured fields with a stated reason.
Safehold gates each field individually, every time, with a purpose attached.
Browser autofill works fine if your agent is a browser filling a form. It doesn't help when it isn't. Agents working over APIs, CLI tools, or other MCP servers never see the autofill layer, so you end up copy-pasting from a passwords app into a chat anyway. Safehold gives a non-browser agent a way to request a passport number without that detour.
Platform wallets are locked to the platform. Apple Wallet won't hand your boarding pass to a third-party agent. mDL pilots and the EU eIDAS wallet are issuer-controlled and narrow in scope. None of them speak MCP, and none will let an agent on your laptop request a field from your driving licence.
Pasting the data into the chat: people do this. They drop their passport number into a system prompt, or type it into a message and trust the agent to handle it. The number then lives in chat history, gets shipped to the model provider, and sticks around in their logs. You also have no record of which agent used it for what.
Safehold keeps the document on disk, encrypted, and only releases the one field the agent asked for. Nothing extra ends up in the conversation.
Tempting if you're a developer. ~/identity.json plus the filesystem MCP is three lines of config and done. It also gives every other agent on the box the same access, with no encryption at rest, no logging, and no consent step. The first time that file shows up in a backup or a screen share, you have a problem.
KYC vendors. You send them your documents, they store them, and partner services query them on your behalf. The model assumes you don't hold the keys. Safehold takes the other direction: documents stay on your machine and you approve every release.
Built for service secrets, not personal identity. No human-facing consent flow, no schema for documen