Delinea releases an Model Context Protocol (MCP) server The Delinea Platform and Delinea Secret Server provide AI agents with access to the credentials. It applies policy and identity rules to every call in order to prevent long-lived secret from being stored by agents while still allowing full auditability.
What is new to me?
It is important to note that the word “you” means “the”. GitHub project DelineaXPM/delinea-mcp The (MIT-licensed version) provides a restricted MCP tool interface for account and credential operations. It supports both STDIO/HTTP/SSE and OAuth 2.0 dynamic registration as per MCP spec. This repo contains Docker artifacts as well as example configurations for agent/editor integration.
What it does?
Secrets are vaulted, but the server provides MCP tools to proxy them to Secret Server (and optionally, the Delinea Platform): folder and secret retrieval/search; inbox/access request helpers; user/session administration and report execution. Secrets themselves do not appear to agents. Configuration divides secrets (e.g. DELINEA_PASSWORDSecrets and Non-Secrets config.jsonThe scope control (enabled_toolsTLS certificates, as well as a pre-shared registration key, are optional.
Tell me what it is that I should care about.
MCP is a fast-growing tool for enterprises to connect agents with operational systems. Recent incidents—such as a rogue MCP package exfiltrating email—underscore the need for registration controls, TLS, least-privilege tool surfaces, and traceable identity context on every call. Delinea’s server Claims to implement controls using a PAM aligned pattern. (Ephemeral auth plus policy checks and audit) This reduces credentials sprawl while simplifying the revocation.
You can read more about it here:
Delinea’s MIT-licensed MCP server gives enterprises a standard, auditable way for AI-agent credential access—short-lived tokens, policy evaluation, and constrained tools—to reduce secret exposure while integrating with Secret Server and the Delinea Platform. You can get it now at GitHubThe initial coverage of OAuth2 and the technical details for STDIO/HTTP (SSE) transports and scoped operation.
