delinea-mcp
Provides an MCP server that exposes tools for interacting with Delinea Secret Server APIs (and optionally Delinea Platform user management). It supports OAuth 2.0 with dynamic client registration, and can run over stdio (for local/desktop connectors) or SSE/HTTP transport.
Score Breakdown
🔒 Security
README indicates HTTPS/TLS is optional via ssl_keyfile/ssl_certfile. Secrets are sourced from environment variables. OAuth endpoints are explicitly warned as development/testing oriented; specifically, /oauth/authorize accepts any redirect_uri without validation (open redirection risk) unless production restricts callbacks. Tool exposure can be reduced via enabled_tools and allowed search/fetch object types, supporting least-privilege at the MCP-tool layer.
Best When
You want an agent-friendly MCP interface to Delinea Secret Server/Platform with careful scoping (enabled_tools, allowed search/fetch object types) and you can secure the OAuth/token flow and transport.
Avoid When
You cannot restrict OAuth development/test behaviors (notably redirect_uri validation) or you need enterprise-grade operational guarantees like published SLAs, strong idempotency, and fully documented error semantics.
Use Cases
- Automate secret and folder management in Delinea Secret Server via AI/agent tools
- Search and fetch secrets, folders, and related entities with controlled tool access
- Assist with access request workflows (approve/deny, inbox/message handling)
- Administer users/roles/groups/folder structures through MCP tools
- Integrate with ChatGPT/Claude desktop-style MCP connectors using stdio or SSE
Not For
- Direct internet-facing deployment without tightening OAuth redirect_uri validation and TLS settings
- Use as a general-purpose secret exfiltration proxy without strict tool whitelisting and least-privilege Delinea account permissions
- Environments requiring a documented, formal REST/SDK contract beyond MCP tool invocation
Interface
Authentication
Auth_mode supports 'none' or 'oauth'. The server itself uses Delinea credentials to obtain bearer tokens for subsequent Delinea API requests. Config includes registration_psk, jwt_key_path, oauth_db_path, and external_hostname, implying a multi-step OAuth/token issuance flow.
Pricing
Open-source project; no hosted pricing indicated. Any costs depend on Delinea usage and optional Azure OpenAI features.
Agent Metadata
Known Gotchas
- ⚠ OAuth development/testing concern: /oauth/authorize accepts any redirect_uri and will redirect without validation; production must restrict approved callback URLs to prevent open redirection/code capture risk.
- ⚠ OAuth transport constraints: OAuth 'doesn't work with stdio transport' per README; ensure correct transport/auth mode pairing.
- ⚠ Tool registration is controlled by config.enabled_tools and enabled object types for search/fetch; an agent may fail if it expects tools not registered or object types not allowed.
- ⚠ Azure OpenAI-dependent tool (ai_generate_and_run_report) is automatically disabled if Azure OpenAI variables are missing; agents should check availability before calling.
Scores are editorial opinions as of 2026-03-30.