{"id":"delineaxpm-delinea-mcp","name":"delinea-mcp","homepage":null,"repo_url":"https://github.com/DelineaXPM/delinea-mcp","category":"security","subcategories":[],"tags":["mcp","secret-management","delinea","oauth2","python","agent-tools","stdio","sse"],"what_it_does":"Provides an MCP server that exposes tools for interacting with Delinea Secret Server APIs (and optionally Delinea Platform user management). It supports OAuth 2.0 with dynamic client registration, and can run over stdio (for local/desktop connectors) or SSE/HTTP transport.","use_cases":["Automate secret and folder management in Delinea Secret Server via AI/agent tools","Search and fetch secrets, folders, and related entities with controlled tool access","Assist with access request workflows (approve/deny, inbox/message handling)","Administer users/roles/groups/folder structures through MCP tools","Integrate with ChatGPT/Claude desktop-style MCP connectors using stdio or SSE"],"not_for":["Direct internet-facing deployment without tightening OAuth redirect_uri validation and TLS settings","Use as a general-purpose secret exfiltration proxy without strict tool whitelisting and least-privilege Delinea account permissions","Environments requiring a documented, formal REST/SDK contract beyond MCP tool invocation"],"best_when":"You want an agent-friendly MCP interface to Delinea Secret Server/Platform with careful scoping (enabled_tools, allowed search/fetch object types) and you can secure the OAuth/token flow and transport.","avoid_when":"You cannot restrict OAuth development/test behaviors (notably redirect_uri validation) or you need enterprise-grade operational guarantees like published SLAs, strong idempotency, and fully documented error semantics.","alternatives":["Use Delinea Secret Server API directly with an internal service layer and strict RBAC","Build a smaller, purpose-specific MCP server that wraps only the minimal Delinea endpoints needed","Use a secrets management proxy/gateway that supports audit logging and policy enforcement"],"af_score":54.0,"security_score":70.2,"reliability_score":25.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T15:24:10.511145+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["none","oauth (OAuth 2.0 with dynamic client registration per MCP spec)","server authenticates to Secret Server automatically (uses DELINEA_USERNAME + DELINEA_PASSWORD)"],"oauth":true,"scopes":false,"notes":"Auth_mode supports 'none' or 'oauth'. The server itself uses Delinea credentials to obtain bearer tokens for subsequent Delinea API requests. Config includes registration_psk, jwt_key_path, oauth_db_path, and external_hostname, implying a multi-step OAuth/token issuance flow."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"Open-source project; no hosted pricing indicated. Any costs depend on Delinea usage and optional Azure OpenAI features."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":54.0,"security_score":70.2,"reliability_score":25.0,"mcp_server_quality":82.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":55.0,"rate_limit_clarity":15.0,"tls_enforcement":75.0,"auth_strength":70.0,"scope_granularity":55.0,"dependency_hygiene":65.0,"secret_handling":85.0,"security_notes":"README indicates HTTPS/TLS is optional via ssl_keyfile/ssl_certfile. Secrets are sourced from environment variables. OAuth endpoints are explicitly warned as development/testing oriented; specifically, /oauth/authorize accepts any redirect_uri without validation (open redirection risk) unless production restricts callbacks. Tool exposure can be reduced via enabled_tools and allowed search/fetch object types, supporting least-privilege at the MCP-tool layer.","uptime_documented":0.0,"version_stability":35.0,"breaking_changes_history":35.0,"error_recovery":30.0,"idempotency_support":"false","idempotency_notes":"Some tools perform state changes (create/update/delete, approve/deny requests, mark read/unread) but the README does not describe idempotency guarantees or safe retry behavior.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["OAuth development/testing concern: /oauth/authorize accepts any redirect_uri and will redirect without validation; production must restrict approved callback URLs to prevent open redirection/code capture risk.","OAuth transport constraints: OAuth 'doesn't work with stdio transport' per README; ensure correct transport/auth mode pairing.","Tool registration is controlled by config.enabled_tools and enabled object types for search/fetch; an agent may fail if it expects tools not registered or object types not allowed.","Azure OpenAI-dependent tool (ai_generate_and_run_report) is automatically disabled if Azure OpenAI variables are missing; agents should check availability before calling."]}}