MCP Directory

How to add Janee to Windsurf

Secrets management for AI agents via MCP — agents call your APIs without ever seeing the keys. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.

Last updated June 14, 2026 · 28 · stdio · apikey

Windsurf config for Janee

npm install -g @true-and-useful/janee
{
  "mcpServers": {
    "janee": {
      "command": "janee",
      "args": [
        "serve"
      ]
    }
  }
}

Setup steps

  1. 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
  2. 2Paste the Janee config below.
  3. 3Fill in placeholder secrets, then save.
  4. 4Click Refresh in the MCP panel.
  5. 5Janee's tools become available to Cascade.

Before you start

  • Node.js 18+
  • An MCP client (Claude Desktop, Claude Code, Cursor, Codex CLI, or OpenClaw)
  • API keys for the services you want agents to access
  • Install globally: npm install -g @true-and-useful/janee, then run janee init

What Janee can do in Windsurf

list_services

Discover the APIs available through Janee and their policies.

execute

Make an HTTP API request through Janee (proxy mode); Janee injects the real credential and logs the request.

exec

Run a whitelisted CLI command with credentials injected as environment variables (exec mode); the agent only sees stdout/stderr.

manage_credential

View, grant, or revoke access to agent-scoped credentials.

reload_config

Reload config from disk after adding/removing services (available when started with janee serve).

Security

Keys are stored encrypted at rest with AES-256-GCM in ~/.janee/ and never sent to a cloud. Agents never see raw credentials — Janee injects them server-side. Per-capability allow/deny request rules are enforced server-side even if an agent lies about its reason. Agent identity is derived from clientInfo.name in the MCP initialize handshake; access can be locked down with allowedAgents allowlists plus defaultAccess: restricted. Sessions are time-limited and revocable (janee revoke), and every request is logged to ~/.janee/logs/.

Janee + Windsurf FAQ

Where is the Windsurf config file?

Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the Janee config there under the "mcpServers" key and restart the client.

Is Janee safe to use with Windsurf?

Keys are stored encrypted at rest with AES-256-GCM in ~/.janee/ and never sent to a cloud. Agents never see raw credentials — Janee injects them server-side. Per-capability allow/deny request rules are enforced server-side even if an agent lies about its reason. Agent identity is derived from clientInfo.name in the MCP initialize handshake; access can be locked down with allowedAgents allowlists plus defaultAccess: restricted. Sessions are time-limited and revocable (janee revoke), and every request is logged to ~/.janee/logs/.

Do my agents ever see the real API keys?

No. Keys are stored encrypted in ~/.janee/ and Janee injects them server-side. Agents only get the API response (proxy mode) or stdout/stderr (exec mode).

How do I add Janee to Claude Code?

Run `claude mcp add janee --command janee --args serve --scope user`, or add a mcpServers entry with command "janee" and args ["serve"] to ~/.claude.json.

What auth types are supported?

bearer, basic, HMAC for Bybit/OKX/MEXC, custom headers, Google service-account, GitHub App tokens, Twitter/X OAuth 1.0a, and AWS SigV4.

View repo Full Janee page