Detect. Rotate. Fix — automatically.
Your AI agent finds leaked credentials, rotates them, and verifies the fix before you even know there was a problem.
Most tools detect problems. Lockzero fixes them.
An AI agent detects the leak, calls the MCP endpoint, and initiates remediation before a human is even aware there was a problem.
Lockzero validates the new key, transitions traffic, and retires the old credential. The whole cycle completes programmatically, end to end.
Every MCP-triggered action is logged with the same fidelity as human operations — actor, timestamp, outcome, and affected secret.
Credentials managed at machine speed. No humans required. Full audit preserved.
Each capability is a discrete MCP method, callable via JSON-RPC 2.0. All actions are tenant-scoped, policy-checked, and logged.
detect_exposureScan a text payload — logs, diffs, error output — for exposed API keys. Returns matched secret IDs, confidence scores, and recommended action.
list_secretsReturn all secrets in the tenant with status, rotation age, provider, and environment labels. Useful for pre-deploy audits and status summaries.
get_secret_metadataGet full metadata for a specific secret: provider type, environment, last rotation timestamp, rotation schedule, rotation policy, and current status.
assess_blast_radiusMap which services, environments, and downstream systems are using a given credential. Understand exposure scope before triggering remediation.
rotate_secretTrigger the full rotation workflow for a secret. Lockzero validates the new key, transitions traffic, and retires the old credential. Returns new ARN and status.
rollback_secretInstantly revert a secret to its previous working version. Designed for post-rotation breakage. Returns the restored secret ARN and confirmation.
revoke_secretImmediately invalidate a credential when exposure is confirmed. Marks the secret as revoked in the audit trail and triggers downstream alerts.
verify_remediationConfirm that a rotated credential is active, the old key is fully retired, and all dependent systems have adopted the new value.
get_rotation_historyRetrieve the full rotation history for a secret: timestamps, actors (human or agent), outcomes, and rollbacks. Useful for compliance and incident reports.
get_active_incidentsList all open security incidents in the tenant — leaked keys, overdue rotations, policy violations, and usage anomalies. Scoped to your account.
check_rotation_policyQuery the rotation policy for a given secret: max age, required approvals, notification rules, and whether the secret is overdue.
get_audit_logRetrieve recent audit events for a specific secret or the full tenant. Includes human and agent-triggered actions, with actor ID and outcome.
The full MCP workflow runs end-to-end without human intervention. Every step is logged and auditable.
Agent finds a credential in logs, a diff, an error response, or a notification — and calls detect_exposure.
Agent calls assess_blast_radius to understand which services are at risk before taking any action.
Agent calls rotate_secret. Lockzero validates the new key, transitions traffic, and retires the old credential.
Agent calls verify_remediation to confirm the old key is retired and all systems have adopted the new credential.
Connect your alerting system to an AI agent. When an alert fires for unusual API usage, the agent calls Lockzero MCP to assess the affected secret, rotate it, and close the incident — all before an engineer is even paged.
Before every production release, a CI/CD agent calls list_secrets and get_active_incidents to verify no credentials are overdue for rotation or involved in open incidents. Block deployments when security posture is degraded.
A scheduled agent polls check_rotation_policy and get_rotation_history to build a running compliance report. Flag secrets that have exceeded their max rotation age without requiring any human to run a report manually.
After a confirmed credential exposure, an agent calls assess_blast_radius, get_rotation_history, and get_audit_log to build a complete timeline — which systems were affected, when the key was last rotated, and what actions were taken.
No SDK required. Lockzero MCP speaks standard JSON-RPC 2.0 over HTTPS — any MCP-compatible client works out of the box.
After subscribing, open your Lockzero dashboard → Settings → MCP Keys. Generate a new key. It starts with lz_mcp_ and is shown once — copy it now.
Paste the endpoint and your key into your client config (Claude Desktop, Claude Code, or any MCP-compatible client). See exact snippets below.
Say "Check my secrets status" or "Rotate the OpenAI key if it's overdue." Your agent now has full programmatic access to your Lockzero account.
// Claude Desktop — add to your config file{
"mcpServers": {
"lockzero": {
"url": "https://lockzero.io/api/mcp",
"headers": {
"Authorization": "Bearer YOUR_MCP_KEY"
}
}
}
}# Claude Code CLI — run once in your terminalclaude mcp add lockzero \
--transport http \
https://lockzero.io/api/mcp \
--header "Authorization: Bearer YOUR_MCP_KEY"
# Verify it's connected
claude mcp listhttps://lockzero.io/api/mcpJSON-RPC 2.0 over HTTPS POSTapplication/jsonAuthorization: Bearer <mcp-key>JSON-RPC 2.0 result or error objectPOST https://lockzero.io/api/mcp
Authorization: Bearer <mcp-key>
Content-Type: application/json
{
"jsonrpc": "2.0",
"id": 1,
"method": "rotate_secret",
"params": {
"secret_id": "prod/openai/api-key",
"reason": "Exposure detected in CI logs"
}
}Each MCP key is scoped to a single Lockzero tenant. Agents can only access secrets and incidents within the account the key belongs to.
MCP keys can be issued with read-only or read-write permissions. Grant agents only the access level they need for their specific workflow.
Every MCP-triggered action is logged identically to human operations — method, actor, timestamp, affected secret ID, and outcome.
Lockzero MCP follows the Model Context Protocol standard. Any agent or AI platform that supports MCP can connect and use the full capability set.
Fix incidents before you see them. Credentials managed at machine speed, with full audit preserved.