MarkTechPost@AI, September 30, 18:10
Delinea releases an MCP server to govern AI agent credential access

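Delinea has released a Model Context Protocol (MCP) server that lets AI agents securely access credentials stored in Delinea Secret Server and the Delinea Platform. The server enforces identity verification and policy rules on every call, aiming to keep long-lived sensitive credentials out of AI agent memory while retaining a complete audit record. The server is open source on GitHub and provides standardized, auditable access, including short-lived tokens, policy evaluation, and a restricted tool set, to reduce exposure of sensitive information, and it integrates with Delinea's platform. It supports OAuth 2.0 dynamic client registration and offers STDIO and HTTP/SSE transports.

🔐 **Secure credential access control**: The core function of Delinea's MCP server is to give AI agents a secure, controlled way to access credentials stored in Delinea Secret Server and the Delinea Platform. By enforcing identity verification and policy rules on every call, it ensures that sensitive information is not exposed directly to the AI agent, which lowers the risk of credential leakage and keeps operations auditable.

🛠️ **Open-source tooling and integration**: The MCP server is open source as the MIT-licensed GitHub project DelineaXPM/delinea-mcp. It provides a constrained MCP tool set for credential retrieval and account operations and supports OAuth 2.0 dynamic client registration. It supports STDIO and HTTP/SSE transports and ships Docker artifacts and example configurations to ease integration with editors and agents.

🛡️ **Stronger security and compliance**: By implementing registration controls, TLS encryption, a least-privilege tool set, and traceable identity context, the server addresses recent security incidents in which MCP packages were abused. It follows a PAM (privileged access management) pattern that combines ephemeral authentication, policy checks, and auditing, which effectively reduces credential sprawl and simplifies credential revocation, meeting enterprises' high requirements for security and compliance.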

Delinea released a Model Context Protocol (MCP) server that lets AI agents access credentials stored in Delinea Secret Server and the Delinea Platform. The server applies identity checks and policy rules on every call, aiming to keep long-lived secrets out of agent memory while retaining full auditability.

What’s new for me?

The GitHub project DelineaXPM/delinea-mcp (MIT-licensed) exposes a constrained MCP tool surface for credential retrieval and account operations, supports OAuth 2.0 dynamic client registration per the MCP spec, and offers both STDIO and HTTP/SSE transports. The repo includes Docker artifacts and example configs for editor/agent integrations.

How does it work?

The server exposes MCP tools that proxy to Secret Server and (optionally) the Delinea Platform: secret and folder retrieval/search, inbox/access-request helpers, user/session admin, and report execution; secrets themselves remain vaulted and are never presented to the agent. Configuration separates secrets into environment variables (e.g., DELINEA_PASSWORD) and non-secrets into config.json, with scope controls (enabled_tools, allowed object types), TLS certs, and an optional registration pre-shared key.
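
A pre-deployment check for the split described above, as an added example that is not code from the delinea-mcp repository: it flags credential-like values in config.json, an unscoped enabled_tools list, and a missing DELINEA_PASSWORD. Only enabled_tools, config.json and DELINEA_PASSWORD come from the article; the key-name heuristic, the wildcard rule, the tool names and the sample configs are assumptions constructed for illustration.

```python
import json
import re

# Heuristic (assumed): key names that suggest a credential was put in config.json.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)
# DELINEA_PASSWORD is the environment variable the article names.
REQUIRED_ENV = ("DELINEA_PASSWORD",)

def find_secret_like_keys(node, path=""):
    """Yield dotted paths of non-empty string values stored under credential-like keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SECRET_KEY_RE.search(key):
                yield here
            else:
                yield from find_secret_like_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secret_like_keys(item, f"{path}[{i}]")

def audit(config_text, env):
    """Return a list of findings; an empty list means the split is respected."""
    config = json.loads(config_text)
    findings = [f"secret-like value in config.json at {p}"
                for p in find_secret_like_keys(config)]
    tools = config.get("enabled_tools")
    if not isinstance(tools, list) or not tools:
        # Policy of this example: the tool surface must be listed explicitly.
        findings.append("enabled_tools missing or empty: tool surface not explicitly scoped")
    elif any(not isinstance(t, str) or "*" in t for t in tools):
        findings.append("enabled_tools contains a wildcard or non-string entry")
    for name in REQUIRED_ENV:
        if not env.get(name):
            findings.append(f"{name} not set in environment")
    return findings

# Constructed sample configs; tool names and other keys are hypothetical.
GOOD = '{"enabled_tools": ["get_secret", "search_secrets"], "base_url": "https://vault.example.test"}'
BAD = '{"enabled_tools": ["*"], "auth": {"password": "hunter2"}}'

if __name__ == "__main__":
    print(audit(GOOD, {"DELINEA_PASSWORD": "set-at-runtime"}))
    for finding in audit(BAD, {}):
        print(finding)
```

Run it in CI against the config.json that will be mounted into the container, passing `os.environ` as the second argument.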

Why exactly does it matter to me?

Enterprises are rapidly wiring agents to operational systems through MCP. Recent incidents—such as a rogue MCP package exfiltrating email—underscore the need for registration controls, TLS, least-privilege tool surfaces, and traceable identity context on every call. Delinea’s server claims to implement these controls in a PAM-aligned pattern (ephemeral auth + policy checks + audit), reducing credential sprawl and simplifying revocation.

Summary

Delinea’s MIT-licensed MCP server gives enterprises a standard, auditable way for AI-agent credential access—short-lived tokens, policy evaluation, and constrained tools—to reduce secret exposure while integrating with Secret Server and the Delinea Platform. It’s available now on GitHub, with initial coverage and technical details confirming OAuth2, STDIO/HTTP(SSE) transports, and scoped operations.

The post Delinea Released an MCP Server to Put Guardrails Around AI Agents Credential Access appeared first on MarkTechPost.
