MCP Server
Give agentic tools the ability to interface with the Doppler API.
The Doppler MCP Server implements the Model Context Protocol, allowing agentic AI tools to interface with the Doppler API.
The Doppler MCP Server is experimental and intended for development, testing, and evaluation purposes. Because outputs are non-deterministic and vary with the connected model, query, and server configuration, always use a token scoped only to the actions, projects, and environments you intend to allow, and review agentic output for alignment with your security and compliance requirements.
Prerequisites
- Node.js 20 or later
- An MCP-compatible AI client
Setup
The Doppler MCP Server is available as an npm package, @dopplerhq/mcp-server. For most use cases, using npx is the recommended method for running the MCP server so that you always use the latest version.
If you do wish to install the Doppler MCP Server globally, you may do so using your node package manager of choice.
The examples below use npx.
1. Authenticate
Run the login command to authenticate with your Doppler account:
npx @dopplerhq/mcp-server loginThe login command will guide you through authentication. You can either authenticate via your browser to create a CLI token or enter any existing Doppler token. Your credentials are stored in your system keyring for future sessions.
2. Configure Your MCP Client
Add the Doppler server to your MCP client configuration. Refer to your AI client's documentation for the location of its MCP configuration file.
Add the following to your configuration:
{
"mcpServers": {
"doppler": {
"command": "npx",
"args": ["-y", "@dopplerhq/mcp-server"]
}
}
}Restart your MCP client to apply the changes.
Automated Environments
In environments where interactive login isn't possible (e.g., CI/CD, shared workstations), you may pass a DOPPLER_TOKEN environment variable at runtime. We recommend using the Doppler CLI to inject the DOPPLER_TOKEN. This keeps tokens out of your configuration files entirely.
For example, your mcp-tokens Doppler project might have a secret called MCP_TOKEN whose value is a Service Account Token or Service Token. Since the MCP server expects the token in an environment variable called DOPPLER_TOKEN, use the --command flag to map the secret name at runtime:
{
"mcpServers": {
"doppler": {
"command": "doppler",
"args": [
"run",
"--project",
"mcp-tokens",
"--config",
"dev",
"--command",
"DOPPLER_TOKEN=$MCP_TOKEN npx -y @dopplerhq/mcp-server"
]
}
}
}Read-Only Mode
If you only need to read secrets (not create or modify them), use read-only mode:
{
"mcpServers": {
"doppler": {
"command": "npx",
"args": ["-y", "@dopplerhq/mcp-server", "--read-only"]
}
}
}This prevents the MCP server from exposing write tools to the client, so that it's less likely to attempt write operations. Note that this does not prevent agentic AI from attempting writes through other means. You should always use properly scoped tokens if you need to prevent writes.
Restricting Access
You can restrict the server to a specific project or config using CLI flags:
{
"mcpServers": {
"doppler": {
"command": "npx",
"args": [
"-y",
"@dopplerhq/mcp-server",
"--project",
"my-app",
"--config",
"dev"
]
}
}
}While CLI flags provide a way to restrict the MCP's scope, they aren't a guarantee that agentic AI won't attempt to work around them. If you need to enforce access control, always use properly scoped tokens.
Available Operations
The MCP server exposes Doppler API operations as tools:
- List projects, configs, and secrets
- Read secret values and download configs
- Create and update secrets
- Manage environments and configs
- View activity logs
The available tools depend on whether you're using read-only mode and any project/config flags. Token permissions are enforced by the Doppler API when operations are performed.
Logging Out
To clear your cached credentials from your system keyring:
npx @dopplerhq/mcp-server logoutUpdated about 2 hours ago