Overview

Keepit MCP is a locally-deployed Model Context Protocol (MCP) server that creates a secure bridge between AI assistants and your Keepit backup environment. It translates natural language requests into Keepit REST API calls, enabling your team to monitor, manage, and secure your backup estate through conversation.

Unlike hosted integrations, Keepit MCP runs entirely within your infrastructure. Your data never leaves your control, and all operations happen through your existing security boundaries.

Key characteristics:

• Runs locally on your machine or dedicated server
• 100% control over where data is going, which model is used to process it
• Read-only in first version (no write operations to your Keepit environment)
• Compatible with any MCP-capable AI client (Claude Desktop, AnythingLLM, Jan, and others)
• Open source and free

How it works

When you ask a question in your AI client:

1. Your AI client (e.g., Claude Desktop) sends the request to the local MCP server.

2. The MCP server translates this into the appropriate Keepit API calls.

3. Data is retrieved from your Keepit account via secure API connection.

4. Results are formatted and returned to your AI client.

5. Model processes results and outputs them back.

[AI Client]  →  [MCP Server (Local)]  →  [Keepit API (Secure)]

System requirements

Installation

Step 1: Clone the repository

git clone https://github.com/keepit-official/keepit-mcp.git

cd keepit-mcp

Step 2: Install dependencies

npm install

Step 3: Configure credentials

Create a .env file in the project root with your Keepit credentials:

KEEPIT_USER=your-secondary-token-id

KEEPIT_PASS=your-secondary-token-secret

KEEPIT_ENV=eu          # or us, ws-test, etc.

LOCAL_PORT=3000        # optional, defaults to 3000

Important: We strongly recommend using a secondary token rather than your primary login credentials. Create one in the Keepit Web App under User Info > Security > Secondary Tokens. Grant only the minimum permissions.

Step 4: Connect to your AI client

For Claude Desktop using the .mcpb package:

1. Build the package: npm run generate-mcpb

2. In Claude Desktop, go to Settings > Extensions > Advanced settings.

3. Click Install Extension and select the generated keepit-mcp.mcpb file.

4. Enter your Keepit credentials when prompted.

5. Enable the extension.

Alternatively, run the server directly with npm start and configure your AI client to connect to the local MCP endpoint.

Supported tools and capabilities

Keepit MCP exposes 8 tools via the MCP protocol. 

Each tool handles a specific operation, and you can combine them in a single prompt for cross-referencing and correlation. This leads into following capabilities:

Connector management

Job monitoring

Audit and compliance

Snapshot management

Example prompts

Keepit MCP is designed for talking naturally. Below are example prompts organized by use case. A comprehensive prompt library with 50+ examples is available separately.

Quick health check

• "Do I have any unhealthy connectors?"
• "Show me connectors with snapshots older than 24 hours, sorted by staleness."
• "Count all connectors and show each one's current health status."

Incident investigation

"We had an outage yesterday. For all connectors: show health status now, show job history for P2D with any spike in failures, show audit logs for P2D with any config changes or unusual admin activity, and cross-reference which connectors had both failed jobs AND audit events within the same 2-hour window."

Compliance and reporting

• "Pull 90-day audit logs and summarize by action type, actor, and failures. Highlight spikes or unusual actors."
• "Export the last 7 days of logs where actions include delete, purge, or disable, sorted newest first."
• "Generate a quarterly compliance summary: protected connectors, worst snapshot staleness, job failure trend, and notable audit events."

SLA and risk monitoring

• "Find connectors with latest snapshot older than 12 hours. Split into Critical vs Non-critical groups."
• "Rank connectors by risk: unhealthy status or snapshots 48+ hours stale, health first then staleness."
• "Identify connectors with no jobs in the last 14 days but prior activity in the preceding 14 days."

Authentication

Keepit MCP uses token-based authentication with Keepit API credentials. The server supports role-based access control (RBAC) at both the user and connector level, giving you granular control over who can access what.

To get started, create a secondary token in the Keepit Web App (User Info > Security > Secondary Tokens) with read-only permissions. This is the only authentication method built into Keepit MCP.

For organizations that require additional authentication layers such as gateway authentication, SSO, or identity provider integration, these can be implemented on top of Keepit MCP within your hosting infrastructure. See the Enterprise Deployment Guide for suggested patterns using Azure API Management, Entra ID, and role-based gateway policies.

Deployment options

Choose a deployment pattern based on your team size and infrastructure requirements.

Detailed configuration examples for each pattern, including systemd service files, Docker Compose manifests, Kubernetes YAML, and Azure Key Vault integration, are available in the Enterprise Deployment Guide.

Current limitations

• Read-only operations only. No write, restore, delete, or configuration changes through MCP.
• Each MCP tool requires individual user consent in the AI client.
• The MCP server does not have access to the local filesystem or machine.
• No data persistence between sessions (stateless operation).
• Rate limits are inherited from the Keepit API.
• AI-interpreted commands should always be reviewed before acting on results, as the LLM may occasionally misinterpret requests.

Resources

• GitHub Repository: https://github.com/keepit-official/keepit-mcp