Security Model
- • All credentials stored in an AES-256-GCM encrypted vault on your machine
- • Vault password is typed once in the terminal, never stored anywhere
- • MCP clients connect via a local IPC socket — no API keys in config files
- • Policy enforcement happens at the socket before any key is touched
Setup in 4 Steps
Install
Install the OpenMM package globally
npm install -g @qbtlabs/openmm-mcpCreate Vault
Run the one-time setup wizard to create your encrypted vault, generate a wallet, and add exchange credentials
openmm-initStart Server
Start the unified MCP server — run this before launching any AI client
openmm serveConfigure Client
Write the MCP config for your AI client (Claude, Cursor, Windsurf, etc.)
openmm-mcp --setupClient Config Reference
openmm-mcp --setup writes this automatically. Shown here for reference.
{
"mcpServers": {
"openmm": {
"type": "stdio",
"command": "node",
"args": [
"<openmm-mcp-path>/dist/index.js"
],
"env": {
"MCP_TRANSPORT": "stdio",
"OPENMM_SOCKET": "/tmp/openmm.sock",
"PAYMENT_SERVER": "https://mcp.openmm.io",
"X402_TESTNET": "true"
}
}
}
}Note: openmm-mcp --setup detects your node and package paths automatically and writes the correct absolute paths.
No API keys, no wallet keys in config — just the socket path and payment server. Credentials stay in the vault.
Managing Credentials
Exchange credentials live inside your encrypted vault. Use the CLI to manage them:
openmm-exchange listopenmm-exchange add mexcopenmm-exchange remove gateioSee CLI Reference for all commands including wallet management, policy limits, and vault operations.