After building AI tools for the past year, we recently made a YouTube video on building MCP servers and realized MCP is a total game-changer. It essentially lets AI do anything by connecting to your apps. But the deeper we dove, the clearer it became that security and privacy were complete afterthoughts. Coming from backgrounds at Okta and Stripe, this made us pretty uncomfortable.
We kept seeing the same pattern: every app needs its own MCP server, each storing sensitive tokens, with minimal security controls. It felt like we were back to the early days of OAuth implementations. Functional, but scary.
How Keyboard fixes this:
- Isolated execution: Your API keys live in your own GitHub Codespace secrets, Bearer OAuth tokens in encrypted files on your machine. Your credentials stay in your trust radius
- Ephemeral environments: Codespaces can be destroyed/recreated, limiting blast radius
- Built-in access controls: GitHub's enterprise-grade security model protects your credentials
- Zero-trust architecture: Only you can access your API keys and execution environment
What makes this different:
- Real code execution: Claude can run JavaScript/Node.js with npm packages and your API credentials
- Reusable workflows: Save complex scripts as "Keyboard Shortcuts" for instant reuse
- Universal integration: One setup connects Linear, Slack, Google Workspace, GitHub, and more
- Auto-environment management: Codespaces created/managed automatically as needed
The GitHub Codespace approach came from experimental work with interactive documentation. We realized Codespaces might be the most secure place to execute these tasks - isolated, ephemeral, with enterprise-grade controls.
We need your help: If this resonates, give us a star on GitHub! We're looking for early users and contributors who want to help make MCP more powerful and more secure.
We'd love your feedback, especially if you've been experimenting with MCP yourself!
Dope concept! If keyboard could connect our entire app at Potarix we could go completely hands off and it would streamline our flow!
linktothenew · 7h ago
If there is either an API key or you support OAuth, you definitely can!
mifydev · 8h ago
Looks great! How does it match intent to the set of tools, do you have a library of them?
linktothenew · 7h ago
Hey great question! It has a universal tool called plan and run-code, so basically when it gets a task it will determine what API access it has in the GitHub codespace, for example:
Write me a 10 Slides Google Slides presentation on the current news -> Claude will hit the plan tool -> come up with a plan and recognize it has access to a codespace with the googleapis npm package installed and a scoped Google User Token -> it will then write code to create the slide deck -> You can then approve or deny that code -> if approved, the code is executed to create the slide deck -> then you can approve whether to share the result with Claude or not
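The propose, approve, execute, share sequence from the reply above, sketched as an added example that is not part of the thread and is not Keyboard's code. The `ApprovalGate` class, its method names and states are assumptions; the point it shows is that approval is bound to a hash of the exact code the human reviewed, and that output reaches the model only after a second decision.

```javascript
const { createHash } = require("node:crypto");
const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");
// Hypothetical gate; class, method and state names are assumptions, not Keyboard's API.
class ApprovalGate {
  constructor(execute) {
    this.execute = execute; // stands in for the Codespace executor
    this.tasks = new Map(); // id -> { codeHash, state, result }
    this.nextId = 1;
  }
  task(id, expected) {
    const t = this.tasks.get(id);
    if (!t || t.state !== expected) throw new Error(`task ${id} is not in state ${expected}`);
    return t;
  }
  // 1. The model proposes code; nothing runs yet.
  propose(code) {
    const id = String(this.nextId++);
    this.tasks.set(id, { codeHash: sha256(code), state: "proposed", result: null });
    return id;
  }
  // 2. The human decides on the exact text that was displayed to them.
  reviewCode(id, shownCode, approved) {
    const t = this.task(id, "proposed");
    if (sha256(shownCode) !== t.codeHash) throw new Error("displayed code differs from proposal");
    t.state = approved ? "approved" : "denied";
  }
  // 3. Only the approved bytes run, and only once.
  run(id, code) {
    const t = this.task(id, "approved");
    if (sha256(code) !== t.codeHash) throw new Error("code changed after approval");
    t.state = "executed";
    t.result = this.execute(code);
  }
  // 4. Second decision: may the output go back to the model?
  reviewResult(id, share) {
    this.task(id, "executed").state = share ? "shared" : "withheld";
  }
  // The model sees the result only after step 4 said yes.
  resultForModel(id) {
    const t = this.tasks.get(id);
    return t && t.state === "shared" ? t.result : null;
  }
}
// Constructed sample: the executor is a stub returning a fake deck URL.
const gate = new ApprovalGate(() => ({ deckUrl: "https://example.invalid/deck" }));
const id = gate.propose("createSlides(10)");
gate.reviewCode(id, "createSlides(10)", true);
gate.run(id, "createSlides(10)");
console.log(gate.resultForModel(id)); // null until reviewResult(id, true)
```

Moving the state to `executed` before calling the executor means a failed run cannot be retried under the same approval.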
mifydev · 7h ago
Got it! In the future I think you can actually cache and reuse this code, and some flows will run automagically!
linktothenew · 7h ago
Hey yeah! We actually support this, so any code you want to execute you can save as a reusable code snippet that we call a "keyboard-shortcut".
linktothenew · 11h ago
Side-note, we changed our title too many times, and body got deleted.. facepalm
If you want to try it here is the quickstart: https://docs.keyboard.dev/getting-started/quickstart