Claude Desktop is sanctioned by Anthropic. The MCP servers you load into it are not. Sigil takes the keys; your Claude asks Sigil for what it needs, when it needs it.
Claude Desktop is the cleanest agent surface on the market. The Model Context Protocol gave it a plug-in shape — and overnight, every API in your life is one MCP server away. That is also why one prompt injection in a long email thread can spend, send, or share anything Claude can reach. Sigil is the layer that makes MCP tractable.
MCP is the right architectural answer for AI-tool integration. It is also a credential firehose with no review board, no scope language, and no audit trail. Every MCP server you install runs in your assistant's context with whatever access tokens you fed it.
Unlike Apple's App Store or even npm with provenance, the MCP ecosystem has no central review. The server you install today can ship a malicious update tomorrow — running in Claude's context, holding your tokens.
SOURCE — Anthropic MCP spec, open by design
claude_desktop_config.json.
API keys, OAuth refresh tokens, database URLs — most MCP servers ask you to paste them into the same JSON config file. One quick screenshot, one curl from a malicious tool, and they are gone.
SOURCE — every "Claude Desktop MCP" tutorial on the web
Indirect prompt injection through the content of a normal-looking email, calendar invite, or shared document. Claude reads it, treats it as instruction, and the legitimate Gmail MCP server obediently sends. No exploit needed — the credentials are valid.
SOURCE — Simon Willison · "Trifecta of prompt injection"
Claude Desktop does not log tool calls. By the time an out-of-character email or transfer is noticed, the trail is cold. There is no rollback, no "show me everything this MCP server has touched in the last hour."
SOURCE — Claude Desktop docs, no audit endpoint
Sigil is a single MCP server you point Claude Desktop at. Behind it sits an encrypted vault, a per-action permission layer, and a live audit log. Your other MCP servers stop holding tokens; Sigil holds them, hands them out scoped, and records every use.
OAuth tokens, API keys, refresh secrets move out of claude_desktop_config.json and into Sigil's vault, encrypted under a per-user key. Claude Desktop's config becomes a single line — point at Sigil, that is it.
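A defender-side check for the plaintext-credential problem described above, as an added example (not Sigil's or Anthropic's code): it parses the mcpServers block of a claude_desktop_config.json and reports which server entries carry inline secrets, without echoing the values. The sample config, the server names and the detection heuristics are constructed assumptions.

```python
import json
import math
import re

# Constructed sample in the mcpServers shape Claude Desktop reads; every value is fake.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "gmail": {"command": "npx", "args": ["-y", "example-gmail-mcp"],
              "env": {"GMAIL_REFRESH_TOKEN": "1//0constructedRefreshTokenValue9xQ"}},
    "db": {"command": "example-db-mcp",
           "args": ["--url", "postgres://app:s3cretpw@db.internal:5432/prod"]},
    "files": {"command": "example-fs-mcp", "args": ["/Users/me/Documents"],
              "env": {"LOG_LEVEL": "info"}}
  }
}
"""

# Heuristics (assumptions, tune for your environment).
SECRET_NAME = re.compile(r"(token|secret|key|passw|credential)", re.I)
URL_WITH_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def looks_secret(name, value):
    """Return a reason string if the value looks like a credential, else None."""
    if URL_WITH_PASSWORD.match(value):
        return "URL with embedded password"
    if name and SECRET_NAME.search(name) and value:
        return "secret-like variable name"
    if len(value) >= 24 and " " not in value and entropy(value) >= 4.0:
        return "long high-entropy string"
    return None

def audit_config(text):
    """Return sorted (server, location, reason) findings; values are never echoed."""
    findings = []
    for server, spec in json.loads(text).get("mcpServers", {}).items():
        items = [(f"env.{k}", k, v) for k, v in (spec.get("env") or {}).items()]
        items += [(f"args[{i}]", None, a) for i, a in enumerate(spec.get("args") or [])]
        for where, name, value in items:
            reason = looks_secret(name, str(value))
            if reason:
                findings.append((server, where, reason))
    return sorted(findings)

if __name__ == "__main__":
    for server, where, reason in audit_config(SAMPLE_CONFIG):
        print(f"{server}: {where}: {reason}")
```

Pass the text of your own claude_desktop_config.json to audit_config to list the entries whose credentials should move out of the file first.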
Permit Claude to read your calendar, send up to ten emails today, query this Stripe account read-only — for one hour, one week, or until you say otherwise. Default is deny. Every grant is revocable in one click.
Every action Claude takes through Sigil generates a record. See the moment it reads an email, queries a calendar, hits Stripe. Anomaly alerts when behaviour drifts. Revoke instantly, replay never.
Install the Sigil CLI, paste a six-line MCP server block into Claude Desktop's config, restart. Your existing MCP servers stay where they are — Sigil sits alongside them and gradually takes over the credentialled ones.
One curl pipe. macOS and Linux today, Windows later in beta.
sigil pair --kind claude-desktop opens a browser, you click confirm, the CLI gets a token. No copy-paste of secrets anywhere.
Claude Desktop → Settings → Developer → Edit Config → paste the six-line mcpServers block above. Restart Claude. Done.
Sigil is additive. Claude Desktop remains Claude Desktop. The change is in where credentials live and what a misbehaving prompt can do with them.
claude_desktop_config.json
Private beta opens June 2026. Claude Desktop power users get first access. Tell us where to reach you.