
Using PrivateNote with OpenAI Codex

PrivateNote.ai · June 17, 2026

OpenAI Codex is an AI coding agent. You describe what you want — fix a bug, add a feature, write a test — and it does it autonomously in a sandboxed environment.

But agents need secrets. They need to clone repos over SSH, pull from private package registries, connect to staging databases, call internal APIs. That means passing credentials to them.

Pasting an API key into an agent prompt isn't fundamentally different from pasting it into Slack — it ends up in context history, possibly in logs, possibly in memory that persists between sessions. PrivateNote gives you a cleaner path: encrypt the secret before the agent ever sees it, share a link that self-destructs after one read, and leave nothing behind.

Here's how to connect the two.

What is MCP?

MCP (Model Context Protocol) is an open protocol that lets AI applications connect to tools, data sources, and services through standardised servers. Any MCP-compatible client — Claude Desktop, Cursor, Codex, Windsurf, or another assistant — can call tools exposed by an MCP server.

The PrivateNote MCP server exposes a single tool: create_private_note. When an AI calls it, a local Node.js process encrypts your content before anything touches the network. The result is a secure, expiring link you can share with anyone.

Requirements

Before installing, make sure you have:

  • An MCP-compatible client: Claude Desktop, Cursor, Codex CLI, Windsurf, or any client that implements the MCP spec
  • Node.js 18 or later — check with: node --version
  • npx available — check with: npx --version
  • Network access to privatenote.ai (or your self-hosted instance)

The fastest path: one command (Codex)

If you use the Codex CLI, adding PrivateNote as a global MCP server is a single command:

Terminal
codex mcp add privatenote -- npx -y privatenote-mcp
  • That's it. The server is registered globally in ~/.codex/config.toml
  • Every new Codex session has access to the create_private_note tool
  • No project-level config needed — it follows you across repos

Claude Desktop and other MCP clients

Most MCP clients accept a JSON config file. For Claude Desktop, open the config for your OS:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

Add the following entry, save the file, and restart Claude Desktop:

claude_desktop_config.json
{
  "mcpServers": {
    "privatenote": {
      "command": "npx",
      "args": ["-y", "privatenote-mcp"]
    }
  }
}
  • After restart, Claude will detect the server and expose the create_private_note tool in chat automatically
  • Cursor: add the same entry under Settings → MCP
  • Any other client that follows the MCP spec uses the same JSON block

What you can now ask your AI assistant

Once the MCP server is connected, you can use plain natural language:

  • "Create a PrivateNote that says: The temporary password is X. Make it expire in 24 hours."
  • "Wrap this database password in a self-destructing link for the contractor"
  • "Send the SSH key securely — 15-minute expiry, burn after reading"
  • "Generate a PrivateNote for the staging credentials and give me the link"

Example
# Example response from the assistant:

PrivateNote created:
https://privatenote.ai/note/xK9m2p...#A3f7...

Expires in 24 hours · Burns after reading

What the tool actually does

When the AI calls create_private_note, the MCP server runs a local Node.js process on your machine. The encryption happens there — before anything touches the network.

The server generates a random 256-bit AES key, encrypts the content with AES-256-GCM, and POSTs only the ciphertext to privatenote.ai. The key is not in the request.

The decryption key lives only in the URL fragment — the #this-part that browsers never send to servers. What comes back is a link. Whoever opens the link decrypts it in their browser. The note deletes itself immediately after.

privatenote.ai stores encrypted blobs. Without the fragment, those blobs are meaningless.
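
The flow described above, as an added Node.js sketch (not the privatenote-mcp source): encrypt locally, upload only ciphertext, keep the key in the fragment, and decrypt on the recipient side. The upload field names, the base64url encoding of the fragment and the EXAMPLE_NOTE_ID placeholder are assumptions made for this illustration.

```javascript
// Added illustration, not privatenote-mcp code. Field names, the base64url
// fragment encoding and the note id are assumptions made for this sketch.
const crypto = require('node:crypto');

// Encrypt locally: returns what would be uploaded and what stays in the fragment.
function sealNote(plaintext) {
  const key = crypto.randomBytes(32);            // 256-bit AES key, never uploaded
  const iv = crypto.randomBytes(12);             // 96-bit GCM nonce, fresh per note
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const upload = {                               // hypothetical request body
    iv: iv.toString('base64url'),
    tag: cipher.getAuthTag().toString('base64url'),
    ciphertext: ciphertext.toString('base64url'),
  };
  return { upload, fragment: key.toString('base64url') };
}

// Build the share link; noteId stands in for the id the server would return.
function buildLink(baseUrl, noteId, fragment) {
  const url = new URL(`/note/${noteId}`, baseUrl);
  url.hash = fragment;
  return url.toString();
}

// What an HTTP client requests for this link: path and query, never the fragment.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Recipient side: the key comes from the fragment, the blob from the server.
function openNote(link, stored) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(stored.iv, 'base64url'));
  decipher.setAuthTag(Buffer.from(stored.tag, 'base64url'));
  return Buffer.concat([
    decipher.update(Buffer.from(stored.ciphertext, 'base64url')),
    decipher.final(),                            // throws if key or blob was altered
  ]).toString('utf8');
}

const { upload, fragment } = sealNote('constructed sample: staging-db-password');
const link = buildLink('https://privatenote.ai', 'EXAMPLE_NOTE_ID', fragment);
console.log(requestTarget(link));                // path only, no key material
console.log(openNote(link, upload));
```

Because GCM is authenticated, opening the blob with any other key fails outright rather than returning garbage.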

Common tool options

The create_private_note tool accepts the following parameters:

  • content — the sensitive text to encrypt and store (required)
  • expiresIn — how long the note stays accessible: 15m, 1h, 24h, or 7d (default: 24h)
  • burnAfterReading — destroy the note after the first view (default: true)
  • title — an optional label prepended to the content before encryption

Prompt
# Structured example prompt:

Create a PrivateNote with:
content: "The deployment token is ghp_abc123"
expiresIn: "15m"
burnAfterReading: true

The privacy caveat you should understand

Here's the honest part: when you type a secret into a Codex prompt, Codex reads it before the MCP tool runs. OpenAI's servers process that message.

So "create a PrivateNote for sk_live_abc123" means the value sk_live_abc123 briefly appeared in a cloud context. The PrivateNote step ensures it doesn't persist in Slack, email, or chat history — but it isn't the same as the AI never seeing it.

Two ways to close that gap:

  • Use the VS Code extension when in the Codex IDE — select the secret in your editor, right-click → Share as PrivateNote. The secret goes directly from your editor to the encrypted link. Codex is never involved
  • Use a local model for the agent session. Nothing leaves your machine until it's already encrypted

Using the VS Code extension in Codex IDE

Codex runs inside a VS Code-compatible editor. The PrivateNote VS Code extension installs and works there exactly as it does in standard VS Code.

Terminal
code --install-extension PrivateNote.privatenote-vscode
  • After install, an envelope icon appears in the activity bar — click it to open the PrivateNote panel
  • Select any text in the editor, right-click → Share as PrivateNote for a quick one-off
  • The lock icon in the editor title bar appears whenever you have text selected
  • With this path, Codex never touches the plaintext — the extension encrypts locally in the VS Code host process

If you prefer the config file

You can also add the MCP server manually. The codex mcp add command writes to ~/.codex/config.toml — you can edit that file directly if you prefer:

~/.codex/config.toml
[mcp_servers.privatenote]
command = "npx"
args = ["-y", "privatenote-mcp"]

Pointing at a self-hosted instance

If your team runs a private PrivateNote server, set the base URL via an environment variable in the MCP config:

~/.codex/config.toml
[mcp_servers.privatenote]
command = "npx"
args = ["-y", "privatenote-mcp"]

[mcp_servers.privatenote.env]
PRIVATENOTE_API_BASE_URL = "https://notes.your-domain.com"
  • All secrets stay on your infrastructure — nothing reaches privatenote.ai
  • The same AES-256-GCM encryption applies; only the storage destination changes

Troubleshooting

If the PrivateNote tool does not appear in your client after setup:

  • Restart your MCP client — config changes are not picked up while the app is running
  • Confirm Node.js is installed and on your PATH: node --version
  • Confirm npx works: npx --version
  • Validate your JSON config — a trailing comma is the most common syntax error
  • Check your client's MCP or extension logs for startup errors
  • Make sure your machine has network access to privatenote.ai (or your self-hosted host)

A few things to remember

The URL is the secret. The link contains the decryption key in its fragment. Treat it with the same care as the credential itself — don't commit it, don't log it, don't post it in a public channel.
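
One way to enforce the "don't log it" rule, as an added example that is not part of PrivateNote: scrub the key fragment from note links before log lines or tool transcripts are written. The /note/<id>#<key> shape follows the sample link earlier on this page; the host list, the redaction marker and the sample log lines are assumptions constructed for the illustration.

```javascript
// Added illustration, not PrivateNote code. The host list and marker text are
// assumptions; adjust the hosts to include any self-hosted instance.
const NOTE_HOSTS = ['privatenote.ai', 'notes.your-domain.com'];

// Replace the fragment of any PrivateNote link with a marker. The note id is
// kept so the log line can still be correlated with the note that was shared.
function redactNoteLinks(text, hosts = NOTE_HOSTS) {
  let redacted = 0;
  const out = text.replace(/https:\/\/[^\s"'<>]+/g, (candidate) => {
    let url;
    try { url = new URL(candidate); } catch { return candidate; }
    const isNote = hosts.includes(url.hostname) && url.pathname.startsWith('/note/');
    if (!isNote || url.hash.length <= 1) return candidate;   // no key to protect
    redacted += 1;
    return `${url.origin}${url.pathname}${url.search}#[REDACTED-KEY]`;
  });
  return { text: out, redacted };
}

// Constructed sample log lines.
const sampleLog = [
  'tool=create_private_note result=https://privatenote.ai/note/EXAMPLE1#S0VZLUVYQU1QTEU',
  'fetched https://privatenote.ai/note/EXAMPLE1 status=200',
  'docs at https://example.com/guide#install',
].join('\n');

console.log(redactNoteLinks(sampleLog));
```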

Burn-after-reading means exactly that. Once the link is opened, it's gone. Neither you nor the recipient can re-open it.

Rotate after sharing. If a credential appeared in an AI prompt — even briefly — treat it as potentially seen. Share the current value via PrivateNote, then rotate to a new one.

PrivateNote is for delivery, not storage. If you need a secret to be accessible for more than a few days, use a proper secrets manager. PrivateNote is the secure handoff step, not the vault.

Use short expiry windows. For one-time secrets, 15m or 1h is almost always sufficient. Default to the shortest window that still works for your recipient.

Connect your AI assistant to PrivateNote

One command or one JSON block registers the MCP server. Every session after that has a secure secret-sharing tool built in.
