How to Use the CyberArk Privilege Cloud MCP in OpenAI Agents SDK

Q: How does the OpenAI Agents SDK handle justification logs when calling CyberArk Privilege Cloud?

Your agent passes the justification string directly to the retrievepassword tool. The SDK logs this parameter, ensuring every password check-out matches your vault's audit policy.

Secure your privileged infrastructure by letting your OpenAI Agents SDK inspect safes, fetch passwords, and kill rogue sessions.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect CyberArk Privilege Cloud MCP to OpenAI Agents SDK

Create your Vinkius account to connect CyberArk Privilege Cloud to OpenAI Agents SDK and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup CyberArk Privilege Cloud with OpenAI Agents SDK

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Validate PAM operations with OpenAI guardrails

`add_account` registers a privileged credential into a specific vault safe using the OpenAI Agents SDK to enforce platform ID mappings before execution. Your agent checks that the target platform matches security baselines before calling the tool, stopping misconfigured credentials before they hit the vault. If an agent tries to use `delete_account` on a critical system, the SDK's built-in guardrails intercept the call to verify authorization. This prevents autonomous agents from accidentally deleting active credentials during decommissioning cycles.

Run secure password check-outs with OpenAI tracing

`retrieve_password` pulls clear-text credentials directly into your OpenAI Agents SDK runtime while automatically logging the required justification. The OpenAI dashboard traces this specific tool call, giving security teams a clear audit trail of exactly which agent requested the credential and why. Once the agent finishes, the system handles the check-in or triggers rotation. Because the SDK tracks agent handoffs, you can pass the retrieved credential to a specialized worker agent without exposing it to the main conversational loop.

Terminate active PSM sessions via OpenAI MCP Server

`terminate_session` stops an active privileged session instantly when your OpenAI Agents SDK detects anomalous command patterns in the PSM logs. Your monitoring agent evaluates session telemetry and executes this tool to block unauthorized actions mid-stream. You configure this MCP Server tool as a high-priority action in your Python agent loop. When triggered, the agent immediately severs the PSM connection, containing the blast radius before a compromised credential can do real damage.

Setup guide

Set up CyberArk Privilege Cloud MCP in OpenAI Agents SDK

Prerequisites

Python 3.10+ installed
openai-agents package (pip install openai-agents)
Active Vinkius subscription with a valid endpoint token

1

Install the SDK

Run pip install openai-agents to install the OpenAI Agents SDK. The MCP integration is built-in — no extra dependencies needed.
2

Connect via SSE transport

Use MCPServerSse with your Vinkius endpoint URL. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. The SDK auto-discovers all CyberArk Privilege Cloud tools at runtime.
3

Create your Agent

Pass the MCP to Agent(mcp_servers=[server]). The agent receives CyberArk Privilege Cloud tools as native definitions — JSON schemas resolve automatically.
4

Run the agent

Call Runner.run(agent, prompt) to execute. The agent invokes the appropriate CyberArk Privilege Cloud tools and returns structured results. Copy the full example on the right to get started.

agent.py

import asyncio
from agents import Agent, Runner
from agents.mcp import MCPServerSse

async def main():
    async with MCPServerSse(
        url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    ) as server:
        agent = Agent(
            name="CyberArk Privilege Cloud Agent",
            instructions="You have access to CyberArk Privilege Cloud tools.",
            mcp_servers=[server],
        )
        result = await Runner.run(agent, "List recent transactions")
        print(result.final_output)

asyncio.run(main())

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by CyberArk. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect CyberArk Privilege Cloud now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about CyberArk Privilege Cloud MCP in OpenAI Agents SDK

Your agent passes the justification string directly to the `retrieve_password` tool. The SDK logs this parameter, ensuring every password check-out matches your vault's audit policy.

Yes, you configure tool exposure directly in the SDK constructor. By limiting the agent to `list_accounts` and `get_account`, you prevent the model from calling destructive tools like `delete_account`.

The SDK manages credentials at the supervisor level, so handoffs between specialist agents preserve the underlying MCP connection. A routing agent can identify a target via `list_safes` and hand the task to a retrieval agent without re-authenticating.

The tool returns a raw API error from the vault. Your Python agent catches this exception through the SDK error handler, letting you log the failure in your OpenAI dashboard without crashing the runtime.

Clear-text passwords and safe metadata never touch OpenAI servers. The Vinkius MCP sandbox isolates these credentials, passing them directly to your local runtime over an encrypted stream.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript