# Install the Vaultbeat Apple Health MCP Server

Give your AI agent (Claude Code, Claude Desktop, or any MCP client) read access to your Vaultbeat health data — sleep, heart rate, cycle, weight, and more — via a local MCP server that downloads ciphertext from the cloud and decrypts it only on this machine.

## Prerequisites

- The Vaultbeat iOS app, installed and signed in: https://apps.apple.com/us/app/tether-ai-health-sync/id6759241985
- A Vaultbeat **Pro** subscription (MCP agent access is the Pro tier)
- Python 3.11 or newer
- `uvx` (part of [uv](https://docs.astral.sh/uv/) — install it if missing)

## Step 1 — Check the environment

```bash
python3 --version   # must be 3.11+
uvx --version       # install uv from https://docs.astral.sh/uv/ if this fails
```

## Step 2 — Check server status

```bash
uvx vaultbeat-mcp status
```

The first run downloads the package. Before pairing, expect it to report that this machine is not yet bound.

## Step 3 — Pair this machine with the iPhone

```bash
uvx vaultbeat-mcp bind
```

This prints a QR code and waits. Ask the user to open the **Vaultbeat iOS app → Settings → Data & AI → MCP Server** and scan the QR code (requires Pro). Pairing authorizes exactly this machine: it generates a local Curve25519 keypair, and from then on the iPhone seals an extra encrypted envelope of each record for it. Credentials are stored in `~/.tether/mcp-local/config.json` with `0600` permissions — never commit or share that file.

## Step 4 — Register the server with your MCP client

**Claude Code** (one-liner):

```bash
claude mcp add vaultbeat-health -- uvx vaultbeat-mcp serve --transport stdio
```

**Claude Desktop** — add this to `claude_desktop_config.json` (macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`), then restart Claude Desktop:

```json
{
  "mcpServers": {
    "vaultbeat-health": {
      "command": "uvx",
      "args": [
        "vaultbeat-mcp",
        "serve",
        "--transport",
        "stdio"
      ]
    }
  }
}
```

## Step 5 — Verify

Call the `vaultbeat_status` MCP tool. It should report the binding as bound (it never exposes private keys or server tokens). Then try a data tool such as `vaultbeat_sync_sleep` to confirm decrypted health data flows.

## Notes

- Sensitive categories (menstrual cycle, symptoms, notes) are per-category opt-in, off by default, and only the data owner can enable them in the iOS app.
- The server needs network access: it fetches ciphertext from the cloud, then decrypts locally on this machine. Unpair any time in Vaultbeat Settings — revocation stops the machine from decrypting anything new.
- Current tool list: https://github.com/Fino-wind/vaultbeat-mcp#mcp-tools
- Troubleshooting: https://tetherme.app/support
