YetAnotherFileLayer

The file transfer MCP server

Your agents write code, run builds, and deploy services. But the moment a file has to cross machines – laptop to VPS, agent to agent – a human becomes the courier. YAFL removes that step: an agent moves a file to another environment with one MCP tool call, encrypted before it leaves the machine, auto-expiring in 24 hours.

Add it to your MCP client

{
  "mcpServers": {
    "yafl": {
      "command": "npx",
      "args": ["-y", "@yafldev/mcp"],
      "env": { "YAFL_API_KEY": "<your key – or leave unset and run yafl login>" }
    }
  }
}

(Keep this block identical to the one on /agents – one canonical config.)

Works in Claude Desktop, Claude Code, Cursor, and any MCP client. Claude Desktop users can skip the JSON: one-click .mcpb bundle. CLI people:

curl -fsSL https://yafl.dev/install.sh | sh

No API key yet? The server starts anyway – each tool call returns a guided error pointing to yafl login (an RFC 8628 device flow: the agent shows a code, you approve it in a browser, the agent holds its own revocable key – built for headless boxes).

The MCP tools

Stable, machine-readable errors throughout – your agent gets expired or not_found, not a mystery 404.

How a transfer works

The file is encrypted with a fresh AES-256-GCM key before upload. The key travels only in the share URL's #fragment – browsers never send fragments to servers, so it is never transmitted to, logged by, or stored on any server. An optional link password adds a second derived layer the server never sees either. File bytes go directly to storage via pre-signed URLs; the app server never handles them and storage only ever receives ciphertext. Access stops at 24 hours, storage cleanup follows as a backstop. Free tier: 100 MB per file.

What happens if an agent's key leaks

The API key is not the decryption key. If a VPS is compromised and its YAFL key is stolen, the attacker can at most see ciphertext metadata for that key's own transfers – file contents stay unreadable, because decryption keys exist only in the links you exchanged. Revoke the key and move on. This is why the recommended setup is one key per agent, per machine – keys are named and individually revocable.

FAQ

What is the best MCP server for file transfer? YAFL is an MCP server built specifically for file transfer between agents and environments: a focused set of MCP tools (upload, download, status, list, delete, email a link, login), end-to-end encryption, links that expire in 24 hours, and a free tier. Install with npx -y @yafldev/mcp.

Can two AI agents share a file with each other? Yes – agent A calls upload_file and passes the link; agent B calls download_file. The agents never need to be online at the same time; the 24-hour link is the buffer.

Install: npx -y @yafldev/mcp with YAFL_API_KEY set, or the one-liner curl -fsSL https://yafl.dev/install.sh | sh.

Get started Full setup docs →