HashiCorp Vault MCP Server – Secrets and PKI
HashiCorp Vault's official MCP Server lets AI clients interact with Vault APIs for secrets and PKI workflows. Use it when an agent needs controlled access to Vault key-value secrets, mounts, PKI issuers, PKI roles, or certificate issuance in a trusted local environment.
Overview
HashiCorp Vault MCP Server is the official Model Context Protocol server for
integrating AI clients with Vault. It exposes selected Vault API operations as
MCP tools so an AI model can help manage secrets, mounts, and PKI resources
through natural-language workflows.
What the MCP server enables
The server provides specialized Vault tools that an AI model can call when a
prompt requires Vault operations. Documented capabilities include:
- Listing, creating, reading, and deleting key-value secrets.
- Creating, deleting, and listing Vault mounts for KV v1 and KV v2.
- Enabling the PKI secrets engine.
- Creating and reading PKI issuers.
- Creating, reading, listing, and deleting PKI roles.
- Issuing PKI certificates from configured roles.
- Using session-based Vault client management and structured logging.
- Supporting CORS, logging, and Vault context middleware for HTTP deployments.
When to use it
Use Vault MCP when an AI assistant is helping with Vault-backed secret and
certificate workflows in a trusted development or operations environment.
Practical examples include storing an API key in a KV mount, retrieving a
development secret, creating a KV mount for a new service, configuring a PKI
issuer, creating a certificate role, or issuing a short-lived certificate for a
workload.
Connection and authentication
Vault MCP can run with stdio for direct local client communication or
streamable-http for network-based communication. HashiCorp documents Docker,
compiled binary, and source installation options. Docker is described as the
most reliable and consistent method and uses the official
hashicorp/vault-mcp-server image.
For local Docker stdio, pass VAULT_ADDR, optional VAULT_NAMESPACE, and
VAULT_TOKEN into the container. Compiled binary and source installs run
vault-mcp-server stdio for stdio mode. Streamable HTTP can be started with
vault-mcp-server streamable-http and optional host, port, MCP endpoint, and
log-file flags.
Key considerations
Vault MCP is documented as beta, and HashiCorp strongly discourages using beta
Vault MCP functionality in production deployments. The server may expose Vault
data, including secrets, to connected MCP clients and LLMs, so use it only with
trusted clients and trusted models. HashiCorp recommends running it locally and
not exposing it to other network users. Always scope VAULT_TOKEN to the
minimum policies required, prefer short-lived tokens where possible, avoid
logging secret values, and review destructive operations such as deleting
secrets, deleting mounts, or deleting PKI roles before allowing an agent to
proceed.
Supported Transports
stdio
Command: docker
Args:
run-i--rm-eVAULT_ADDR-eVAULT_NAMESPACE-eVAULT_TOKENhashicorp/vault-mcp-server
stdio
Command: vault-mcp-server
Args:
stdio
streamable_http
URL: http://127.0.0.1:8080/mcp
Frequently Asked Questions
- When should an AI agent use the HashiCorp Vault MCP Server?
- Use it when a trusted AI client needs to help with Vault-backed secret or PKI workflows, such as listing key-value secrets, creating a secret, reading a permitted secret, configuring PKI issuers and roles, or issuing a certificate from an approved PKI role.
- What does the HashiCorp Vault MCP Server add to an AI agent's capabilities?
- It gives the agent selected Vault API operations through MCP tools, including key-value secret actions, mount operations, PKI setup, PKI role management, and certificate issuance, rather than relying only on general Vault knowledge.
- What can an AI agent access or manage through Vault MCP?
- Depending on the Vault token policy, the agent can list, create, read, and delete KV secrets, create and delete KV mounts, enable PKI, create and read PKI issuers, create, list, read, and delete PKI roles, and issue PKI certificates.
- How is authentication configured for Vault MCP?
- Vault MCP connects to Vault with VAULT_ADDR, VAULT_TOKEN, and optional VAULT_NAMESPACE. Use a least-privilege Vault token, prefer short-lived credentials, and avoid exposing tokens or secret values in client logs, prompts, or committed MCP configuration files.
- Which transport should be used for Vault MCP?
- Use local stdio for most clients because HashiCorp recommends running the beta server locally and not exposing it to other network users. Use Streamable HTTP only for controlled local or tightly restricted integrations that need network-based MCP communication.