HashiCorp Vault MCP Server (Official)

Official HashiCorp Vault MCP server enabling AI agents to interact with Vault for secrets management — reading/writing secrets, managing leases, querying PKI, and interacting with Vault's secrets engines.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Security hashicorp vault secrets mcp-server official infrastructure enterprise pki
⚙ Agent Friendliness: 76 / 100 (Can an agent use this?)
🔒 Security: 96 / 100 (Is it safe for agents?)
⚡ Reliability: 84 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 78
Documentation: 88
Error Messages: 82
Auth Simplicity: 50
Rate Limits: 68

🔒 Security

TLS Enforcement: 100
Auth Strength: 95
Scope Granularity: 98
Dep. Hygiene: 90
Secret Handling: 98

Vault is the gold standard for secrets management. Its policy engine provides the finest-grained access control of any secrets manager. FIPS 140-2 is available. All access is audit-logged.

⚡ Reliability

Uptime/SLA: 85
Version Stability: 88
Breaking Changes: 85
Error Recovery: 80

Best When

An agent needs to retrieve or manage secrets from HashiCorp Vault in a security-critical infrastructure workflow.

Avoid When

You're not using HashiCorp Vault — use AWS Secrets Manager or Azure Key Vault integrations for those platforms.

Use Cases

  • Reading application secrets from Vault KV store in agent workflows
  • Dynamic secrets generation for databases and cloud providers
  • PKI certificate issuance and management via agents
  • Vault policy auditing and compliance checking by agents
  • Secret rotation automation with agent-driven Vault interactions

Not For

  • Developers unfamiliar with Vault's auth methods and policy model
  • Simple secret storage (use cloud provider secret managers instead)
  • Non-HashiCorp Vault secret managers (AWS Secrets Manager, Azure Key Vault)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: Yes
Webhooks: No

Authentication

Methods: vault_token, approle, aws_iam, kubernetes_sa, oidc
OAuth: Yes
Scopes: Yes

Vault's auth method ecosystem is extensive: AppRole is recommended for agents, and Kubernetes SA for k8s deployments. A Vault token with policy restrictions controls access. Never use the root token.

Pricing

Model: open-source
Free tier: Yes
Requires CC: No

Vault OSS is free. HCP Vault (managed) has usage-based pricing. Enterprise adds compliance features.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Documented

Known Gotchas

  • Vault token TTL requires agents to handle token renewal or use renewable tokens
  • AppRole setup requires both RoleID and SecretID — store SecretID securely, not in agent context
  • Vault policies must be carefully scoped — agents should have path-specific read-only access
  • Dynamic secret leases expire — agents must track and renew or revoke leases
  • Namespace support in Vault Enterprise changes API paths — configure namespace header correctly
  • Sealed Vault returns 503 — agents must handle gracefully and alert operators


Scores are editorial opinions as of 2026-03-06.