# HashiCorp Vault

> Read dynamic and static secrets from HashiCorp Vault inside agent workflows.

[Canonical HTML page](https://top-mcps.com/mcp/vault) · [server.json](https://top-mcps.com/mcp/vault.json) · [methodology](https://top-mcps.com/about/methodology)

## Install

### Claude Desktop — `claude_desktop_config.json`

Paste under mcpServers. Fully quit and reopen Claude after editing. command is the mcp-server-vault binary that `go install github.com/hashicorp/mcp-server-vault@latest` puts into $(go env GOPATH)/bin (Go names the binary after the last path element); use the absolute path if the desktop app's PATH does not include that directory. A config whose command is `go install` only installs the binary and exits, so the client never gets a server.

```json
{
  "mcpServers": {
    "vault": {
      "command": "mcp-server-vault",
      "env": {
        "VAULT_ADDR": "${VAULT_ADDR}",
        "VAULT_TOKEN": "${VAULT_TOKEN}",
        "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
      }
    }
  }
}
```

### Claude Code — `CLI or .mcp.json`

Run from your repo. Commit .mcp.json to share with your team only if it holds ${VAR} placeholders rather than a literal token. The server process inherits VAULT_* from the environment Claude Code was started in; `claude mcp add -e KEY=value` also works but persists the value in Claude's config file, which you do not want for VAULT_TOKEN.

```shell
# one-time: installs mcp-server-vault into $(go env GOPATH)/bin (make sure it is on PATH)
go install github.com/hashicorp/mcp-server-vault@latest
# export VAULT_ADDR=https://vault.example.com
# export VAULT_TOKEN=hvs.…
# export VAULT_NAMESPACE=admin   # Enterprise only
claude mcp add --scope project vault -- mcp-server-vault   # --scope project writes .mcp.json
```

### Cursor — `.cursor/mcp.json`

Global path: ~/.cursor/mcp.json. Reload window after editing. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest` puts mcp-server-vault in $(go env GOPATH)/bin) and point command at it, with an absolute path if Cursor's PATH lacks that directory.

```json
{
  "mcpServers": {
    "vault": {
      "command": "mcp-server-vault",
      "env": {
        "VAULT_ADDR": "${VAULT_ADDR}",
        "VAULT_TOKEN": "${VAULT_TOKEN}",
        "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
      }
    }
  }
}
```

### VS Code — `.vscode/mcp.json`

VS Code uses the "servers" key (not "mcpServers"). ${env:NAME} reads a variable from the environment; for the token prefer an "inputs" entry with "password": true, which VS Code prompts for once and keeps in its secret storage instead of in this file. command is the mcp-server-vault binary installed by `go install github.com/hashicorp/mcp-server-vault@latest`.

```jsonc
{
  // Prompted once, stored in VS Code's secret storage, never written to this file.
  "inputs": [
    {
      "id": "vault-token",
      "type": "promptString",
      "description": "Vault token",
      "password": true
    }
  ],
  "servers": {
    "vault": {
      "command": "mcp-server-vault",
      "env": {
        "VAULT_ADDR": "${env:VAULT_ADDR}",
        "VAULT_TOKEN": "${input:vault-token}",
        "VAULT_NAMESPACE": "${env:VAULT_NAMESPACE}"
      }
    }
  }
}
```

### Windsurf — `~/.codeium/windsurf/mcp_config.json`

Open via Cascade → hammer icon → Configure. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest`) and point command at the resulting mcp-server-vault, by absolute path if needed.

```json
{
  "mcpServers": {
    "vault": {
      "command": "mcp-server-vault",
      "env": {
        "VAULT_ADDR": "${VAULT_ADDR}",
        "VAULT_TOKEN": "${VAULT_TOKEN}",
        "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
      }
    }
  }
}
```

### Cline — `cline_mcp_settings.json`

Open via the Cline sidebar → MCP Servers → Edit. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest`) and point command at the resulting mcp-server-vault, by absolute path if needed.

```json
{
  "mcpServers": {
    "vault": {
      "command": "mcp-server-vault",
      "env": {
        "VAULT_ADDR": "${VAULT_ADDR}",
        "VAULT_TOKEN": "${VAULT_TOKEN}",
        "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
      }
    }
  }
}
```

### Continue — `~/.continue/config.json`

Continue uses modelContextProtocolServers with a transport block. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest`) and point command at the resulting mcp-server-vault, by absolute path if needed.

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "mcp-server-vault",
          "args": [],
          "env": {
            "VAULT_ADDR": "${VAULT_ADDR}",
            "VAULT_TOKEN": "${VAULT_TOKEN}",
            "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
          }
        }
      }
    ]
  }
}
```

### Codex CLI — `~/.codex/config.toml`

Codex uses TOML. Each server is a [mcp_servers.<name>] subtable. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest`) and point command at the resulting mcp-server-vault, by absolute path if needed.

```toml
# ~/.codex/config.toml
[mcp_servers.vault]
command = "mcp-server-vault"
env = { VAULT_ADDR = "${VAULT_ADDR}", VAULT_TOKEN = "${VAULT_TOKEN}", VAULT_NAMESPACE = "${VAULT_NAMESPACE}" }
```

### Zed — `~/.config/zed/settings.json`

Zed calls them "context_servers". Settings live-reload on save. Install the binary first (`go install github.com/hashicorp/mcp-server-vault@latest`) and set path to the resulting mcp-server-vault, by absolute path if needed.

```jsonc
{
  "context_servers": {
    "vault": {
      "command": {
        "path": "mcp-server-vault",
        "args": []
      },
      "env": {
        "VAULT_ADDR": "${VAULT_ADDR}",
        "VAULT_TOKEN": "${VAULT_TOKEN}",
        "VAULT_NAMESPACE": "${VAULT_NAMESPACE}"
      }
    }
  }
}
```

### ChatGPT — `ChatGPT → Apps directory`

HashiCorp Vault doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only, so to use this server there you would have to run it yourself behind a public HTTPS URL on infrastructure you control, or wait for an official remote build. If you do host it, remember that the endpoint holds a Vault token: put authentication in front of it and never expose it anonymously.

## At a glance

- **Maintainer:** Community / HashiCorp
- **Transport:** stdio
- **Auth model:** Vault token (VAULT_TOKEN); the server performs no AppRole/AWS login of its own
- **Required secrets:** VAULT_TOKEN (VAULT_ADDR and the Enterprise-only VAULT_NAMESPACE are configuration, not secrets; omit VAULT_NAMESPACE on Community Edition)
- **Supported clients:** Claude, Cursor, VS Code, any MCP-compatible client
- **Vault requirements:** Vault 1.13+; Vault Enterprise for namespaces
- **License:** MPL-2.0
- **Language:** Go
- **Latest version:** unpinned (`@latest`); pin a vetted version (`@vX.Y.Z`) in the `go install` line so installs are reproducible and reviewable
- **Last verified:** 2026-05-27
- **Score:** 54/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology)
- **Source:** https://github.com/hashicorp/mcp-server-vault

## Tools & permissions

| Tool | Description | Args | Side effects |
|------|-------------|------|--------------|
| `kv_v2_get` | Read a KV v2 secret at a path (needs `read` on `<mount>/data/<path>`). | `mount: string, path: string` | read |
| `database_creds` | Request dynamic database credentials (needs `read` on `<mount>/creds/<role>`). | `mount: string, role: string` | read, but creates a lease and a database user that live until the TTL expires or the lease is revoked |
| `pki_issue` | Issue a certificate from a PKI role (needs `update` on `<mount>/issue/<role>`). | `mount: string, role: string, common_name: string` | write: signs a new certificate (and stores it unless the role sets `no_store`) |

## Security & scope

- **Access scope:** read for `kv_v2_get` and `database_creds`, write for `pki_issue`. The two issuing tools create leases and certificates that outlive the conversation, so "read-only" holds only when the token's policies grant none of those paths.
- **Sandbox:** Vault token in env. All capability checks happen at the Vault side — the MCP is a thin client. Treat the token as a high-value credential and prefer short-lived tokens issued at session start.
- **Gotchas:**
  - A wildcard policy on the agent token defeats the entire purpose. Mint narrowly-scoped tokens, one per workflow, with a TTL bounded by the session.
  - Dynamic credentials are revoked when their lease TTL expires. Design the workflow around that lifetime: renew before expiry where the role's max_ttl allows, request a fresh credential where it does not, and revoke explicitly once the work is done.
  - Client config files are plain text. Keep the ${VAR} placeholders in the file and the real token in the environment of the process that launches the client; a literal hvs.… token in a JSON config is a credential at rest on disk.
  - Audit logs on the Vault side are your forensic trail. Make sure an audit device is enabled and shipped off-host, and run more than one: Vault refuses requests when its only audit device cannot be written.

## Quick answer

**What it does.** Reads from HashiCorp Vault (KV v2 secrets, dynamic database credentials, PKI issuance) on behalf of an agent, with Vault's own policies deciding what the token may touch. The listing describes it as reference-only, meaning the model sees a secret path rather than its value; before relying on that, read a throwaway secret and inspect the tool result your client actually shows the model.

**Best for:**
- Dynamic database credential issuance
- KV v2 secret reads
- PKI certificate issuance
- Per-token scoped agent access
- Audit-logged secret use

**Not for:**
- Teams without an existing Vault deployment
- Single-developer secret stores

## Description

A community-maintained MCP that connects an AI agent to a HashiCorp Vault deployment. Supports KV v2 secret reads, dynamic database credentials, and PKI certificate issuance against policies the agent's token allows. Built around the same reference-only pattern as the 1Password server — the model sees the secret path, never the cleartext.

## Why it matters

Vault is the enterprise standard for dynamic secrets. An MCP makes its short-lived-credential pattern usable from inside an agent without rewriting workflows.

## Key features

- KV v2 read
- Dynamic database credentials
- PKI issuance
- Token-scoped policies
- Namespace support (Vault Enterprise)

## FAQ

### How is the agent token scoped?

Through standard Vault policies. Mint a token with only the policies the workflow needs and a TTL no longer than the session. For a KV v2 read workflow that is a single `read` capability on `<mount>/data/<path>` (KV v2 keeps secret data under `data/`, so a policy on the bare path grants nothing). Verify before handing the token over: `vault token capabilities <mount>/data/<path>` shows what the current token can do there, and anything beyond `read` is too much.

### Dynamic credentials — what are they good for?

A Vault dynamic database secrets engine creates a fresh database user per request, tied to a lease with a TTL. The agent gets a short-lived username/password that Vault deletes when the lease expires (or when you revoke it early), which is safer than a long-lived shared credential. Size the TTL to the task, renew through the lease if the role's max_ttl allows, and revoke when the work is done rather than waiting for expiry.
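The scope pre-flight from the previous FAQ entry and the lease lifetime from this one, as an added Go example (not code from the original page or from the hashicorp/mcp-server-vault project). It talks to Vault's HTTP API with the standard library only: `sys/capabilities-self` to confirm the session token has exactly the capabilities the workflow needs, `<mount>/creds/<role>` to obtain a dynamic database credential, `sys/leases/renew` to extend it when the job would outlive the TTL, and `sys/leases/revoke` to drop it when the job is done. The mount name `database`, role `app-ro` and KV path `secret/data/app/db` are assumptions for illustration; Vault Enterprise namespaces would additionally need an `X-Vault-Namespace` header, which is left out here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
)

// Client is a minimal Vault HTTP API client built on the standard library.
type Client struct {
	Addr, Token string // VAULT_ADDR, VAULT_TOKEN
	HTTP        *http.Client
}

// do calls /v1/<path> with the token header and decodes the JSON reply into out.
func (c *Client) do(method, path string, body, out any) error {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("vault %s %s: HTTP %d", method, path, resp.StatusCode)
	}
	if out == nil { // sys/leases/revoke answers 204 with no body
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// CheckScope is the session-start pre-flight: ask Vault (sys/capabilities-self) what the token can
// do on each path the workflow needs and refuse to run unless it matches exactly. Too broad ("root",
// "sudo", a write capability where only "read" is required) fails just like no access at all.
func (c *Client) CheckScope(want map[string][]string) error {
	var paths []string
	for p := range want {
		paths = append(paths, p)
	}
	var r struct{ Data map[string][]string }
	if err := c.do("POST", "sys/capabilities-self", map[string]any{"paths": paths}, &r); err != nil {
		return err
	}
	for p, exp := range want {
		got := r.Data[p] // Vault answers ["deny"] for a path the token cannot touch at all
		sort.Strings(got)
		sort.Strings(exp)
		if fmt.Sprint(got) != fmt.Sprint(exp) {
			return fmt.Errorf("token scope on %s is %v, workflow expects %v", p, got, exp)
		}
	}
	return nil
}

// Lease is a dynamic credential from <mount>/creds/<role> plus the lease that governs its lifetime.
type Lease struct {
	ID        string `json:"lease_id"`
	Renewable bool   `json:"renewable"`
	TTL       int    `json:"lease_duration"` // seconds remaining
	Data      struct{ Username, Password string } `json:"data"`
}

// DatabaseCreds requests a fresh, short-lived database user for the role; check err before using l.
func (c *Client) DatabaseCreds(mount, role string) (l *Lease, err error) {
	l = new(Lease)
	return l, c.do("GET", mount+"/creds/"+role, nil, l)
}

// EnsureTTL makes sure the credential outlives the work about to start (needSec seconds): it renews
// through sys/leases/renew when the lease allows and errors when a fresh credential must be requested
// instead. The bool reports whether a renewal was sent.
func (c *Client) EnsureTTL(l *Lease, needSec int) (bool, error) {
	if l.TTL >= needSec {
		return false, nil
	}
	if !l.Renewable {
		return false, fmt.Errorf("lease %s: %ds left, %ds needed, not renewable", l.ID, l.TTL, needSec)
	}
	var r struct{ LeaseDuration int `json:"lease_duration"` }
	if err := c.do("PUT", "sys/leases/renew", map[string]any{"lease_id": l.ID, "increment": needSec}, &r); err != nil {
		return false, err
	}
	if l.TTL = r.LeaseDuration; l.TTL < needSec { // Vault caps renewals at the role's max_ttl
		return true, fmt.Errorf("lease %s: renewal capped at %ds, %ds needed", l.ID, l.TTL, needSec)
	}
	return true, nil
}

// Revoke ends the lease early so Vault drops the database user as soon as the work is done.
func (c *Client) Revoke(l *Lease) error {
	return c.do("PUT", "sys/leases/revoke", map[string]any{"lease_id": l.ID}, nil)
}

func main() {} // library-style example; the usage note below shows the call order for a workflow
```

Wire it into a workflow in this order: `CheckScope` at session start, then `DatabaseCreds("database", "app-ro")`, then `EnsureTTL(l, seconds)` with the seconds the job is expected to need, do the work, then `Revoke(l)`. A plain KV v2 read is the same client doing a GET on `secret/data/app/db`, which is what `kv_v2_get` performs on the agent's behalf. `EnsureTTL` returns an error in two cases that need different handling: a non-renewable lease (request a fresh credential) and a renewal that Vault capped at the role's `max_ttl` (split the job or raise `max_ttl` deliberately; never continue silently with a credential about to vanish).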

### Namespaces?

Yes, Vault Enterprise namespaces are supported via VAULT_NAMESPACE. Use them to keep agent identities isolated from production human identities.

### Approle / AWS auth instead of token?

Not in the current release; the server only consumes VAULT_TOKEN. Log in with AppRole, AWS IAM or whatever auth method you use outside the MCP, export the resulting client token as VAULT_TOKEN with a TTL no longer than the session, and rotate it through the same mechanism you use for your other Vault tokens.

## Changelog

- **2026-05-27** — Refreshed install snippets and fact sheet; verified for 2026.
- **2025-03-18** — Initial directory listing.
