Vault Kv
FreeNot checkedA read-only MCP server that provides tools to read, list, and inspect secrets from HashiCorp Vault's KV secrets engine (versions 1 and 2) using a Vault token.
About
A read-only MCP server that provides tools to read, list, and inspect secrets from HashiCorp Vault's KV secrets engine (versions 1 and 2) using a Vault token.
README
A read-only MCP (Model Context Protocol) server that exposes the HashiCorp Vault KV secrets engine (versions 1 and 2) as tools. Every tool performs only non-destructive reads — there are no write, delete, or destroy operations. It authenticates with a Vault token and speaks MCP over stdio, so it works with local MCP clients such as Claude Desktop.
Tools (all read-only)
| Tool | Description |
|---|---|
vault_kv_read |
Read a secret (latest or a specific KV v2 version). |
vault_kv_list |
List keys / sub-folders under a path. |
vault_kv_read_metadata |
KV v2: read version history and metadata. |
vault_list_kv_mounts |
Discover available secret mounts and their KV versions. |
vault_health |
Check Vault server health / connectivity. |
KV v1 vs v2 is auto-detected per mount when kv_version is not supplied (falling back to v2).
For defense in depth, pair this with a Vault token whose policies grant only read/list capabilities on the relevant paths.
Configuration
Set these environment variables (see .env.example):
VAULT_ADDR— Vault base URL (defaulthttp://127.0.0.1:8200)VAULT_TOKEN— required Vault token, sent as theX-Vault-TokenheaderVAULT_NAMESPACE— optional, for Vault Enterprise / HCP VaultVAULT_SKIP_VERIFY— optional, settrueto skip TLS verification (dev only)
The token only needs policies granting access to the KV paths you intend to use.
Build
npm install
npm run build
Run / test with the MCP Inspector
VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=hvs.xxxx npm run inspector
Use with Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"vault-kv": {
"command": "node",
"args": ["/absolute/path/to/vault-mcp/dist/index.js"],
"env": {
"VAULT_ADDR": "http://127.0.0.1:8200",
"VAULT_TOKEN": "hvs.your-token-here"
}
}
}
}
Quick local Vault for testing
vault server -dev # prints a Root Token and unseal info
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=<root-token-from-output>
vault kv put secret/demo username=app password=s3cr3t
Then ask your MCP client to read secret/demo.
Security notes
- The server only ever reads from Vault; it never writes, deletes, or destroys secrets.
- The token is read only from the environment and never logged.
- Prefer a short-lived, least-privilege token (read/list only) over a root token.
Install Vault Kv in Claude Desktop, Claude Code & Cursor
unyly install vault-kv-mcpInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add vault-kv-mcp -- npx -y github:elisjetmax/mcp-vault-hashicorpFAQ
Is Vault Kv MCP free?
Yes, Vault Kv MCP is free — one-click install via Unyly at no cost.
Does Vault Kv need an API key?
No, Vault Kv runs without API keys or environment variables.
Is Vault Kv hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Vault Kv in Claude Desktop, Claude Code or Cursor?
Open Vault Kv on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Vault Kv with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
