Install HashiCorp Vault MCP Server

Pick your client, copy the command, done.

Add it to Claude Code

claude mcp add -e "VAULT_ADDR=${VAULT_ADDR}" -e "VAULT_TOKEN=${VAULT_TOKEN}" vault-mcp -- docker run -i --rm -e VAULT_ADDR=https://your-vault-server:8200 -e VAULT_TOKEN=hvs.your-vault-token ashgw/vault-mcp:latest

Required:VAULT_ADDRVAULT_TOKEN

Environment Variables

Set these before running HashiCorp Vault MCP Server.

VariableDescriptionRequired

VAULT_ADDRURL of the Vault clusterYes

VAULT_TOKENVault authentication tokenYes

Available Tools (4)

Once configured, HashiCorp Vault MCP Server gives your AI agent access to:

create_secretCreates a new secret in the Vault KV v2 engine.

read_secretReads a secret from the Vault KV v2 engine.

delete_secretDeletes a secret from the Vault KV v2 engine.

create_policyCreates or updates a Vault ACL policy.

Try It Out

After setup, try these prompts with your AI agent:

→Read the secret located at secret/data/myapp/config.

→Create a new secret at secret/data/api-keys/stripe with the provided JSON data.

→Generate a new Vault ACL policy that allows read-only access to the secret/data/myapp path.

→List all available secrets in the Vault instance.

→Delete the deprecated secret at secret/data/old-service.

Prerequisites & system requirements

An MCP-compatible client (Claude Code, Cursor, Windsurf, Claude Desktop, or Codex)
Docker installed and running
VAULT_ADDR — URL of the Vault cluster
VAULT_TOKEN — Vault authentication token

Keep this setup from going cold

Save the docs, env vars, and workflow around HashiCorp Vault MCP Server in Conare so Claude Code, Codex, and Cursor remember it next time.

Remember this setup

← HashiCorp Vault MCP Server overview Browse cloud servers →