Skip to main content

Vault MCP Tools

Vault provides MCP (Model Context Protocol) tools for AI assistants to manage secrets securely.

Available Tools

vault_get

Retrieve a secret value. 
{
  "name": "vault_get",
  "arguments": {
    "path": "stripe/api_key",
    "environment": "production"
  }
}
Response: 
{
  "path": "stripe/api_key",
  "environment": "production",
  "value": "sk_live_xxx...",
  "version": 3,
  "last_updated": "2024-01-15T10:30:00Z"
}

vault_set

Create or update a secret. 
{
  "name": "vault_set",
  "arguments": {
    "path": "stripe/api_key",
    "value": "sk_live_new_xxx",
    "environment": "staging",
    "description": "Updated Stripe API key"
  }
}
Response: 
{
  "path": "stripe/api_key",
  "environment": "staging",
  "version": 4,
  "message": "Secret updated successfully"
}

vault_list

List secrets (names only, not values). 
{
  "name": "vault_list",
  "arguments": {
    "prefix": "stripe/",
    "environment": "production"
  }
}
Response: 
{
  "secrets": [
    {
      "path": "stripe/api_key",
      "description": "Stripe API key",
      "last_updated": "2024-01-15T10:30:00Z"
    },
    {
      "path": "stripe/webhook_secret",
      "description": "Stripe webhook signing secret",
      "last_updated": "2024-01-10T08:00:00Z"
    }
  ]
}

vault_history

Get version history for a secret. 
{
  "name": "vault_history",
  "arguments": {
    "path": "stripe/api_key",
    "limit": 10
  }
}
Response: 
{
  "path": "stripe/api_key",
  "versions": [
    {
      "version": 3,
      "created_at": "2024-01-15T10:30:00Z",
      "created_by": "[email protected]"
    },
    {
      "version": 2,
      "created_at": "2024-01-01T08:00:00Z",
      "created_by": "[email protected]"
    }
  ]
}

vault_rotate

Rotate a secret with a new value. 
{
  "name": "vault_rotate",
  "arguments": {
    "path": "stripe/api_key",
    "new_value": "sk_live_rotated_xxx",
    "environment": "production"
  }
}
Response: 
{
  "path": "stripe/api_key",
  "old_version": 3,
  "new_version": 4,
  "rotated_at": "2024-01-15T10:35:00Z",
  "message": "Secret rotated successfully"
}

Example Conversations

User: “What’s our Stripe API key?” Assistant uses: vault_get with path: "stripe/api_key" Response: “The Stripe API key is sk_live_xxx.... It was last updated on January 15th.”
User: “List all our database secrets” Assistant uses: vault_list with prefix: "database/" Response: “You have 3 database secrets: database/primary/password, database/replica/password, and database/read_only/password.”
User: “Rotate the staging Stripe key” Assistant uses: vault_rotate with path: "stripe/api_key", environment: "staging" Response: “I’ve rotated the staging Stripe API key. The new version is v4.”

Security Notes

  • MCP access requires appropriate permissions
  • All operations are logged to the audit trail
  • Production secrets may require additional approval
  • Never expose secret values in logs or responses unless explicitly requested

Setup

Add Vault MCP to your Claude Desktop or Cursor configuration: 
{
  "mcpServers": {
    "brainzlab-vault": {
      "command": "npx",
      "args": ["-y", "@brainzlab/mcp-server"],
      "env": {
        "BRAINZLAB_SECRET_KEY": "your-secret-key",
        "BRAINZLAB_PRODUCTS": "vault"
      }
    }
  }
}