Mastra AISDK

HashiCorp Vault MCP Server

Bring Secrets Management
to Mastra AI

Name: HashiCorp Vault MCP Server
Price: 29 USD
Availability: InStock
Rating: 4.9 (1 reviews)
Author: Vinkius

Learn how to connect HashiCorp Vault to Mastra AI and start using 50 AI agent tools in minutes. Fully managed, enterprise secure, and ready to use without writing a single line of code.

GDPR Free for Subscribers

Approle LoginConfigure Aws RootConfigure DatabaseConfigure Kubernetes AuthCreate Acl PolicyCreate Approle RoleCreate Aws RoleCreate Database RoleCreate Pki RoleCreate TokenCreate Transit KeyCreate Userpass UserDecrypt TransitDelete Kv SecretEnable Audit DeviceEnable Auth MethodEnable EngineEncrypt TransitGenerate Approle Secret IdGenerate Aws CredsGenerate Database CredsGenerate Pki RootGet Init StatusGet Openapi SpecGet System HealthGithub LoginInitialize VaultIssue Pki CertKubernetes LoginList Acl PoliciesList Audit DevicesList Auth MethodsList Kv SecretsList MountsList Token AccessorsLookup LeaseLookup Self TokenMap Github TeamRead Kv MetadataRead Kv SecretRenew LeaseRenew Self TokenRevoke LeaseRevoke Pki CertRevoke Self TokenRotate Transit KeySeal VaultUnseal VaultUserpass LoginWrite Kv Secret

Unlock for AI Agents

Ask AI about this MCP Server ChatGPT Claude Perplexity

Compatible with every major AI agent and IDE

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

+ other MCP clients

What is the HashiCorp Vault MCP Server?

Connect your HashiCorp Vault instance to any AI agent to automate secrets management and security operations through natural language.

What you can do

Secrets Management — Read, write, and list KV secrets directly from your secure mounts using the KV engine.
Dynamic Credentials — Generate on-demand credentials for Databases, AWS, and PKI certificates without manual intervention.
Token Operations — Create, lookup, and renew tokens to manage session lifecycles and access control.
Transit Encryption — Encrypt and decrypt data using Vault's transit engine to protect sensitive information without exposing keys.
System Administration — Check cluster health, manage mounts, and configure auth methods or ACL policies directly.

How it works

Subscribe to this server
Provide your Vault Address and Token
Start managing your infrastructure security from Claude, Cursor, or any MCP-compatible client

Who is this for?

DevOps Engineers — automate secret rotation and infrastructure provisioning workflows.
Security Teams — audit token accessors and manage ACL policies through conversation.
Developers — fetch development secrets and generate local database credentials without leaving the IDE.

Built-in capabilities (50)

approle_login

configure_aws_root

Configure AWS root credentials

configure_database

Configure a database connection

configure_kubernetes_auth

Configure Kubernetes authentication

create_acl_policy

Create or update an ACL policy

create_approle_role

Create or update an AppRole role

create_aws_role

Create an AWS role

create_database_role

Create a database role

create_pki_role

Create a PKI role

create_token

Create a new Vault token

create_transit_key

Create a new Transit key

create_userpass_user

Create a new Userpass user

decrypt_transit

Decrypt data using Transit engine

delete_kv_secret

Delete the latest version of a KV v2 secret

enable_audit_device

Enable an audit device

enable_auth_method

Enable a new auth method

enable_engine

Enable a new secrets engine

encrypt_transit

Encrypt data using Transit engine

generate_approle_secret_id

Generate a new Secret ID for an AppRole

generate_aws_creds

Generate dynamic AWS credentials

generate_database_creds

Generate dynamic database credentials

generate_pki_root

Generate a new PKI root certificate

get_init_status

Check Vault initialization status

get_openapi_spec

Generate OpenAPI V3 document of mounted backends

get_system_health

Check Vault system health

github_login

initialize_vault

Initialize a new Vault cluster

issue_pki_cert

Issue a new PKI certificate

kubernetes_login

list_acl_policies

List ACL policies

list_audit_devices

List enabled audit devices

list_auth_methods

List enabled auth methods

list_kv_secrets

List secrets in a KV v2 engine path

list_mounts

List mounted secrets engines

list_token_accessors

List token accessors (requires sudo)

lookup_lease

Lookup a lease by ID

lookup_self_token

Lookup details about the current Vault token

map_github_team

Map a GitHub team to Vault policies

read_kv_metadata

Read metadata for a KV v2 secret

read_kv_secret

Read a secret from KV v2 engine

renew_lease

Renew a lease

renew_self_token

Renew the current Vault token

revoke_lease

Revoke a lease

revoke_pki_cert

Revoke a PKI certificate

revoke_self_token

Revoke the current Vault token

rotate_transit_key

Rotate a Transit key

seal_vault

Seal the Vault

unseal_vault

Unseal the Vault with a key share

userpass_login

write_kv_secret

Create or update a secret in KV v2 engine

Why Mastra AI?

Mastra's agent abstraction provides a clean separation between LLM logic and HashiCorp Vault tool infrastructure. Connect 50 tools through Vinkius and use Mastra's built-in workflow engine to chain tool calls with conditional logic, retries, and parallel execution. deployable to any Node.js host in one command.

—
Mastra's agent abstraction provides a clean separation between LLM logic and tool infrastructure. add HashiCorp Vault without touching business code
—
Built-in workflow engine chains MCP tool calls with conditional logic, retries, and parallel execution for complex automation
—
TypeScript-native: full type inference for every HashiCorp Vault tool response with IDE autocomplete and compile-time checks
—
One-command deployment to any Node.js host. Vercel, Railway, Fly.io, or your own infrastructure

See it in action

HashiCorp Vault in Mastra AI

AI Agent→Vinkius

High Security·Kill Switch·Plug and Play

Why Vinkius

HashiCorp Vault and 4,000+ other MCP servers. One platform. One governance layer.

Teams that connect HashiCorp Vault to Mastra AI through Vinkius don't need to source, host, or maintain individual MCP servers. Every tool call runs inside a hardened runtime with credential isolation, DLP, and a signed audit chain.

4,000+MCP Servers ready

<40msCold start

60%Token savings

	Raw MCP	Vinkius
Server catalog	Find and host yourself	4,000+ managed
Infrastructure	Self-hosted	Sandboxed V8 isolates
Credential handling	Plaintext in config	Vault + runtime injection
Data loss prevention	None	Configurable DLP policies
Kill switch	None	Global instant shutdown
Financial circuit breakers	None	Per-server limits + alerts
Audit trail	None	Ed25519 signed logs
SIEM log streaming	None	Splunk, Datadog, Webhook
Honeytokens	None	Canary alerts on leak
Custom domains	Not applicable	DNS challenge verified
GDPR compliance	Manual effort	Automated purge + export

Unlock for AI Agents View step-by-step setup guide for Mastra AI →

Enterprise Security

Why teams choose Vinkius for HashiCorp Vault in Mastra AI

The HashiCorp Vault MCP Server runs on Vinkius-managed infrastructure inside AWS — a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts. All 50 tools execute in hardened sandboxes optimized for native MCP execution.

Your AI agents in Mastra AI only access the data you authorize, with DLP that blocks sensitive information from ever reaching the model, kill switch for instant shutdown, and up to 60% token savings. Enterprise-grade infrastructure, zero maintenance.

Unlock for AI Agents View full HashiCorp Vault details →

Fully ManagedVinkius Servers

60%Token savings

High SecurityEnterprise-grade

IAMAccess control

EU AI ActCompliant

DLPData protection

V8 IsolateSandboxed

Ed25519Audit chain

<40msKill switch

Stream every event to Splunk, Datadog, or your own webhook in real-time

* Every MCP server runs on Vinkius-managed infrastructure inside AWS - a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts optimized for native MCP execution. See our infrastructure

The Vinkius Advantage

How Vinkius secures
HashiCorp Vault for Mastra AI

Every tool call from Mastra AI to the HashiCorp Vault MCP Server is protected by DLP redaction, cryptographic audit chains, V8 sandbox isolation, kill switch, and financial circuit breakers.

< 40msCold start

Ed25519Signed audit chain

60%Token savings

FAQ

Frequently asked questions

Can I check the remaining TTL and policies of my current session token?

Yes. Use the lookup_self_token tool. It returns the creation time, TTL, associated policies, and metadata for the token currently in use.

How do I retrieve a specific secret from a KV version 2 engine?

Use the read_kv_secret tool by providing the path to the secret. The agent will fetch the data and present the key-value pairs securely.

Is it possible to generate temporary database credentials through the agent?

Yes. If the database engine is configured, use generate_database_creds with the specific role name to receive a temporary username and password.

How does Mastra AI connect to MCP servers?

Create an MCPClient with the server URL and pass it to your agent. Mastra discovers all tools and makes them available with full TypeScript types.

Can Mastra agents use tools from multiple servers?

Yes. Pass multiple MCP clients to the agent constructor. Mastra merges all tool schemas and the agent can call any tool from any server.

Does Mastra support workflow orchestration?

Yes. Mastra has a built-in workflow engine that lets you chain MCP tool calls with branching logic, error handling, and parallel execution.

createMCPClient not exported

Install: npm install @mastra/mcp

Explore More MCP Servers

View all →

Weights & Biases

6 tools

Track experiments, monitor ML runs, and manage artifacts on WandB — the developer platform for AI.

DBeaver (CloudBeaver)

19 tools

Manage database connections, users, and server configurations via CloudBeaver's API — inspect drivers, manage teams, and query server status directly.