HashiCorp Vault
HashiCorp Vault is an open source tool for securely storing and accessing secrets. A secret is anything you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control via policies and recording a detailed audit log. It supports dynamic secrets, data encryption, PKI, SSH certificate issuance, and identity-based access through a comprehensive REST HTTP API.
APIs
HashiCorp Vault KV Secrets Engine API
The KV v2 secrets engine provides key-value secret storage with versioning, metadata management, soft delete, and permanent destruction of secret versions. Essential for storing...
HashiCorp Vault System Backend API
The Vault system backend provides management operations for authentication methods, secrets engine mounts, ACL policies, token lifecycle, and lease management. All sys/ endpoint...
Vault HTTP API
The complete Vault HTTP API gives full access to all Vault operations via REST. Includes authentication method APIs (AppRole, LDAP, JWT, Kubernetes, AWS, Azure), secrets engine ...
Collections
Pricing Plans
Rate Limits
FinOps
Vault Finops
FINOPSFeatures
Versioned key-value secret storage with soft delete, undelete, and permanent destruction.
On-demand, time-limited credentials for databases, AWS, Azure, GCP, and other backends.
Encryption-as-a-Service for application data without storing plaintext in Vault.
Built-in PKI secrets engine for issuing X.509 certificates with configurable TTLs.
Dynamic SSH certificates and OTPs for secure machine access management.
Fine-grained HCL-based policies controlling access to any secret path with capabilities.
Pluggable authentication supporting AppRole, LDAP, JWT/OIDC, Kubernetes, AWS, and more.
All dynamic secrets have TTL-bound leases that can be renewed or revoked on demand.
Comprehensive audit trail of all API requests and responses for compliance.
Official HashiCorp Vault MCP server enabling AI-assisted secrets management workflows.
Use Cases
Inject database credentials, API keys, and config into applications at runtime via Vault Agent.
Replace Kubernetes secrets with Vault-managed secrets using the Vault Secrets Operator.
Automatically rotate database credentials with dynamic secrets engine for zero-knowledge security.
Automate certificate lifecycle management for internal services and mutual TLS.
Provide short-lived credentials to CI/CD pipelines via AppRole or GitHub Actions OIDC.
Manage Vault configuration as code using the Terraform Vault provider.
Meet SOC 2, PCI-DSS, HIPAA, and FedRAMP requirements with immutable audit logs.
Integrations
Terraform Vault provider for managing Vault configuration and policies as code.
Vault Secrets Operator and Vault Agent Injector for native Kubernetes integration.
OIDC-based authentication from GitHub Actions workflows without static credentials.
Dynamic AWS IAM credentials and EC2/IAM-based authentication methods.
Native HashiCorp Consul integration for service mesh secrets and ACL tokens.
Dynamic database credentials for PostgreSQL with configurable role TTLs.
Native HashiCorp Nomad integration for workload identity and secrets.
HashiCorp Vault lookup plugin for Ansible playbook secret retrieval.