Vault MCP Server (mschuchard)

138 tools. 80 can modify or destroy data without limits.

24 destructive tools with no built-in limits. Policy required.

Last updated:

80 can modify or destroy data
58 read-only
138 tools total

Community server · catalogue entry verified 04/07/2026

How to control Vault MCP Server (mschuchard) ↓

What Vault MCP Server (mschuchard) exposes to your agents

Read (58) Write / Execute (56) Destructive / Financial (24)
Critical Risk

The most dangerous Vault MCP Server (mschuchard) tools

80 of Vault MCP Server (mschuchard)'s 138 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Vault MCP Server (mschuchard)

PolicyLayer is an MCP gateway — it sits between your AI agents and Vault MCP Server (mschuchard), and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "database-connection-delete": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "audit-device-disable": {
    "limits": [
      {
        "counter": "audit-device-disable_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "audit-devices-list": {
    "limits": [
      {
        "counter": "audit-devices-list_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Vault MCP Server (mschuchard) — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON VAULT MCP SERVER (MSCHUCHARD) →

Instant setup, no code required.

All 138 Vault MCP Server (mschuchard) tools

WRITE 39 tools
Write audit-device-disable audit-device-disable Write audit-device-enable audit-device-enable Write authentication-engine-disable authentication-engine-disable Write authentication-engine-enable authentication-engine-enable Write authentication-engine-tune authentication-engine-tune Write database-credentials-generate database-credentials-generate Write database-role-create database-role-create Write database-static-role-create database-static-role-create Write identity-entities-merge identity-entities-merge Write identity-entity-alias-create-or-update identity-entity-alias-create-or-update Write identity-entity-alias-update identity-entity-alias-update Write identity-entity-create-or-update identity-entity-create-or-update Write identity-entity-update identity-entity-update Write identity-group-alias-create-or-update identity-group-alias-create-or-update Write identity-group-alias-update identity-group-alias-update Write identity-group-create-or-update identity-group-create-or-update Write identity-group-update identity-group-update Write identity-oidc-configure identity-oidc-configure Write identity-oidc-key-create-or-update identity-oidc-key-create-or-update Write identity-oidc-role-create-or-update identity-oidc-role-create-or-update Write kv2-configure-backend kv2-configure-backend Write kv2-create-or-update kv2-create-or-update Write kv2-patch kv2-patch Write kv2-update-metadata kv2-update-metadata Write pki-create-update-role pki-create-update-role Write pki-set-crl-configuration pki-set-crl-configuration Write pki-set-signed-intermediate pki-set-signed-intermediate Write pki-set-urls pki-set-urls Write pki-submit-ca-information pki-submit-ca-information Write pki-update-issuer pki-update-issuer Write policy-create-or-update policy-create-or-update Write raft-auto-snapshot-config-create-or-update raft-auto-snapshot-config-create-or-update Write secret-engine-disable secret-engine-disable Write secret-engine-enable secret-engine-enable Write secret-engine-move secret-engine-move Write secret-engine-tune-configuration secret-engine-tune-configuration Write transit-engine-encryption-key-create transit-engine-encryption-key-create Write transit-engine-encryption-key-update-config transit-engine-encryption-key-update-config Write transit-engine-generate-random-bytes transit-engine-generate-random-bytes
READ 58 tools
Read audit-devices-list audit-devices-list Read authentication-engine-read authentication-engine-read Read authentication-engines-list authentication-engines-list Read database-connection-read database-connection-read Read database-connections-list database-connections-list Read database-role-read database-role-read Read database-roles-list database-roles-list Read database-static-credentials-get database-static-credentials-get Read database-static-role-read database-static-role-read Read database-static-roles-list database-static-roles-list Read identity-entities-list identity-entities-list Read identity-entity-alias-read identity-entity-alias-read Read identity-entity-aliases-list identity-entity-aliases-list Read identity-entity-lookup identity-entity-lookup Read identity-entity-read identity-entity-read Read identity-entity-read-by-name identity-entity-read-by-name Read identity-group-alias-read identity-group-alias-read Read identity-group-aliases-list identity-group-aliases-list Read identity-group-lookup identity-group-lookup Read identity-group-read identity-group-read Read identity-group-read-by-name identity-group-read-by-name Read identity-groups-list identity-groups-list Read identity-oidc-configuration-read identity-oidc-configuration-read Read identity-oidc-key-read identity-oidc-key-read Read identity-oidc-keys-list identity-oidc-keys-list Read identity-oidc-public-keys-read identity-oidc-public-keys-read Read identity-oidc-role-read identity-oidc-role-read Read identity-oidc-roles-list identity-oidc-roles-list Read identity-oidc-token-introspect identity-oidc-token-introspect Read identity-oidc-well-known-read identity-oidc-well-known-read Read kv2-list kv2-list Read kv2-metadata-and-versions kv2-metadata-and-versions Read kv2-read kv2-read Read kv2-read-backend-configuration kv2-read-backend-configuration Read kv2-undelete kv2-undelete Read pki-list-certificates pki-list-certificates Read pki-list-issuers pki-list-issuers Read pki-list-roles pki-list-roles Read pki-read-certificate pki-read-certificate Read pki-read-crl pki-read-crl Read pki-read-crl-configuration pki-read-crl-configuration Read pki-read-issuer pki-read-issuer Read pki-read-role pki-read-role Read pki-read-root-ca pki-read-root-ca Read pki-read-root-ca-chain pki-read-root-ca-chain Read pki-read-urls pki-read-urls Read policies-list policies-list Read policy-read policy-read Read raft-auto-snapshot-config-read raft-auto-snapshot-config-read Read raft-auto-snapshot-configs-list raft-auto-snapshot-configs-list Read raft-auto-snapshot-status-read raft-auto-snapshot-status-read Read raft-config-read raft-config-read Read raft-snapshot-take raft-snapshot-take Read secret-engine-read-configuration secret-engine-read-configuration Read secret-engine-retrieve-option secret-engine-retrieve-option Read secret-engines-list secret-engines-list Read transit-engine-encryption-key-read transit-engine-encryption-key-read Read transit-engine-encryption-keys-list transit-engine-encryption-keys-list

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about Vault MCP Server (mschuchard)

Can an AI agent delete data through the Vault MCP Server (mschuchard) MCP server? +

Yes. The Vault MCP Server (mschuchard) server exposes 24 destructive tools including database-connection-delete, database-role-delete, database-static-role-delete. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Vault MCP Server (mschuchard)? +

The Vault MCP Server (mschuchard) server has 39 write tools including audit-device-disable, audit-device-enable, authentication-engine-disable. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Vault MCP Server (mschuchard).

How many tools does the Vault MCP Server (mschuchard) MCP server expose? +

138 tools across 3 categories: Destructive, Read, Write. 58 are read-only. 80 can modify, create, or delete data.

How do I enforce a policy on Vault MCP Server (mschuchard)? +

Register the Vault MCP Server (mschuchard) MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Vault MCP Server (mschuchard) tool call.

Deterministic rules across all 138 Vault MCP Server (mschuchard) tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

138 Vault MCP Server (mschuchard) tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.