Security considerations for the Vault Radar MCP server

Integrating security workflows with agentic AI tools requires careful consideration of the security model for the Vault Radar MCP server.

Learn more about the HCP Vault Radar security model for information about how Vault Radar protects your secrets and sensitive information.

Beta feature

This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Overview

HCP Vault Radar scans supported data sources for leaked secrets and sensitive information.

Data storage

The Vault Radar service does not store any discovered secrets. Because Vault Radar does not store secrets, it is impossible for secrets to leak through Vault Radar, or its supported tools like the Vault Radar CLI or the Vault Radar MCP server.

The Vault Radar MCP server operates in a stateless manner, meaning it does not persist any data between requests. It processes each request independently, and formats the response for the target large language model (LLM).

Authentication

HCP Vault Radar API authentication

The Vault Radar MCP server connects to a subset of the Vault Radar API's using a project level service principal with the viewer role.

By using the viewer role, there is no risk of changing the Vault Radar configuration.

MCP server authentication

The Vault Radar MCP server operates as a standalone service, utilizing the MCP standard input/output (STDIO) transport.

This allows AI tools to connect to the MCP server only within the context of the local environment, mitigating common attack vectors such as token pass-through or session hijacking.