7.6 L3

Hashicorp Vault

Established Assessed · Docs reviewed · Mar 16, 2026 Confidence 0.56 Last evaluated Mar 16, 2026

Score breakdown

Dimension Score Bar
Execution Score

Measures reliability, idempotency, error ergonomics, latency distribution, and schema stability.

8.0
Access Readiness Score

Measures how easily an agent can onboard, authenticate, and start using this service autonomously.

6.9
Aggregate AN Score

Composite score: 70% execution + 30% access readiness.

7.6

Autonomy breakdown

P1 Payment Autonomy
—
G1 Governance Readiness
—
W1 Web Agent Accessibility
—
Overall Autonomy
Pending

Active failure modes

No active failure modes reported.

Reviews

Published review summaries with trust provenance attached to each card.

How are reviews sourced?

Docs-backed Built from public docs and product materials.

Test-backed Backed by guided testing or evaluator-run checks.

Runtime-verified Verified from authenticated runtime evidence.

Vault: API Design — Secrets Engines & Auth Methods

Docs-backed

HTTP API at {vault-addr}/v1/ with a consistent path-based model. Every secrets engine is mounted at a path: /v1/secret/data/{key} for KV, /v1/database/creds/{role} for dynamic database credentials, /v1/aws/creds/{role} for AWS credentials, etc. The API is REST-like with JSON payloads. Reading a secret: GET /v1/{mount}/data/{path}. Writing: POST/PUT. Dynamic credential generation: GET /v1/{engine}/creds/{role} returns temporary credentials with a lease_id and TTL. Lease renewal: POST /v1/sys/leases/renew. Auth methods (token, AppRole, Kubernetes, AWS, LDAP, OIDC) each have their own login endpoint returning a Vault token. The path-based model is elegant: everything is a path, and policies grant access to path patterns. Batch operations via /v1/sys/tools/hash and transit bulk operations.

Rhumb editorial team Mar 16, 2026

HashiCorp Vault: Comprehensive Agent-Usability Assessment

Docs-backed

Vault is the industry standard for secrets management, and its dynamic secrets model is uniquely valuable for agents. Instead of storing static API keys, agents can request short-lived credentials on demand — Vault generates database credentials, AWS IAM keys, or TLS certificates with automatic expiration. This eliminates credential rotation as an agent concern. The core capabilities: KV secrets engine (static key-value storage), dynamic secrets (on-demand credential generation for AWS, databases, SSH, etc.), Transit engine (encryption/decryption without managing keys), PKI engine (certificate authority), and identity management. For agents, Vault transforms secrets management from 'store and rotate keys' to 'request credentials when needed with automatic cleanup.' The trade-off: Vault's operational complexity is significant for self-hosted deployments. HCP Vault Cloud reduces this burden.

Rhumb editorial team Mar 16, 2026

Vault: Auth — Identity-Based Access & AppRole

Docs-backed

Vault supports extensive auth methods: Token (direct), AppRole (machine-to-machine — recommended for agents), Kubernetes (pod identity), AWS (IAM role), Azure (managed identity), GCP (service account), LDAP, OIDC/JWT, GitHub, and more. AppRole is the standard agent auth method: the agent presents a role_id and secret_id to receive a Vault token with policy-attached permissions. Policies use HCL to define path-based access rules with fine granularity. Response wrapping adds a layer of token protection. Token TTLs enforce credential refresh. Identity groups aggregate policies across auth methods. For agents, AppRole provides clean machine authentication with policy-scoped access. The auth model is the most flexible among secrets management platforms — any identity system can be an auth source.

Rhumb editorial team Mar 16, 2026

Vault: Error Handling & Operational Concerns

Docs-backed

API errors return JSON with errors array containing descriptive messages. Standard HTTP status codes: 403 for permission denied, 404 for missing secrets, 429 for rate limits. Seal/unseal mechanism: Vault starts sealed (encrypted, inaccessible) and must be unsealed with key shares — this is a critical operational concern for self-hosted deployments. Auto-unseal with cloud KMS mitigates this. Lease expiration means dynamic credentials stop working at TTL — agents must renew or request new credentials before expiry. Vault audit logs every API call for compliance. Performance replication and DR replication provide high availability. The main reliability risk for agents: Vault unavailability blocks credential requests. Running Vault in HA mode with multiple nodes mitigates this. HCP Vault Cloud handles operational concerns automatically.

Rhumb editorial team Mar 16, 2026
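
The AppRole login, dynamic-credential read and lease renewal described in the reviews above, as an added example (not Rhumb's or HashiCorp's code). It assumes the default approle mount, a renew-at-two-thirds-of-TTL threshold, and hypothetical injectable transport and clock parameters so the logic can be exercised without a Vault server.

```python
import json, time, urllib.request, urllib.error

class VaultError(Exception):
    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {'; '.join(errors)}")
        self.status = status

def http_transport(method, url, headers, payload):
    """Send one request; return (status, parsed JSON) for success and error replies."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

class VaultAgent:
    # transport and clock are injectable seams (an assumption of this example)
    def __init__(self, addr, role_id, secret_id, transport=http_transport, clock=time.time):
        self.addr, self.transport, self.clock, self.token = addr.rstrip("/"), transport, clock, None
        auth = self.call("POST", "auth/approle/login",  # default AppRole mount assumed
                         {"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]

    def call(self, method, path, payload=None):
        headers = {"X-Vault-Token": self.token} if self.token else {}
        status, body = self.transport(method, f"{self.addr}/v1/{path}", headers, payload)
        if status >= 400:  # error replies carry {"errors": [...]}
            raise VaultError(status, body.get("errors", []))
        return body

    def fetch(self, path):
        """Read dynamic credentials (e.g. database/creds/{role}) and note the lease start."""
        lease = self.call("GET", path)
        return {"path": path, "issued": self.clock(), **lease}

    def fresh(self, lease, fraction=2 / 3):
        """Return a usable lease: unchanged, renewed, or re-issued if renewal is refused."""
        if self.clock() - lease["issued"] < lease["lease_duration"] * fraction:
            return lease
        try:
            renewed = self.call("POST", "sys/leases/renew", {"lease_id": lease["lease_id"]})
            return {**lease, "lease_duration": renewed["lease_duration"], "issued": self.clock()}
        except VaultError as err:
            if err.status in (403, 429) or err.status >= 500:
                raise  # denied, throttled or unavailable: caller backs off or alerts
            return self.fetch(lease["path"])  # other refusal, e.g. the lease no longer exists
```

Calling fresh() before each use of a credential keeps the agent inside the lease TTL; the role_id and secret_id should come from the deployment environment rather than source code.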

Vault: Documentation & Learning Resources

Docs-backed

Documentation at developer.hashicorp.com/vault is extensive — tutorials, API reference, concepts, and operational guides. The tutorial collection covers getting started, secrets engines, auth methods, policies, and production deployment. API reference documents every endpoint for every secrets and auth engine. The documentation's strength: it covers both the 'why' (security concepts, threat models) and the 'how' (API calls, configuration). HashiCorp Learn provides structured learning paths. Community is active on Discuss forums and GitHub. Client libraries: official Go client, community libraries for Python (hvac), Node.js, Ruby, Java. The documentation's main challenge: the breadth of features means navigating to the right content requires understanding Vault's architecture first. For agents, the AppRole tutorial and KV secrets engine tutorial are the essential starting points.

Rhumb editorial team Mar 16, 2026

Use in your agent

mcp
get_score ("hashicorp-vault")
● Hashicorp Vault 7.6 L4 Native
exec: 8.0 · access: 6.9

Trust & provenance

This score is documentation-derived. Treat it as a docs-based evaluation of API design, auth, error handling, and documentation quality.

Read how the score works, how disputes are handled, and how Rhumb scored itself before launch.

Overall tier

L4 Native

7.6 / 10.0

Alternatives

No alternatives captured yet.