---
# Naftiko capability definition: consumes the Azure Key Vault data-plane API
# (keys, secrets, certificates) and re-exposes a subset of it as a REST API
# (port 8080) and as an MCP tool server (port 9090).
#
# NOTE(review): the block structure below is reconstructed from a
# whitespace-collapsed listing; verify the nesting against the original file.
naftiko: '1.0.0-alpha2'
info:
  label: Azure Key Vault Secrets and Keys
  description: >-
    Unified workflow for managing cryptographic keys, secrets, and certificates
    with encryption, signing, and certificate lifecycle operations. Used by
    security engineers and DevOps teams.
  tags:
    - Azure
    - Key Vault
    - Security
    - Secrets Management
  created: '2026-04-18'
  modified: '2026-05-06'

# The vault credential is taken from the process environment.
# NOTE(review): one environment-supplied bearer token backs every operation in
# this file, so any caller that can reach the exposed ports acts with that
# token's vault permissions. Confirm the identity behind it is scoped to the
# operations actually needed and how the token is rotated or refreshed.
binds:
  - namespace: env
    keys:
      AZURE_KEY_VAULT_TOKEN: AZURE_KEY_VAULT_TOKEN

capability:
  consumes:
    - type: http
      namespace: key-vault
      # NOTE(review): "myvault" looks like a placeholder vault name; confirm
      # it is replaced per deployment.
      baseUri: https://myvault.vault.azure.net
      description: Azure Key Vault Data Plane API for key, secret, and certificate operations.
      authentication:
        type: bearer
        token: '{{AZURE_KEY_VAULT_TOKEN}}'
      # NOTE(review): only list-keys declares the api-version query parameter,
      # and no exposed operation passes it through `with`. Confirm how
      # api-version reaches the vault for each operation below.
      #
      # NOTE(review): request bodies reference tools.keyType, tools.algorithm,
      # tools.value, tools.digest and tools.signature. No `with` block in the
      # exposures maps these, and the REST operations reference rest.* values;
      # confirm they resolve as intended (notably for REST set-secret).
      resources:
        # ---- Keys ----
        - name: keys
          path: /keys
          description: Key management.
          operations:
            - name: list-keys
              method: GET
              description: List keys in the vault.
              inputParameters:
                - name: api-version
                  in: query
                  type: string
                  required: true
                  description: API version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: key-create
          path: /keys/{key-name}/create
          description: Key creation.
          operations:
            - name: create-key
              method: POST
              description: Create a new key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  kty: '{{tools.keyType}}'
        - name: key-details
          path: /keys/{key-name}/{key-version}
          description: Individual key operations.
          operations:
            - name: get-key
              method: GET
              description: Get a key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # NOTE(review): update-key declares no request body and is not
            # called by either exposure in this file; confirm it is intended.
            - name: update-key
              method: PATCH
              description: Update key attributes.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: key-delete
          path: /keys/{key-name}
          description: Key deletion.
          operations:
            - name: delete-key
              method: DELETE
              description: Delete a key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # ---- Cryptographic operations performed by the vault ----
        - name: key-encrypt
          path: /keys/{key-name}/{key-version}/encrypt
          description: Encryption operations.
          operations:
            - name: encrypt
              method: POST
              description: Encrypt data using a key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  alg: '{{tools.algorithm}}'
                  value: '{{tools.value}}'
        - name: key-decrypt
          path: /keys/{key-name}/{key-version}/decrypt
          description: Decryption operations.
          operations:
            # The whole response is passed back as `result`, so decrypted
            # plaintext flows to whichever exposure invoked this operation.
            - name: decrypt
              method: POST
              description: Decrypt data using a key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  alg: '{{tools.algorithm}}'
                  value: '{{tools.value}}'
        - name: key-sign
          path: /keys/{key-name}/{key-version}/sign
          description: Signing operations.
          operations:
            - name: sign
              method: POST
              description: Sign a digest using a key.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  alg: '{{tools.algorithm}}'
                  value: '{{tools.digest}}'
        - name: key-verify
          path: /keys/{key-name}/{key-version}/verify
          description: Verification operations.
          operations:
            - name: verify
              method: POST
              description: Verify a signature.
              inputParameters:
                - name: key-name
                  in: path
                  type: string
                  required: true
                  description: Key name.
                - name: key-version
                  in: path
                  type: string
                  required: true
                  description: Key version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  alg: '{{tools.algorithm}}'
                  digest: '{{tools.digest}}'
                  value: '{{tools.signature}}'
        # ---- Secrets ----
        - name: secrets
          path: /secrets
          description: Secret management.
          operations:
            - name: list-secrets
              method: GET
              description: List secrets in the vault.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: secret-set
          path: /secrets/{secret-name}
          description: Secret creation and deletion.
          operations:
            - name: set-secret
              method: PUT
              description: Set a secret value.
              inputParameters:
                - name: secret-name
                  in: path
                  type: string
                  required: true
                  description: Secret name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  value: '{{tools.value}}'
            - name: delete-secret
              method: DELETE
              description: Delete a secret.
              inputParameters:
                - name: secret-name
                  in: path
                  type: string
                  required: true
                  description: Secret name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: secret-details
          path: /secrets/{secret-name}/{secret-version}
          description: Individual secret operations.
          operations:
            # The whole response is passed back as `result`, so the secret
            # value itself is returned to the caller of the exposure.
            - name: get-secret
              method: GET
              description: Get a secret value.
              inputParameters:
                - name: secret-name
                  in: path
                  type: string
                  required: true
                  description: Secret name.
                - name: secret-version
                  in: path
                  type: string
                  required: true
                  description: Secret version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # ---- Certificates ----
        - name: certificates
          path: /certificates
          description: Certificate management.
          operations:
            - name: list-certificates
              method: GET
              description: List certificates in the vault.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: certificate-create
          path: /certificates/{certificate-name}/create
          description: Certificate creation.
          operations:
            - name: create-certificate
              method: POST
              description: Create a new certificate.
              inputParameters:
                - name: certificate-name
                  in: path
                  type: string
                  required: true
                  description: Certificate name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: certificate-details
          path: /certificates/{certificate-name}/{certificate-version}
          description: Individual certificate operations.
          operations:
            - name: get-certificate
              method: GET
              description: Get a certificate.
              inputParameters:
                - name: certificate-name
                  in: path
                  type: string
                  required: true
                  description: Certificate name.
                - name: certificate-version
                  in: path
                  type: string
                  required: true
                  description: Certificate version.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: certificate-delete
          path: /certificates/{certificate-name}
          description: Certificate deletion.
          operations:
            - name: delete-certificate
              method: DELETE
              description: Delete a certificate.
              inputParameters:
                - name: certificate-name
                  in: path
                  type: string
                  required: true
                  description: Certificate name.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

  exposes:
    # REST facade over the consumed operations.
    # NOTE(review): this exposure declares no caller authentication in this
    # file, yet it serves get-secret, set-secret and the delete operations
    # using the shared vault token. Confirm how callers are authenticated and
    # authorised, and which network interfaces port 8080 is reachable from.
    - type: rest
      port: 8080
      namespace: secrets-and-keys-api
      description: Unified REST API for Azure Key Vault secrets, keys, and certificates.
      resources:
        - path: /v1/keys
          name: keys
          description: Key management.
          operations:
            - method: GET
              name: list-keys
              description: List keys.
              call: key-vault.list-keys
              outputParameters:
                - type: object
                  mapping: $.
            # NOTE(review): no `with` mapping here, although the consumed
            # create-key marks key-name as required; confirm where the key
            # name comes from.
            - method: POST
              name: create-key
              description: Create a key.
              call: key-vault.create-key
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/keys/{id}
          name: key-details
          description: Individual key management.
          operations:
            # NOTE(review): only key-name is mapped; the consumed get-key also
            # marks key-version as required.
            - method: GET
              name: get-key
              description: Get a key.
              call: key-vault.get-key
              with:
                key-name: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: delete-key
              description: Delete a key.
              call: key-vault.delete-key
              with:
                key-name: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secrets
          name: secrets
          description: Secret management.
          operations:
            - method: GET
              name: list-secrets
              description: List secrets.
              call: key-vault.list-secrets
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/secrets/{id}
          name: secret-details
          description: Individual secret management.
          operations:
            - method: PUT
              name: set-secret
              description: Set a secret.
              call: key-vault.set-secret
              with:
                secret-name: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            # NOTE(review): only secret-name is mapped; the consumed
            # get-secret also marks secret-version as required.
            - method: GET
              name: get-secret
              description: Get a secret.
              call: key-vault.get-secret
              with:
                secret-name: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: delete-secret
              description: Delete a secret.
              call: key-vault.delete-secret
              with:
                secret-name: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/certificates
          name: certificates
          description: Certificate management.
          operations:
            - method: GET
              name: list-certificates
              description: List certificates.
              call: key-vault.list-certificates
              outputParameters:
                - type: object
                  mapping: $.

    # MCP tool server over the same consumed operations.
    # NOTE(review): no caller authentication is declared on this exposure in
    # this file. Tool results are returned whole (`mapping: $.`), so secret
    # values and decrypted plaintext enter the calling model's context.
    # The `hints` are advisory metadata: `readOnly: true` on get-secret says
    # the vault is not modified, not that the result is low-sensitivity.
    # Confirm the client does not auto-approve tools on that hint alone.
    - type: mcp
      port: 9090
      namespace: secrets-and-keys-mcp
      transport: http
      description: MCP server for AI-assisted Key Vault secrets, keys, and certificate management.
      tools:
        - name: list-keys
          description: List cryptographic keys in the vault.
          hints:
            readOnly: true
            openWorld: true
          call: key-vault.list-keys
          outputParameters:
            - type: object
              mapping: $.
        - name: create-key
          description: Create a new cryptographic key.
          hints:
            readOnly: false
          call: key-vault.create-key
          with:
            key-name: tools.keyName
          outputParameters:
            - type: object
              mapping: $.
        - name: get-key
          description: Get key details.
          hints:
            readOnly: true
          call: key-vault.get-key
          with:
            key-name: tools.keyName
            key-version: tools.keyVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-key
          description: Delete a key.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: key-vault.delete-key
          with:
            key-name: tools.keyName
          outputParameters:
            - type: object
              mapping: $.
        - name: encrypt
          description: Encrypt data using a key.
          hints:
            readOnly: false
            idempotent: true
          call: key-vault.encrypt
          with:
            key-name: tools.keyName
            key-version: tools.keyVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: decrypt
          description: Decrypt data using a key.
          hints:
            readOnly: false
            idempotent: true
          call: key-vault.decrypt
          with:
            key-name: tools.keyName
            key-version: tools.keyVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: sign
          description: Sign a digest using a key.
          hints:
            readOnly: false
          call: key-vault.sign
          with:
            key-name: tools.keyName
            key-version: tools.keyVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: verify
          description: Verify a signature.
          hints:
            readOnly: true
          call: key-vault.verify
          with:
            key-name: tools.keyName
            key-version: tools.keyVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: list-secrets
          description: List secrets in the vault.
          hints:
            readOnly: true
            openWorld: true
          call: key-vault.list-secrets
          outputParameters:
            - type: object
              mapping: $.
        - name: set-secret
          description: Set a secret value.
          hints:
            readOnly: false
            idempotent: true
          call: key-vault.set-secret
          with:
            secret-name: tools.secretName
          outputParameters:
            - type: object
              mapping: $.
        - name: get-secret
          description: Get a secret value.
          hints:
            readOnly: true
          call: key-vault.get-secret
          with:
            secret-name: tools.secretName
            secret-version: tools.secretVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-secret
          description: Delete a secret.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: key-vault.delete-secret
          with:
            secret-name: tools.secretName
          outputParameters:
            - type: object
              mapping: $.
        - name: list-certificates
          description: List certificates in the vault.
          hints:
            readOnly: true
            openWorld: true
          call: key-vault.list-certificates
          outputParameters:
            - type: object
              mapping: $.
        - name: create-certificate
          description: Create a new certificate.
          hints:
            readOnly: false
          call: key-vault.create-certificate
          with:
            certificate-name: tools.certificateName
          outputParameters:
            - type: object
              mapping: $.
        - name: get-certificate
          description: Get a certificate.
          hints:
            readOnly: true
          call: key-vault.get-certificate
          with:
            certificate-name: tools.certificateName
            certificate-version: tools.certificateVersion
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-certificate
          description: Delete a certificate.
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: key-vault.delete-certificate
          with:
            certificate-name: tools.certificateName
          outputParameters:
            - type: object
              mapping: $.