Azure Key Vault · Capability

Azure Key Vault Secrets and Keys

Unified workflow for managing cryptographic keys, secrets, and certificates with encryption, signing, and certificate lifecycle operations. Used by security engineers and DevOps teams.

Tags: Azure, Key Vault, Security, Secrets Management

What You Can Do

GET /v1/keys: List keys.
POST /v1/keys: Create a key.
GET /v1/keys/{id}: Get a key.
DELETE /v1/keys/{id}: Delete a key.
GET /v1/secrets: List secrets.
PUT /v1/secrets/{id}: Set a secret.
GET /v1/secrets/{id}: Get a secret.
DELETE /v1/secrets/{id}: Delete a secret.
GET /v1/certificates: List certificates.

MCP Tools

list-keys (read-only): List cryptographic keys in the vault.
create-key: Create a new cryptographic key.
get-key (read-only): Get key details.
delete-key (idempotent): Delete a key.
encrypt (idempotent): Encrypt data using a key.
decrypt (idempotent): Decrypt data using a key.
sign: Sign a digest using a key.
verify (read-only): Verify a signature.
list-secrets (read-only): List secrets in the vault.
set-secret (idempotent): Set a secret value.
get-secret (read-only): Get a secret value.
delete-secret (idempotent): Delete a secret.
list-certificates (read-only): List certificates in the vault.
create-certificate: Create a new certificate.
get-certificate (read-only): Get a certificate.
delete-certificate (idempotent): Delete a certificate.

APIs Used

key-vault

Capability Spec

secrets-and-keys.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "Azure Key Vault Secrets and Keys"
  description: "Unified workflow for managing cryptographic keys, secrets, and certificates with encryption, signing, and certificate lifecycle operations. Used by security engineers and DevOps teams."
  tags:
    - Azure
    - Key Vault
    - Security
    - Secrets Management
  created: "2026-04-18"
  modified: "2026-04-18"

binds:
  - namespace: env
    keys:
      AZURE_KEY_VAULT_TOKEN: AZURE_KEY_VAULT_TOKEN

capability:
  consumes:
    - import: key-vault
      location: ./shared/key-vault-data-plane.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: secrets-and-keys-api
      description: "Unified REST API for Azure Key Vault secrets, keys, and certificates."
      resources:
        - path: /v1/keys
          name: keys
          description: "Key management."
          operations:
            - method: GET
              name: list-keys
              description: "List keys."
              call: "key-vault.list-keys"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-key
              description: "Create a key."
              call: "key-vault.create-key"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/keys/{id}
          name: key-details
          description: "Individual key management."
          operations:
            - method: GET
              name: get-key
              description: "Get a key."
              call: "key-vault.get-key"
              with:
                key-name: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: DELETE
              name: delete-key
              description: "Delete a key."
              call: "key-vault.delete-key"
              with:
                key-name: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/secrets
          name: secrets
          description: "Secret management."
          operations:
            - method: GET
              name: list-secrets
              description: "List secrets."
              call: "key-vault.list-secrets"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/secrets/{id}
          name: secret-details
          description: "Individual secret management."
          operations:
            - method: PUT
              name: set-secret
              description: "Set a secret."
              call: "key-vault.set-secret"
              with:
                secret-name: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: GET
              name: get-secret
              description: "Get a secret."
              call: "key-vault.get-secret"
              with:
                secret-name: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: DELETE
              name: delete-secret
              description: "Delete a secret."
              call: "key-vault.delete-secret"
              with:
                secret-name: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/certificates
          name: certificates
          description: "Certificate management."
          operations:
            - method: GET
              name: list-certificates
              description: "List certificates."
              call: "key-vault.list-certificates"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: secrets-and-keys-mcp
      transport: http
      description: "MCP server for AI-assisted Key Vault secrets, keys, and certificate management."
      tools:
        - name: list-keys
          description: "List cryptographic keys in the vault."
          hints:
            readOnly: true
            openWorld: true
          call: "key-vault.list-keys"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-key
          description: "Create a new cryptographic key."
          hints:
            readOnly: false
          call: "key-vault.create-key"
          with:
            key-name: "tools.keyName"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-key
          description: "Get key details."
          hints:
            readOnly: true
          call: "key-vault.get-key"
          with:
            key-name: "tools.keyName"
            key-version: "tools.keyVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: delete-key
          description: "Delete a key."
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: "key-vault.delete-key"
          with:
            key-name: "tools.keyName"
          outputParameters:
            - type: object
              mapping: "$."
        - name: encrypt
          description: "Encrypt data using a key."
          hints:
            readOnly: false
            idempotent: true
          call: "key-vault.encrypt"
          with:
            key-name: "tools.keyName"
            key-version: "tools.keyVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: decrypt
          description: "Decrypt data using a key."
          hints:
            readOnly: false
            idempotent: true
          call: "key-vault.decrypt"
          with:
            key-name: "tools.keyName"
            key-version: "tools.keyVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: sign
          description: "Sign a digest using a key."
          hints:
            readOnly: false
          call: "key-vault.sign"
          with:
            key-name: "tools.keyName"
            key-version: "tools.keyVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: verify
          description: "Verify a signature."
          hints:
            readOnly: true
          call: "key-vault.verify"
          with:
            key-name: "tools.keyName"
            key-version: "tools.keyVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-secrets
          description: "List secrets in the vault."
          hints:
            readOnly: true
            openWorld: true
          call: "key-vault.list-secrets"
          outputParameters:
            - type: object
              mapping: "$."
        - name: set-secret
          description: "Set a secret value."
          hints:
            readOnly: false
            idempotent: true
          call: "key-vault.set-secret"
          with:
            secret-name: "tools.secretName"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-secret
          description: "Get a secret value."
          hints:
            readOnly: true
          call: "key-vault.get-secret"
          with:
            secret-name: "tools.secretName"
            secret-version: "tools.secretVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: delete-secret
          description: "Delete a secret."
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: "key-vault.delete-secret"
          with:
            secret-name: "tools.secretName"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-certificates
          description: "List certificates in the vault."
          hints:
            readOnly: true
            openWorld: true
          call: "key-vault.list-certificates"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-certificate
          description: "Create a new certificate."
          hints:
            readOnly: false
          call: "key-vault.create-certificate"
          with:
            certificate-name: "tools.certificateName"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-certificate
          description: "Get a certificate."
          hints:
            readOnly: true
          call: "key-vault.get-certificate"
          with:
            certificate-name: "tools.certificateName"
            certificate-version: "tools.certificateVersion"
          outputParameters:
            - type: object
              mapping: "$."
        - name: delete-certificate
          description: "Delete a certificate."
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: "key-vault.delete-certificate"
          with:
            certificate-name: "tools.certificateName"
          outputParameters:
            - type: object
              mapping: "$."