diff --git a/content/vault/v1.20.x/content/docs/mcp-server/prompt-model.mdx b/content/vault/v1.20.x/content/docs/mcp-server/prompt-model.mdx
index ef60fefdd2..000896191d 100644
--- a/content/vault/v1.20.x/content/docs/mcp-server/prompt-model.mdx
+++ b/content/vault/v1.20.x/content/docs/mcp-server/prompt-model.mdx
@@ -8,7 +8,7 @@ description: |-
This topic provides example prompts for helping you manage HashiCorp Vault after installing the Vault model context protocol (MCP) server. Refer to [Deploy the Vault MCP server](/vault/docs/tools/mcp-server/deploy) for instructions on how to deploy the server.
-@include 'beta.mdx'
+@include 'alerts/beta.mdx'
## Overview
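Review bot: the new include path `alerts/beta.mdx` on the `@include` line is not accompanied by any change that adds or moves that partial, so please confirm it exists at that path for v1.20.x. While in this hunk, the description line links to `/vault/docs/tools/mcp-server/deploy`, but this file lives under `docs/mcp-server/` and the nav entry later in the patch uses `mcp-server/deploy`; check that the `tools/` segment is correct.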
@@ -80,6 +80,8 @@ The server performs the following operations:
#### Sample response
+
+
```text
Successfully stored database credentials in Vault:
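Review bot: the two lines added before the `text` fence under "Sample response" are both empty, and the same empty pair is repeated before and after every sample block in this file. If the intent is only spacing, a single blank line is enough between a heading and a fence; if a wrapper component was supposed to go on one of these lines, it is missing from the change.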
@@ -96,6 +98,8 @@ or by reading the secret directly from Vault.
to read from this path while following the principle of least privilege.
```
+
+
### Set up PKI certificate authority
The following prompt creates a complete PKI infrastructure for SSL/TLS certificates:
@@ -148,6 +152,8 @@ The server performs multiple coordinated operations:
#### PKI setup response
+
+
```text
Successfully configured PKI infrastructure for example.com:
@@ -177,6 +183,8 @@ The PKI infrastructure is ready to issue certificates for:
- Both server and client authentication use cases
```
+
+
### List and audit secrets
The following prompt performs security auditing across Vault:
@@ -207,6 +215,8 @@ mounts exist and list the secrets in the main KV store.
#### Audit response
+
+
```text
# Vault Security Audit Report
@@ -240,6 +250,8 @@ secret/
**Mount Health**: All mounts operational ✅
```
+
+
### Issue SSL certificates for applications
The following prompt demonstrates certificate lifecycle management:
@@ -270,6 +282,8 @@ the existing PKI role.
#### Certificate response
+
+
```text
Successfully issued SSL certificate for api.internal.example.com:
@@ -308,6 +322,8 @@ MIIEvgIBADANBgkqhkiG9w0BAQ...
Certificate expires in 30 days - set up renewal automation.
```
+
+
### Delete and cleanup secrets
The following prompt demonstrates secure cleanup operations:
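Review bot: the hunk context `MIIEvgIBADANBgkqhkiG9w0BAQ...` is the opening of a base64 PKCS#8 private key, so the "Certificate response" sample shows key material being returned into the model conversation without any guidance on handling it. Since the change already touches this block, consider adding a sentence next to the "Certificate expires in 30 days" reminder stating that the issued private key ends up in the MCP client's transcript and any logs it keeps, and should be moved to its destination and not left there.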
@@ -342,6 +358,8 @@ the entire legacy mount if it's empty.
#### Cleanup response
+
+
```text
Cleanup operations completed successfully:
@@ -364,23 +382,25 @@ Would you like me to remove the empty legacy path structure
or keep it for future use?
```
-## Best Practices for Vault MCP Prompts
+
+
+## Best practices for Vault MCP prompts
-### Effective Prompt Structure
+### Effective prompt structure
- **Be Specific**: Use exact mount paths and secret names
- **Include Context**: Mention the purpose (app credentials, certificates, etc.)
- **Specify Requirements**: TTL values, certificate parameters, security policies
- **Request Validation**: Ask for confirmation of operations before execution
-### Security Considerations
+### Security considerations
- **Principle of Least Privilege**: Request minimal necessary permissions
- **Audit Trail**: Ensure operations are logged and traceable
- **Secret Lifecycle**: Consider rotation, expiration, and cleanup
- **Access Patterns**: Design secrets structure for application access patterns
-### Common Use Cases
+### Common use cases
- **Application Secrets**: Database credentials, API keys, service tokens
- **PKI Management**: Certificate authorities, SSL certificates, key rotation
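Review bot: the headings in this hunk move to sentence case, but the bold bullet labels under them stay in title case ("**Be Specific**", "**Principle of Least Privilege**", "**Application Secrets**"), which leaves the section inconsistent. Either convert the labels in the same change ("**Be specific**", "**Principle of least privilege**") or note in the description that bullet labels are intentionally out of scope.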
diff --git a/content/vault/v1.20.x/content/docs/mcp-server/reference.mdx b/content/vault/v1.20.x/content/docs/mcp-server/reference.mdx
index 847bf4deb3..774a7c94ea 100644
--- a/content/vault/v1.20.x/content/docs/mcp-server/reference.mdx
+++ b/content/vault/v1.20.x/content/docs/mcp-server/reference.mdx
@@ -57,7 +57,7 @@ You can set one of the following transport protocols when starting the MCP serve
| `stdio` | Local development and direct integration with MCP clients | Uses standard input/output for JSON-RPC message communication | Automatically used when no specific transport mode is configured |
| `streamable-http`| Distributed setups, internal environments | HTTP-based transport with support for both direct HTTP requests | Enable by setting `TRANSPORT_MODE=streamable-http` |
-## HTTP Mode Configuration
+## HTTP mode configuration
At this stage, the MCP server is intended for local use only. If using the StreamableHTTP transport in production, always configure the MCP_ALLOWED_ORIGINS environment variable to restrict access to trusted origins only.
This helps prevent DNS rebinding attacks and other cross-origin vulnerabilities.
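Review bot: the paragraph under the renamed "HTTP mode configuration" heading says the server "is intended for local use only" and then gives advice for "using the StreamableHTTP transport in production", which reads as contradictory guidance on a security-relevant setting. Suggest rewording so the origin restriction is stated as required whenever `streamable-http` is enabled, and putting `MCP_ALLOWED_ORIGINS` in code formatting to match `TRANSPORT_MODE=streamable-http` in the table. The table cell "with support for both direct HTTP requests" also has a dangling "both" that could be fixed in the same pass.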
@@ -72,7 +72,7 @@ In HTTP mode, Vault configuration can be provided through multiple methods (**in
You can set the following environment variables to configure the server behavior.
-| Variable | Purpose | Default Value | Example | Options |
+| Variable | Purpose | Default value | Example | Options |
|--------------------------|--------------------------------------------------------------|---------------------------|--------------------------------|-----------------------------------------|
| `VAULT_ADDR` | Vault server address | `http://127.0.0.1:8200` | `http://vault.example.com:8200`| Any valid Vault server address |
| `VAULT_TOKEN` | Vault authentication token (required) | — | `hvs.xxxxxxxx` | Any valid Vault token |
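Review bot: the `VAULT_ADDR` row gives `http://vault.example.com:8200` as the example for a non-local Vault address, directly above a `VAULT_TOKEN` row marked required, so the documented example sends the token over plaintext HTTP. Since the header row is being edited anyway, change the example to `https://vault.example.com:8200` and keep `http://` only for the `127.0.0.1` default.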
diff --git a/content/vault/v1.20.x/data/docs-nav-data.json b/content/vault/v1.20.x/data/docs-nav-data.json
index 9baf184773..4b40a402d6 100644
--- a/content/vault/v1.20.x/data/docs-nav-data.json
+++ b/content/vault/v1.20.x/data/docs-nav-data.json
@@ -1981,11 +1981,11 @@
"path": "mcp-server/overview"
},
{
- "title": "Deploy Server",
+ "title": "Deploy server",
"path": "mcp-server/deploy"
},
{
- "title": "Prompt Model",
+ "title": "Prompt model",
"path": "mcp-server/prompt-model"
},
{
@@ -1993,7 +1993,7 @@
"path": "mcp-server/reference"
},
{
- "title": "Security Model",
+ "title": "Security model",
"path": "mcp-server/security-model"
}
]