New | Vault Plugin

plugin_directory = "/Users/yourname/vault/plugins"

api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"

ui = true

A "new" plugin isn't finished when it compiles. You must consider upgrades.

Vault 1.10+ introduced plugin reloading. You no longer need to restart the Vault core every time you change a plugin. Instead:

This is the gold standard for Vault plugin lifecycle management.

Vault and the plugin SDK negotiate a protocol version. If you use SDK version 1.0.0 but Vault is version 1.15+, you may see an Unsupported protocol version error. Rule: always use the latest SDK (go get github.com/hashicorp/vault/sdk@latest) and ensure your go.mod matches Vault's minor version.



Every new plugin starts with this skeleton:

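package main

import (
	"context"
	"log"
	"os"

	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/sdk/plugin"
	"github.com/your-company/my-crm-plugin/backend"
)

func main() {
	// Backend type: "secrets" (or "auth"). It is declared by the backend
	// itself and at registration time, not in ServeOpts.
	err := plugin.Serve(&plugin.ServeOpts{
		// Vault calls this factory to obtain an instance of the backend.
		// backend.New is this page's own constructor and is assumed to
		// return a logical.Backend.
		BackendFactoryFunc: func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
			return backend.New(), nil
		},
	}) // Defaults to reading PLUGIN_PROTOCOL_VERSION from env
	if err != nil {
		log.Println(err)
		os.Exit(1)
	}
}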

This is the heartbeat of your "new" plugin. When Vault calls it, it says, "Give me an instance of your backend."




Create a Makefile:

.PHONY: build
build:
	go build -o vault-plugin-my-plugin main.go

.PHONY: dev
dev: build
	mv vault-plugin-my-plugin ~/.vault/plugins/

Build and install:

make build
make dev

Registration makes Vault aware of the plugin. Mounting makes it live.

vault secrets enable -path=crm my-crm

Now your custom logic is accessible at vault read crm/.... If your plugin requires configuration (like API keys for the external CRM), you typically write to a /config endpoint:

vault write crm/config api_key="secret_key_xyz"
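
The registration step mentioned above pins the plugin binary by its SHA-256, so every upgrade means registering the new checksum before reloading. The script below is an added example, not code from the original page; the catalog name my-crm, the binary name vault-plugin-my-plugin and the mount path crm are taken from the commands above, and the script's function names and flags (--print, --install, --upgrade) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: catalog entry
# "my-crm", binary "vault-plugin-my-plugin", mount path "crm".

# Print the SHA-256 of a file as lowercase hex (GNU coreutils or BSD/macOS).
plugin_sha256() {
    [ -f "$1" ] || { echo "no such plugin binary: $1" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file matches the checksum recorded when it was built.
# $1 = file, $2 = expected hex digest
verify_release() {
    actual=$(plugin_sha256 "$1") || return 1
    [ "$actual" = "$2" ]
}

# Print the registration command that pins the binary by checksum.
# $1 = plugin_directory, $2 = binary file name, $3 = catalog name
register_cmd() {
    sum=$(plugin_sha256 "$1/$2") || return 1
    printf 'vault plugin register -sha256=%s -command=%s secret %s\n' "$sum" "$2" "$3"
}

# Usage: sh install-plugin.sh --print <plugin_dir>
#        sh install-plugin.sh --install|--upgrade <plugin_dir> <expected_sha256>
case "${1:-}" in
--print)
    register_cmd "$2" vault-plugin-my-plugin my-crm
    ;;
--install|--upgrade)
    dir=$2 expected=$3 bin=vault-plugin-my-plugin name=my-crm
    # Refuse to register a binary that differs from the one that was built.
    verify_release "$dir/$bin" "$expected" || { echo "checksum mismatch" >&2; exit 1; }
    vault plugin register -sha256="$expected" -command="$bin" secret "$name" || exit 1
    if [ "$1" = "--install" ]; then
        vault secrets enable -path=crm "$name"   # first mount
    else
        vault plugin reload -plugin="$name"      # pick up the new binary
    fi
    ;;
esac
```

Record the expected checksum where the binary is built, not on the Vault host, so a binary altered in the plugin directory fails the comparison instead of being registered.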