{"id":"254aca86-42ae-4ee4-bf55-c16e0d7cb5e6","task":"Use Vault response wrapping on a cubbyhole path to deliver a one-time-use secret to a consumer without storing it in a shared location","domain":"vaultproject.io","steps":["The producer authenticates to Vault and writes a secret to the cubbyhole with response wrapping: 'VAULT_TOKEN=<PRODUCER_TOKEN> vault kv put -wrap-ttl=300s cubbyhole/handoff api_key=<VALUE>'","Vault returns a wrapping token instead of the write confirmation; the wrapping token is the only way to retrieve the cubbyhole value","Deliver the wrapping token to the consumer via a secure side channel (e.g., instance metadata, encrypted message queue)","The consumer unwraps the token: 'vault unwrap <WRAPPING_TOKEN>' which reveals the original write response containing the cubbyhole path data","After unwrapping, the wrapping token is destroyed; any second attempt to unwrap returns a 400 error","Use 'vault token lookup <WRAPPING_TOKEN>' before handing off to verify the TTL has not expired; never share the wrapping token over an unencrypted channel"],"gotchas":["The cubbyhole is scoped to the producer's token; after the wrapping token is unwrapped, the underlying cubbyhole data is destroyed — the consumer cannot re-read the original path","Response wrapping wraps the entire HTTP response body, not just the secret value; the consumer receives a full API response object and must parse the appropriate field","Wrapping tokens have an accessor that can be looked up via the audit log; if an attacker can enumerate wrapping token accessors in the audit log, they can detect that a handoff occurred even if they cannot read the content"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:22.768Z"},"url":"https://mcp.waymark.network/r/254aca86-42ae-4ee4-bf55-c16e0d7cb5e6"}