Vault Cortex
vault-cortex gives MCP clients full, headless access to an Obsidian vault through 23 tools — no Obsidian instance required. Capabilities include:
Vault CRUD: Read, write, patch (heading-targeted edits), find-and-replace, list, and delete notes.
Full-text search: BM25/FTS5-ranked search with phrase matching, stemming, and filters (tags, folder, properties). Also search by tag (hierarchical prefix match), browse by folder with metadata, and list recent notes.
Tag management: List all tags with usage counts; search notes by tag.
Structured memory: Read, update (append dated entries), and delete entries in
About Me/memory files; discover memory files and their sections.Properties (frontmatter): List all property keys with counts/sample values, enumerate distinct values per key, search notes by key-value pair, and update properties without touching the note body.
Link graph: Find backlinks (notes linking to a given note), outgoing links (with broken-link detection), and orphan notes (no incoming links).
Daily notes: Resolve and read today's or any date's daily note using the vault's configured settings.
Auth: Supports OAuth 2.1 (JWT) and static bearer token.
Provides full access to an Obsidian vault, allowing AI agents to search, read, write, manage structured memory, query backlinks, and work with daily notes.
What is this?
Vault Cortex gives any MCP client — Claude Desktop, Claude Code, Cursor, OpenCode — full access to your Obsidian vault. Search notes, read and write content, query the link graph, manage structured memory, and resolve daily notes — all through 23 tools over a single Docker container.
The typical Obsidian + MCP setup requires three moving parts running simultaneously: Obsidian open → Local REST API plugin → a separate MCP server wrapping the REST API. Vault Cortex replaces all of that with Docker and your vault folder.
Plugin-free — Obsidian doesn't need to be running; headless sync keeps the vault current, and the server works directly with
.mdfiles on diskRemote access — works from your phone, a remote server, or any MCP client via OAuth 2.1
Ranked search — SQLite FTS5 with BM25 scoring, stemming, phrase matching, and tag/property/folder filtering
Structured memory — dated entries, section targeting, auto-initialization for AI personalization
Obsidian-native — understands frontmatter, wikilinks, tags, headings, and daily notes
Roadmap
Phase | What | Status |
1 | Vault CRUD, full-text search (FTS5), memory layer, OAuth 2.1 | Complete |
2 | Semantic search + knowledge graph via LightRAG | Planned |
Related MCP server: Vault MCP Server (mschuchard)
Quick Start
Local (5 minutes — Docker + your vault folder)
Prerequisites: Docker and an Obsidian vault (or any folder of .md files).
# 1. Get the quickstart files
curl -O https://raw.githubusercontent.com/aliasunder/vault-cortex/main/deploy/local/docker-compose.yml
curl -O https://raw.githubusercontent.com/aliasunder/vault-cortex/main/deploy/local/.env.example
# 2. Configure
cp .env.example .env
# Edit .env — set MCP_AUTH_TOKEN (openssl rand -hex 32) and VAULT_PATH
# 3. Start
docker compose upConnect Claude Desktop or Claude Code — add a remote MCP server with URL http://localhost:8000/mcp and your token as the bearer token.
Remote (access from anywhere — Docker + Obsidian Sync)
Run Vault Cortex on a VPS with Obsidian Sync for remote access from any device.
# On your VPS:
mkdir -p /opt/vault-cortex && cd /opt/vault-cortex
curl -O https://raw.githubusercontent.com/aliasunder/vault-cortex/main/deploy/remote/docker-compose.yml
curl -O https://raw.githubusercontent.com/aliasunder/vault-cortex/main/deploy/remote/.env.example
cp .env.example .env
# Edit .env — set MCP_AUTH_TOKEN, PUBLIC_URL, OBSIDIAN_AUTH_TOKEN, VAULT_NAME
docker compose up -dConnect via OAuth — add a remote MCP server with <PUBLIC_URL>/mcp. A consent page opens; enter your token to approve. JWT access tokens refresh automatically.
Tools (23)
Category | Tool | Description |
Vault CRUD |
| Read a note by path |
| Create or overwrite a note with frontmatter | |
| Heading-targeted edit (append, prepend, replace, insert) | |
| Find-and-replace text in a note | |
| List notes with optional glob/folder filter | |
| Delete a note (protected paths enforced) | |
Search |
| Full-text search with tag/folder/property filters |
| Find notes by tag (exact or prefix match) | |
| Browse notes in a folder with metadata | |
| Recently modified or created notes | |
| All tags with usage counts | |
Memory |
| Read structured memory (file, section, or all) |
| Append a dated entry to a memory section | |
| Remove a specific memory entry by date | |
| Discover memory files and their sections | |
Properties |
| All frontmatter keys with sample values |
| Distinct values for a property key | |
| Find notes by frontmatter key-value | |
| Add or update properties without touching the body | |
Links |
| Notes linking to a given path |
| Links from a given note | |
| Notes with no incoming links | |
Daily Notes |
| Today's (or any date's) daily note |
Configuration
All settings are environment variables with sensible defaults.
Variable | Required? | Default | Description |
| Yes | — | Bearer token for authentication (also the JWT signing key) |
| Local only | — | Host path to your vault (bind mount source; remote uses a named volume) |
| Remote only | — | Public URL for OAuth discovery metadata |
| — |
| Vault folder for structured memory files |
| — |
| Folders that |
| — |
| Folders excluded from orphan detection |
| — |
| IANA timezone for timestamps and daily note resolution |
| — | GitHub repo URL | URL returned in OAuth discovery metadata |
| — |
| Logging verbosity: |
| — |
| Directory for persistent log files. Logs survive container restarts. |
| — |
| Days to keep log files before automatic cleanup on startup |
Smart defaults: Setting MEMORY_DIR automatically updates the defaults for PROTECTED_PATHS and ORPHAN_EXCLUDE_FOLDERS. You only set those explicitly for a fully custom list.
See templates/memory/ for memory file examples and the dated-entry design philosophy.
Authentication
Two methods, both validated at two layers (Lambda authorizer + Express middleware):
Method | Used by | Token format |
OAuth 2.1 | Claude Desktop, Claude Code, claude.ai, any OAuth client | JWT (HS256, 24h) |
Static bearer | Claude Code, MCP Inspector, curl | Raw |
OAuth uses dynamic client registration — no Client ID/Secret needed. A consent page opens in your browser; enter your MCP_AUTH_TOKEN to approve. Refresh tokens have a 60-day sliding expiry (daily users never re-authenticate).
See ARCHITECTURE.md → Auth for the full flow diagram.
How It Works
graph LR
Client["MCP Client"] -->|OAuth 2.1 / Bearer| Server["vault-mcp"]
Server -->|read/write| Vault[("/vault<br/>.md files")]
Server -->|query| SQLite[("SQLite FTS5")]
Sync["obsidian-sync"] <-->|Obsidian Sync| VaultThe vault .md files are the source of truth. SQLite FTS5 is rebuildable derived state — the index is built on startup and kept current by a file watcher. obsidian-sync keeps the vault in sync with your Obsidian apps (remote deployments only).
See ARCHITECTURE.md for the full design, auth flow diagrams, and Phase 1/2 boundaries.
Deployment Options
Path | What | Guide |
Local | Docker on your machine, vault bind-mounted | |
Remote | VPS + Obsidian Sync, access from anywhere | |
AWS (SST) | Full IaC: Lightsail + API Gateway + Lambda + CI/CD |
Development
# Run locally with hot reload
PUBLIC_URL=http://localhost:8000 MCP_AUTH_TOKEN=local-dev-token VAULT_PATH=~/Vault npm run dev:mcp
# Tests
npm test
# Full check suite
npm run prettier:check && npm run lint && npm test && npm run buildMCP Inspector — interactive browser UI for testing tools:
# Start server (terminal 1), then:
npx @modelcontextprotocol/inspector
# Enter http://localhost:8000/mcp as URL, local-dev-token as Bearer tokenSee CONTRIBUTING.md for the full development setup.
Tips
For Claude users
The obsidian-vault skill teaches Claude how to write Obsidian-compatible content — frontmatter, wikilinks, tags, callouts, and plugin-specific syntax. Vault Cortex delivers the content; obsidian-vault ensures it renders correctly in Obsidian. Available for Claude Code and Claude Desktop.
Acknowledgments
Vault Cortex's remote capability exists because of @Belphemur's obsidian-headless-sync-docker — a headless Obsidian Sync client that runs in Docker without a display server. It's the piece that makes "access your vault from anywhere" possible.
Contributing
See CONTRIBUTING.md for development setup, code conventions, and PR guidelines.
License
Security
Report vulnerabilities privately — see SECURITY.md.
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/aliasunder/vault-cortex'
If you have feedback or need assistance with the MCP directory API, please join our Discord server