OpenFGA MCP

Connect OpenFGA and Auth0 FGA to AI agents via the Model Context Protocol.

Use Cases

Plan & Design - Design efficient authorization model using best practice patterns
Generate Code - Generate accurate SDK integrations with comprehensive documentation context
Manage Instances - Query and control live OpenFGA servers through AI agents

Quick Start

Offline Mode (Default)

Design models and generate code without a server:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--pull=always",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}

Online Mode

Connect to OpenFGA for full management capabilities:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--pull=always",
        "-e",
        "OPENFGA_MCP_API_URL=http://host.docker.internal:8080",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}

Safety: Write operations are disabled by default. Set OPENFGA_MCP_API_WRITEABLE=true to enable.

Docker Networking: For your OPENFGA_MCP_API_URL use host.docker.internal when running OpenFGA on your local machine, container names for Docker networks, or full URLs for remote instances.

Works with Claude Desktop, Claude Code, Cursor, Windsurf, Zed, and other MCP clients.

Configuration

MCP Transport

Variable	Default	Description
`OPENFGA_MCP_TRANSPORT`	`stdio`	Supports `stdio` or `http` (Streamable HTTP.)
`OPENFGA_MCP_TRANSPORT_HOST`	`127.0.0.1`	IP to listen for connections on. Only applicable when using `http` transport.
`OPENFGA_MCP_TRANSPORT_PORT`	`9090`	Port to listen for connections on. Only applicable when using `http` transport.
`OPENFGA_MCP_TRANSPORT_SSE`	`true`	Enables Server-Sent Events (SSE) streams for responses.
`OPENFGA_MCP_TRANSPORT_STATELESS`	`false`	Enables stateless mode for session-less clients.

OpenFGA

Variable	Default	Description
`OPENFGA_MCP_API_URL`		OpenFGA server URL
`OPENFGA_MCP_API_WRITEABLE`	`false`	Enables write operations
`OPENFGA_MCP_API_STORE`		Default requests to a specific store ID
`OPENFGA_MCP_API_MODEL`		Default requests to a specific model ID
`OPENFGA_MCP_API_RESTRICT`	`false`	Restrict requests to configured default store/model

OpenFGA Authentication

Authentication	Variable	Description
Pre-Shared Keys	`OPENFGA_MCP_API_TOKEN`	API Token
Client Credentials	`OPENFGA_MCP_API_CLIENT_ID`	Client ID
	`OPENFGA_MCP_API_CLIENT_SECRET`	Client Secret
	`OPENFGA_MCP_API_ISSUER`	Token Issuer
	`OPENFGA_MCP_API_AUDIENCE`	API Audience

See docker-compose.example.yml for complete examples.

Features

Management Tools

Stores: Create, list, get, delete stores
Models: Create models with DSL, list, get, verify
Permissions: Check, grant, revoke permissions; query users and objects

SDK Documentation

Comprehensive documentation for accurate code generation:

All OpenFGA SDKs (PHP, Go, Python, Java, .NET, JavaScript, Laravel)
Class and method documentation with code examples
Advanced search with language filtering

AI Prompts

Design & Planning

Domain-specific model design
RBAC to ReBAC migration
Hierarchical relationships
Performance optimization

Implementation

Step-by-step model creation
Relationship patterns
Test generation
Security patterns

Troubleshooting

Permission debugging
Security audits
Least privilege implementation

Resources & URIs

openfga://stores - List stores
openfga://store/{id}/model/{modelId} - Model details
openfga://docs/{sdk}/class/{className} - SDK documentation
openfga://docs/search/{query} - Search documentation

Smart Completions

Auto-completion for store IDs, model IDs, relations, users, and objects when connected.

Contributing | Apache 2.0 License

This server cannot be installed

security - not tested

license - permissive license

quality - not tested

How are these scores calculated?

remote-capable server

The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.

An experimental Model Context Protocol server that enables Large Language Models to read, search, and manipulate OpenFGA authorization stores, unlocking fine-grained access control for agentic AI and natural language interactions.

Related MCP Servers

OpenAPI MCP Server
ivo-toby
-
security
A
license
-
quality
A server that enables Large Language Models to discover and interact with REST APIs defined by OpenAPI specifications through the Model Context Protocol.
Last updated -
2,130
150
MIT License
MCP TapData Serverofficial
tapdata
-
security
F
license
-
quality
A Model Context Protocol server that enables Large Language Models to access and interact with database connections, including viewing schemas and performing CRUD operations on connected databases.
Last updated -
Filesystem MCP Server
cyanheads
A
security
A
license
A
quality
A Model Context Protocol server that provides AI agents with secure access to local filesystem operations, enabling reading, writing, and managing files through a standardized interface.
Last updated -
10
308
17
Apache 2.0
GeoServer MCP Server
mahdin75
A
security
A
license
A
quality
A Model Context Protocol server that connects Large Language Models to the GeoServer REST API, enabling AI assistants to query and manipulate geospatial data through natural language.
Last updated -
9
37
MIT License

View all related MCP servers

OpenFGA MCP

Use Cases

Quick Start

Offline Mode (Default)

Online Mode

Configuration

MCP Transport

OpenFGA

OpenFGA Authentication

Features

Management Tools

SDK Documentation

AI Prompts

Resources & URIs

Smart Completions

Related MCP Servers

OpenAPI MCP Server

MCP TapData Serverofficial

Filesystem MCP Server

GeoServer MCP Server

Appeared in Searches

New MCP Servers

MCP directory API