Okta MCP Server

License: Apache 2.0 Python Version

MCP (Model Context Protocol) is an open protocol introduced by Anthropic that standardizes how large language models communicate with external tools, resources or remote services.

CAUTION

Beta Software Notice: This software is currently in beta and is provided AS IS without any warranties.

Features, APIs, and functionality may change at any time without notice
Not recommended for production use or critical workloads
Support during the beta period is limited
Issues and feedback can be reported through the GitHub issue tracker

By using this beta software, you acknowledge and accept these conditions.

The Okta MCP Server integrates with LLMs and AI agents, allowing you to perform various Okta management operations using natural language. For instance, you could simply ask Claude Desktop to perform Okta management operations:

Create a new user and add them to the Engineering group
Show me all failed login attempts from the last 24 hours
List all applications that haven't been used in the past month

Empower your LLM Agents to Manage your Okta Organization

This server is an Model Context Protocol server that provides seamless integration with Okta's Admin Management APIs. It allows LLM agents to interact with Okta in a programmatic way, enabling automation and enhanced management capabilities.

Key Features

LLM-Driven Okta Management: Allows your LLM agents to perform administrative tasks within your Okta environment based on natural language instructions.
Secure Authentication: Supports both Device Authorization Grant for interactive use and Private Key JWT for secure, automated server-to-server communication.
Integration with Okta Admin Management APIs: Leverages the official Okta APIs to ensure secure and reliable interaction with your Okta org.
Extensible Architecture: Designed to be easily extended with new functionalities and support for additional Okta API endpoints.
Comprehensive Tool Support: Full CRUD operations for users, groups, applications, policies, and more.

This MCP server utilizes Okta's Python SDK to communicate with the Okta APIs, ensuring a robust and well-supported integration.

🚀 Getting Started

Prerequisites:

Python 3.8+
uv package manager
Claude Desktop or any other MCP Client
Okta account with appropriate permissions

Install the Okta MCP Server

Install Okta MCP Server and configure it to work with your preferred MCP Client.

Claude Desktop with all tools

Clone and install the server:
git clone https://github.com/okta/okta-mcp-server.git cd okta-mcp-server uv sync
Configure Claude Desktop by adding the following to your claude_desktop_config.json:
{ "mcpServers": { "okta-mcp-server": { "command": "uv", "args": [ "run", "--directory", "/path/to/okta-mcp-server", "okta-mcp-server" ], "env": { "OKTA_ORG_URL": "<OKTA_ORG_URL>", "OKTA_CLIENT_ID": "<OKTA_CLIENT_ID>", "OKTA_SCOPES": "<OKTA_SCOPES>", "OKTA_PRIVATE_KEY": "<PRIVATE_KEY_IF_NEEDED>", "OKTA_KEY_ID": "<KEY_ID_IF_NEEDED>" } } } }

VS Code

Add the following to your VS Code settings.json:

{ "mcp": { "inputs": [ { "type": "promptString", "description": "Okta Organization URL (e.g., https://dev-123456.okta.com)", "id": "OKTA_ORG_URL" }, { "type": "promptString", "description": "Okta Client ID", "id": "OKTA_CLIENT_ID", "password": true }, { "type": "promptString", "description": "Okta Scopes (separated by whitespace, e.g., 'okta.users.read okta.groups.manage')", "id": "OKTA_SCOPES" }, { "type": "promptString", "description": "Okta Private Key. Required for 'browserless' auth.", "id": "OKTA_PRIVATE_KEY", "password": true }, { "type": "promptString", "description": "Okta Key ID (KID) for the private key. Required for 'browserless' auth.", "id": "OKTA_KEY_ID", "password": true } ], "servers": { "okta-mcp-server": { "command": "uv", "args": [ "run", "--directory", "/path/to/the/okta-mcp-server", "okta-mcp-server" ], "env": { "OKTA_ORG_URL": "${input:OKTA_ORG_URL}", "OKTA_CLIENT_ID": "${input:OKTA_CLIENT_ID}", "OKTA_SCOPES": "${input:OKTA_SCOPES}", "OKTA_PRIVATE_KEY": "${input:OKTA_PRIVATE_KEY}", "OKTA_KEY_ID": "${input:OKTA_KEY_ID}" } } } } }

Other MCP Clients

To use Okta MCP Server with any other MCP Client, you can manually add this configuration to the client and restart for changes to take effect:

{ "mcpServers": { "okta-mcp-server": { "command": "uv", "args": [ "run", "--directory", "/path/to/okta-mcp-server", "okta-mcp-server" ], "env": { "OKTA_ORG_URL": "<OKTA_ORG_URL>", "OKTA_CLIENT_ID": "<OKTA_CLIENT_ID>", "OKTA_SCOPES": "<OKTA_SCOPES>", "OKTA_PRIVATE_KEY": "<PRIVATE_KEY_IF_NEEDED>", "OKTA_KEY_ID": "<KEY_ID_IF_NEEDED>" } } } }

Authenticate with Okta

The server supports two authentication methods. Choose the one that best fits your use case.

Method 1: Device Authorization Grant (Interactive)

In your Okta org, create a new App Integration.
Select OIDC - OpenID Connect and Native Application.
Under Grant type, ensure Device Authorization is checked.
Go to the Okta API Scopes tab and Grant permissions for the APIs you need (e.g., okta.users.read, okta.groups.manage).
Save the application and copy the Client ID.
Documentation: Okta Device Authorization Grant Guide

Method 2: Private Key JWT (Browserless)

Create App: In your Okta org, create a new App Integration. Select API Services. Save the app and copy the Client ID.
Configure Client Authentication:
- On the app's General tab, find the Client Credentials section and click Edit.
- Disable Require Demonstrating Proof of Possession (DPoP) header in token requests.
- Select Public key / Private key for the authentication method.
Add a Public Key: You have two options for adding a key.
- Option A: Generate Key in Okta (Recommended)
  1. In the Public keys section, click Add key.
  2. In the dialog, choose Generate new key.
  3. Okta will instantly generate a key pair. Download or save the private key (private.pem) and store it securely.
  4. Copy the Key ID (KID) displayed for the newly generated key.
- Option B: Use Your Own Key
  1. Generate a key pair locally using the following openssl commands:
    # Generate a 2048-bit RSA private key openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048 # Extract the public key from the private key openssl rsa -in private.pem -pubout -out public.pem
  2. Click Add key and paste the contents of your public key (public.pem) into the dialog.
  3. Copy the Key ID (KID) displayed for the key you added.
Grant API Scopes: Go to the Okta API Scopes tab and Grant permissions for the APIs you need.
Assign Admin Roles: To avoid 403 Forbidden errors, go to the Admin roles tab and assign the Super Administrator role to this application.

Verify your integration

Restart your MCP Client (Claude Desktop, VS Code, etc.) and ask it to help you manage your Okta tenant:

Show me the users in my Okta organization

🛠️ Supported Tools

The Okta MCP Server provides the following tools for LLMs to interact with your Okta tenant:

Users

Tool	Description	Usage Examples
`list_users`	List all users in your Okta organization	- `Show me the users in my Okta org` - `Find users with 'john' in their name` - `What users do I have in the Engineering department?`
`get_user`	Get detailed information about a specific user	- `Show me details for user john.doe@company.com` - `Get information about user ID 00u1234567890` - `What groups is Jane Smith a member of?`
`create_user`	Create a new user in your Okta organization	- `Create a new user named John Doe with email john.doe@company.com` - `Add a new employee to the Sales department` - `Set up a contractor account`
`update_user`	Update an existing user's profile information	- `Update John Doe's department to Engineering` - `Change the phone number for user jane.smith@company.com` - `Update the manager for this user`
`deactivate_user`	Deactivate a user, making them inactive	- `Deactivate the user john.doe@company.com` - `Disable access for former employee Jane Smith` - `Suspend the contractor account temporarily`
`delete_deactivated_user`	Permanently delete a deactivated user	- `Delete the deactivated user john.doe@company.com` - `Remove former employee Jane Smith permanently` - `Clean up old contractor accounts`
`get_user_profile_attributes`	Retrieve all supported user profile attributes	- `What user profile fields are available?` - `Show me all the custom attributes we can set` - `List the standard Okta user attributes`

Groups

Tool	Description	Usage Examples
`list_groups`	List all groups in your Okta organization	- `Show me the groups in my Okta org` - `Find groups with 'Engineering' in their name` - `What security groups do we have?`
`get_group`	Get detailed information about a specific group	- `Show me details for the Engineering group` - `How many members are in the Administrators group?` - `What applications are assigned to Sales?`
`create_group`	Create a new group	- `Create a new group called DevOps Team` - `Set up a security group for the Finance department` - `Add a group for temporary contractors`
`update_group`	Update an existing group's information	- `Update the description for the Engineering group` - `Change the name of the Sales group to Revenue Team` - `Modify the Finance group settings`
`delete_group`	Delete a group (requires confirmation)	- `Delete the old Marketing group` - `Remove the temporary project group` - `Clean up unused security groups`
`list_group_users`	List all users who are members of a group	- `Who are the members of the Engineering group?` - `Show me all administrators` - `List users in the Finance department`
`list_group_apps`	List all applications assigned to a group	- `What applications does the Engineering group have access to?` - `Show apps assigned to Sales team` - `List all applications for Administrators`
`add_user_to_group`	Add a user to a group	- `Add john.doe@company.com to the Engineering group` - `Give Jane Smith access to the Finance applications` - `Add the new hire to the Sales team`
`remove_user_from_group`	Remove a user from a group	- `Remove john.doe@company.com from the Engineering group` - `Revoke Jane's admin privileges` - `Remove the contractor from the Finance group`

Applications

Tool	Description	Usage Examples
`list_applications`	List all applications in your Okta organization	- `Show me the applications in my Okta org` - `Find applications with 'API' in their name` - `What SSO applications do we have configured?`
`get_application`	Get detailed information about a specific app	- `Show me details for the Salesforce application` - `What are the callback URLs for our mobile app?` - `Get the client ID for our web application`
`create_application`	Create a new application	- `Create a new SAML application for our HR system` - `Set up a new API service application` - `Add a mobile app integration`
`update_application`	Update an existing application	- `Update the callback URLs for our web app` - `Change the logo for the Salesforce application` - `Modify the SAML settings for our HR system`
`delete_application`	Delete an application (requires confirmation)	- `Delete the old legacy application` - `Remove the unused test application` - `Clean up deprecated integrations`
`activate_application`	Activate an application	- `Activate the new HR application` - `Enable the Salesforce integration` - `Turn on the mobile app for users`
`deactivate_application`	Deactivate an application	- `Deactivate the legacy CRM application` - `Temporarily disable the mobile app` - `Turn off access to the test environment`

Policies

Tool	Description	Usage Examples
`list_policies`	List all policies in your Okta organization	- `Show me the security policies` - `What password policies do we have?` - `List all MFA enrollment policies`
`get_policy`	Get detailed information about a policy	- `Show me the details of our password policy` - `What are the MFA requirements?` - `Display the sign-on policy for contractors`
`create_policy`	Create a new policy	- `Create a new password policy for contractors` - `Set up MFA requirements for high-risk applications` - `Add a sign-on policy for remote workers`
`update_policy`	Update an existing policy	- `Update the password complexity requirements` - `Modify the MFA policy for executives` - `Change the session timeout for contractors`
`delete_policy`	Delete a policy	- `Delete the old password policy` - `Remove the deprecated MFA policy` - `Clean up unused security policies`
`activate_policy`	Activate a policy	- `Activate the new password policy` - `Enable the MFA requirements` - `Turn on the contractor sign-on policy`
`deactivate_policy`	Deactivate a policy	- `Deactivate the old security policy` - `Temporarily disable MFA for testing` - `Turn off the strict password requirements`
`list_policy_rules`	List all rules for a specific policy	- `Show me all rules for the password policy` - `What MFA rules are configured?` - `List the exceptions in our sign-on policy`
`get_policy_rule`	Get detailed information about a policy rule	- `Show me the details of the contractor MFA rule` - `What are the conditions for the VPN access rule?` - `Display the emergency access rule`
`create_policy_rule`	Create a new rule for a policy	- `Add an exception rule for executives` - `Create a rule for contractor access` - `Set up emergency access rules for IT admins`
`update_policy_rule`	Update an existing policy rule	- `Update the location restrictions for remote workers` - `Modify the device trust requirements` - `Change the risk-based authentication settings`
`delete_policy_rule`	Delete a rule from a policy	- `Delete the old contractor exception` - `Remove the deprecated VPN rule` - `Clean up unused policy exceptions`
`activate_policy_rule`	Activate a policy rule	- `Activate the new emergency access rule` - `Enable the contractor restrictions` - `Turn on the location-based access rule`
`deactivate_policy_rule`	Deactivate a policy rule	- `Deactivate the old emergency rule` - `Temporarily disable location restrictions` - `Turn off the device trust requirements for testing`

Logs

Tool

Description

Usage Examples

get_logs

Retrieve system logs from your Okta org

Show me recent login attempts

Find failed logins from the past 24 hours

Get authentication logs for user john.doe@company.com

🔐 Authentication

The Okta MCP Server uses the Okta Management API and requires authentication to access your Okta tenant.

Authentication Flow

The server uses OAuth 2.0 device authorization flow for secure authentication with Okta, or Private Key JWT for browserless authentication. Your credentials are managed securely and are never exposed in plain text.

Initial Setup

The MCP Server will automatically initiate the appropriate authentication flow based on your configuration:

Device Authorization Grant: Interactive browser-based authentication
Private Key JWT: Browserless authentication using client credentials

NOTE

Device authorization flow is not supported forprivate cloud tenants. Private Cloud users should use Private Key JWT authentication with client credentials.

IMPORTANT

Using the MCP Server will consume Management API rate limits according to your subscription plan. Refer to theRate Limit Policy for more information.

🩺 Troubleshooting

When encountering issues with the Okta MCP Server, several troubleshooting options are available to help diagnose and resolve problems.

🐞 Debug Mode

Enable debug mode for more detailed logging:

export OKTA_LOG_LEVEL=DEBUG

TIP

Debug mode is particularly useful when troubleshooting connection or authentication issues.

🚨 Common Issues

Authentication Failures
- Ensure you have the correct permissions in your Okta tenant
- Verify your OKTA_ORG_URL, OKTA_CLIENT_ID, and OKTA_SCOPES are correct
- Check that your application has the necessary API scopes granted
MCP Client Can't Connect to the Server
- Restart your MCP client after installation
- Verify the server path is correct in your configuration
- Check that uv is installed and accessible in your PATH
API Errors or Permission Issues
- Enable debug mode with export OKTA_LOG_LEVEL=DEBUG
- Verify your Okta application has the required scopes
- Ensure your application has appropriate admin roles assigned
- Check the Okta System Log for detailed error information
"Claude's response was interrupted..." Error
- This typically happens when Claude hits its context-length limit
- Try to be more specific and keep queries concise
- Break large requests into smaller, focused operations

TIP

Most connection issues can be resolved by restarting both the server and your MCP client.

📋 Debug Logs

Enable debug mode to view detailed logs:

export OKTA_LOG_LEVEL=DEBUG

You can also specify a log file:

export OKTA_LOG_FILE="/path/to/okta-mcp.log"

👨‍💻 Development

Building from Source

# Clone the repository git clone https://github.com/okta/okta-mcp-server.git cd okta-mcp-server # Install dependencies uv sync # Run the server directly uv run okta-mcp-server

Development Scripts

# Run with debug logs enabled OKTA_LOG_LEVEL=DEBUG uv run okta-mcp-server # Run tests uv run pytest # Install in development mode uv pip install -e .

NOTE

This server requiresPython 3.8 or higher and uv.

🔒 Security

The Okta MCP Server prioritizes security:

Credentials are managed through secure authentication flows
No sensitive information is stored in plain text
Authentication uses OAuth 2.0 device authorization flow or Private Key JWT
Supports fine-grained API scope permissions
Easy credential management through environment variables

IMPORTANT

For security best practices, always review the permissions requested during the authentication process to ensure they align with your security requirements.

CAUTION

Always use the principle of least privilege when granting API scopes to your Okta application.

🧪 Security Scanning

We recommend regularly scanning this server, and any other MCP-compatible servers you deploy, with community tools built to surface protocol-level risks and misconfigurations.

These scanners help identify issues across key vulnerability classes including: server implementation bugs, tool definition and lifecycle risks, interaction and data flow weaknesses, and configuration or environment gaps.

If you discover a vulnerability, please follow our responsible disclosure process.

💬 Feedback and Contributing

We appreciate feedback and contributions to this project! Before you get started, please see:

Okta's general contribution guidelines

Reporting Issues

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. Please follow the responsible disclosure process.

📄 License

This project is licensed under the Apache 2.0 license. See the LICENSE file for more info.

What is Okta?

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.