Skip to main content
Glama
Faust-Systems

keycloak-mcp

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
KC_ALLOW_PROD_WRITENoSet to 'true' to allow writes to production hosts when using environment variable fallback.
KEYCLOAK_MCP_CONFIGNoOverride the config file path (default ~/.config/keycloak-mcp/config.json)

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}

Tools

Functions exposed to the LLM to take actions

NameDescription
list_clientsA

List the clients of a realm on a Keycloak host. Returns clientId, internal UUID (id), and name for each client.

get_clientA

Fetch the full representation of one client by clientId. Secret-bearing fields (client secret, registration access token) are always redacted.

list_protocol_mappersB

List a client's dedicated-scope protocol mappers: id, name, mapper type (protocolMapper), and config.

ensure_hardcoded_claim_mapperA

Idempotently ensure a client has an oidc-hardcoded-claim-mapper emitting the given claim. Matches existing mappers by claim name: reports 'already-present' when the config matches, a diff + update when it differs, and a create when absent. With write=false (default) it only returns the plan; write=true applies it.

delete_protocol_mapperA

Delete one of a client's protocol mappers by mapper UUID. With write=false (default) it reports which mapper would be deleted; write=true performs the deletion.

dump_client_secretA

Fetch a confidential client's current secret and write ONLY the value to a local file (mode 0600, no trailing newline). The secret value is never returned to the caller or logged — the tool returns only metadata (path, byte length). This is a read against Keycloak (no mutation), so it is not write-gated.

regenerate_client_secretA

Rotate a confidential client's secret and write ONLY the NEW value to a local file (mode 0600, no trailing newline). The secret value is never returned to the caller or logged — the tool returns only metadata. This mutates Keycloak: with write=false (default) it returns a dry-run plan and rotates nothing; with write=true it rotates. Production hosts (us/za) additionally require allowProdWrite in the config.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Faust-Systems/keycloak-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server