Okta MCP Server
Provides tools for managing Okta users, including creating, listing, getting, updating, and deleting users through the Okta API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Okta MCP Serverlist all users with last name Smith"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Okta MCP Server (OAuth 2.1 Compliant)
An MCP (Model Context Protocol) server for Okta user management with full OAuth 2.1 compliance. This server provides tools for CRUD operations on Okta users and can be deployed to Railway or run locally with Docker.
Features
create_user - Create a new Okta user
list_users - List users with optional search filtering
get_user - Get user details by ID or login
update_user - Update user profile information
delete_user - Deactivate and delete a user
OAuth 2.1 Authentication - Industry-standard security with PKCE, Bearer tokens, and token introspection
Related MCP server: Procrastinator MCP Server
Prerequisites
Docker and Docker Compose
Okta developer account with API access
Okta OAuth 2.0 credentials (recommended) OR API token (legacy)
Getting Okta OAuth 2.0 Credentials (Recommended)
Log in to your Okta Admin Console
Navigate to Applications > Applications
Click Create App Integration
Select API Services (for machine-to-machine communication)
Give it a name (e.g., "MCP Server")
Grant scopes:
okta.users.manage,okta.users.readSave the Client ID and Client Secret
Alternative: Using API Token (Legacy)
Log in to your Okta Admin Console
Navigate to Security > API > Tokens
Click Create Token
Give it a name and copy the token value (you won't be able to see it again)
Note: OAuth 2.0 Client Credentials is recommended for better security and OAuth 2.1 compliance.
Local Development
1. Configure Environment
# Copy the example environment file
cp .env.example .env
# Edit .env with your credentials
# Option 1: OAuth 2.0 Client Credentials (Recommended)
# OKTA_DOMAIN=dev-xxxxx.okta.com
# OKTA_CLIENT_ID=0oaxxxxxxxxx
# OKTA_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxx
# DEVELOPMENT_MODE=true # For VSCode testing
# Option 2: Legacy API Token
# OKTA_DOMAIN=dev-xxxxx.okta.com
# OKTA_API_TOKEN=00xxxxxxxxxxxxxxxxxx
# DEVELOPMENT_MODE=true # For VSCode testing2. Build and Run with Docker
# Build and start the server
docker-compose up --build
# The server will be available at http://localhost:80003. Test the Server
# Check server health (no auth required)
curl http://localhost:8000/health
# Check OAuth 2.1 discovery endpoint
curl http://localhost:8000/.well-known/oauth-authorization-server
# Test MCP endpoint (requires OAuth 2.1 Bearer token)
# First, obtain an access token from Okta using OAuth 2.1 flow with PKCE
# Then use it to call the MCP endpoint:
curl -X POST http://localhost:8000/mcp \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "test", "version": "1.0.0"}}}'4. Test with MCP Inspector
npx @anthropic/mcp-inspector http://localhost:8000/mcpRailway Deployment
1. Push to GitHub
Push this repository to your GitHub account.
2. Deploy to Railway
Go to Railway
Click New Project > Deploy from GitHub repo
Select your repository
Railway will auto-detect the Dockerfile
3. Configure Environment Variables
In Railway dashboard, add these environment variables:
Recommended: OAuth 2.0 Client Credentials
Variable | Description |
| Your Okta domain (e.g., |
| OAuth 2.0 Client ID from Okta |
| OAuth 2.0 Client Secret from Okta |
| OAuth 2.1 audience (optional, default: |
Alternative: Legacy API Token
Variable | Description |
| Your Okta domain (e.g., |
| Your Okta API token |
| OAuth 2.1 audience (optional, default: |
For VSCode Testing (Optional)
Variable | Description |
| Set to |
Railway automatically provides the PORT variable.
4. Get Your Server URL
After deployment, Railway provides a public URL:
https://okta-mcp-server-003-production.up.railway.appUsing with Claude Desktop
Add to your Claude Desktop MCP configuration (claude_desktop_config.json) with OAuth 2.1:
{
"mcpServers": {
"okta": {
"url": "https://okta-mcp-server-003-production.up.railway.app/mcp",
"oauth": {
"authorizationUrl": "https://YOUR-OKTA-DOMAIN/oauth2/default/v1/authorize",
"tokenUrl": "https://YOUR-OKTA-DOMAIN/oauth2/default/v1/token",
"clientId": "YOUR_OKTA_CLIENT_ID",
"clientSecret": "YOUR_OKTA_CLIENT_SECRET",
"scopes": ["openid", "profile", "mcp:read", "mcp:write"]
}
}
}
}For local development:
{
"mcpServers": {
"okta": {
"url": "http://localhost:8000/mcp",
"oauth": {
"authorizationUrl": "https://YOUR-OKTA-DOMAIN/oauth2/default/v1/authorize",
"tokenUrl": "https://YOUR-OKTA-DOMAIN/oauth2/default/v1/token",
"clientId": "YOUR_OKTA_CLIENT_ID",
"clientSecret": "YOUR_OKTA_CLIENT_SECRET",
"scopes": ["openid", "profile", "mcp:read", "mcp:write"]
}
}
}
}Note: OAuth 2.1 requires PKCE (Proof Key for Code Exchange) with S256 code challenge method. The client must support this requirement.
Using with VSCode
VSCode's MCP client doesn't natively support OAuth 2.1 flows. For VSCode integration, enable Development Mode:
Configuration
1. Set environment variable:
DEVELOPMENT_MODE=true2. Configure VSCode MCP (.vscode/mcp.json):
{
"servers": {
"okta-mcp": {
"url": "http://localhost:8000/mcp",
"type": "http"
}
}
}⚠️ Warning: Only use development mode for local testing. Never enable in production!
For detailed VSCode setup instructions, see VSCODE_INTEGRATION.md.
OAuth 2.1 Compliance
This server implements OAuth 2.1 security best practices:
✅ Security Features
PKCE Required: S256 code challenge method mandatory for all authorization flows
Bearer Token Authentication: Cryptographic JWT validation with RSA signatures
Token Validation: Full verification of signature, expiration, issuer, and audience
No Deprecated Flows: Implicit and password grants are not supported
Token Introspection: RFC 7662 compliant endpoint at
/token/introspectDiscovery Endpoints: RFC 8414 compliant metadata at
/.well-known/oauth-authorization-server
🔐 Authentication Flow
Client initiates authorization with PKCE (S256 code challenge)
User authenticates with Okta
Authorization code returned to client
Client exchanges code for access token (with code verifier)
Client uses Bearer token to access MCP endpoints
Server validates JWT signature, expiration, and claims
📋 Discovery Endpoints
/.well-known/oauth-authorization-server- OAuth 2.1 server metadata/.well-known/openid-configuration- OpenID Connect discovery/.well-known/oauth-protected-resource- Protected resource metadata/health- Health check with OAuth 2.1 compliance info/token/introspect- Token introspection (RFC 7662)
For detailed information about OAuth 2.1 changes, see OAUTH_2.1_CHANGES.md.
API Reference
create_user
Create a new Okta user.
Parameters:
email(required): User's email addressfirst_name(required): User's first namelast_name(required): User's last namelogin(optional): User's login (defaults to email)
list_users
List users with optional filtering.
Parameters:
limit(optional): Maximum users to return (default: 20)search(optional): Search query for filtering
get_user
Get user by ID or login.
Parameters:
user_id(required): User ID or login email
update_user
Update user profile.
Parameters:
user_id(required): User ID or login emailfirst_name(optional): New first namelast_name(optional): New last nameemail(optional): New email address
delete_user
Deactivate and permanently delete a user.
Parameters:
user_id(required): User ID or login email
Project Structure
okta-mcp-server/
├── src/
│ └── okta_mcp_server/
│ ├── __init__.py
│ ├── server.py # MCP server with tools
│ └── okta_client.py # Okta API wrapper
├── Dockerfile
├── docker-compose.yml
├── pyproject.toml
├── requirements.txt
├── .env.example
└── README.mdLicense
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/BalaGanaparthi/project003_OAuth2.1'
If you have feedback or need assistance with the MCP directory API, please join our Discord server