okta-auth
Provides tools for authenticating with Okta, managing sessions, and retrieving cookies for AI agents.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@okta-authcheck my Okta session status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
okta-auth
Alpha: this project is under active development. APIs, tool signatures, and session formats may change between releases.
okta-auth is an Okta login toolkit with two entry points:
okta: interactive CLI for humansokta-auth: MCP server for AI agents that reuse saved sessions
Sessions are stored under ~/.okta-auth/sessions/. Existing sessions under
~/.okta-auth-mcp/sessions/ are migrated automatically.
Install
uv tool
uv tool install okta-auth-clipipx
pipx install okta-auth-clipip
pip install okta-auth-cliBrowser setup
The project uses Playwright for browser automation. It automatically prefers a local Chrome or Edge install when available.
If no supported system browser is found, install Playwright Chromium:
playwright install chromiumRelated MCP server: Agent Identity MCP Server
Upgrade
uv tool:uv tool upgrade okta-auth-clipipx:pipx upgrade okta-auth-clipip:pip install -U okta-auth-cli
Quick Start
1. Configure credentials
Run the built-in wizard:
okta configIf the wizard asks for a TOTP secret and you are not sure where to find it, see TOTP Secret.
The wizard supports two providers:
keyring: store credentials in the OS credential managerop: generate~/.okta-auth/op.envwithop://...references forop run
Only non-secret settings such as the default URL and provider metadata are stored
in ~/.okta-auth/config.json.
2. Log in
oktaOr pass a target URL directly:
okta https://portal.company.comThe login flow is headless by default. Use --headed to show the browser.
3. Reuse the session from MCP
Once configured, AI agents can authenticate with the saved session or with the credential provider you configured.
TOTP Secret
The TOTP secret is the Base32 key behind your authenticator app. You typically must capture it during initial MFA enrollment.
During Okta MFA setup
Go to Settings -> Security Methods in Okta.
Choose Google Authenticator or another TOTP-compatible factor.
On the QR screen, click Can't scan?
Copy the displayed Base32 secret.
Complete enrollment by entering the generated code.
This project does not currently support portals that rely only on the Okta Verify push app for MFA.
If you already enrolled and lost the secret
You usually need to remove and re-enroll the authenticator factor to get a new secret.
Credential Setup
Credential resolution order is:
Explicit CLI or MCP arguments
Environment variables
Stored keyring credentials when the selected provider is
keyring
Recommended: OS keyring
This is the default and recommended local setup:
okta config --provider keyringWhat gets stored:
username,password,totp_secret: OS keyring onlydefault_url:~/.okta-auth/config.json
Typical keyring backends:
macOS: Keychain Access
Windows: Credential Manager / Credential Locker
Linux: Secret Service or KWallet
If no secure backend is available, the wizard refuses to fall back to plaintext.
1Password CLI
If you already manage secrets in 1Password:
okta config --provider opWhat gets stored:
vault,item, field names,default_url:~/.okta-auth/config.jsonOKTA_USERNAME,OKTA_PASSWORD, optionalOKTA_TOTP_SECRETreferences:~/.okta-auth/op.env
The generated env file contains op://... references, not plaintext values.
Launch the CLI or MCP server through op run:
op run --env-file=$HOME/.okta-auth/op.env -- okta
op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth1Password vault, item, and field names must be compatible with secret reference
paths. If a name contains unsupported separators such as /, use the object's
unique ID instead.
Environment variables
Environment variables are still supported for CI, ephemeral shells, or external
secret managers. They override okta config values.
export OKTA_USERNAME="you@company.com"
export OKTA_PASSWORD="your-okta-password"
export OKTA_TOTP_SECRET="JBSWY3DPEHPK3PXP"Manual 1Password setup
If you do not want to use the wizard, you can set up op run manually.
Create a login item:
op item create --category login --title "Okta MCP" \
username="you@company.com" \
password="your-okta-password" \
totp_secret="JBSWY3DPEHPK3PXP"Create
~/.okta-auth/op.env:
OKTA_USERNAME=op://Personal/Okta MCP/username
OKTA_PASSWORD=op://Personal/Okta MCP/password
OKTA_TOTP_SECRET=op://Personal/Okta MCP/totp_secretLaunch through
op run:
op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-authCLI
Common commands
okta [url]: log in and save a sessionokta config: open the credential wizardokta config --provider keyring: force keyring configurationokta config --provider op: force 1Password configurationokta config --show: show current config statusokta config --reset: remove saved config and credentialsokta check <url>: verify a stored sessionokta list: list stored sessionsokta delete <url>: delete a stored sessionokta cookies <url>: inspect stored cookies
Example
okta https://portal.company.com --username you@company.com --headedMCP Server
MCP tools
Tool | Description |
| Authenticate to a target URL and store session state |
| Verify whether a stored session is still valid |
| List saved sessions and metadata |
| Remove a stored session |
| Retrieve cookies from a stored session |
Claude Code
claude mcp add okta-auth -- uvx --from okta-auth-cli okta-authIf you use 1Password:
claude mcp add okta-auth -- op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-authClaude Desktop / Cursor / Windsurf
Default:
{
"mcpServers": {
"okta-auth": {
"command": "uvx",
"args": ["--from", "okta-auth-cli", "okta-auth"]
}
}
}With 1Password:
{
"mcpServers": {
"okta-auth": {
"command": "op",
"args": ["run", "--env-file=/Users/yourname/.okta-auth/op.env", "--", "uvx", "--from", "okta-auth-cli", "okta-auth"]
}
}
}Use okta for the interactive CLI. Use okta-auth only when wiring the package
into an MCP client.
Security
This project is intended for local trusted execution.
Session files and cookies are sensitive credentials.
Prefer
okta configover passing credentials directly on the command line.Prefer
keyringorop runover plaintext shell files.Never post cookie values, passwords, or TOTP secrets in issues or logs.
Development
uv venv && source .venv/bin/activate
uv pip install -e '.[dev]'
playwright install chromiumRun checks locally:
ruff format --check .
ruff check .
pytestThis server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/bunizao/okta-auth'
If you have feedback or need assistance with the MCP directory API, please join our Discord server