@beyondidentity/mcp
OfficialClick on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@beyondidentity/mcplist all identities in the default realm"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@beyondidentity/mcp
An MCP (Model Context Protocol) server that gives AI agents direct access to the Beyond Identity API — no admin panel required. Agents can manage identities, groups, applications, SSO configurations, credentials, and every other Beyond Identity resource through natural tool calls.
The server auto-detects which Beyond Identity platform you're using from your API key and registers the appropriate tools:
Secure Access (v1): 104 tools for the modern platform
Secure Workforce (v0): 35 tools for the legacy platform
Quick Start
Add the server to your MCP client configuration:
{
"mcpServers": {
"beyondidentity": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@beyondidentity/mcp"],
"env": {
"API_KEY": "your-jwt-api-key"
}
}
}
}For EU region tenants:
{
"mcpServers": {
"beyondidentity": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@beyondidentity/mcp"],
"env": {
"API_KEY": "your-jwt-api-key",
"REGION": "EU"
}
}
}
}That's it. The server extracts your tenant ID from the JWT and determines the correct platform and base URL automatically.
Related MCP server: Britive MCP Server
Environment Variables
Variable | Required | Default | Description |
| Yes | — | Beyond Identity API key (JWT). Obtained from the admin console under Settings > API Access. |
| No |
|
|
| No | (computed from platform + region) | Override the API host. Use for non-production environments (e.g. staging, local mock). When set, takes precedence over |
How It Works
Platform Detection
The server inspects your JWT at startup to determine which platform to target:
If the token contains a
bi_tclaim, you're on Secure Access (v1). Thebi_tvalue is your tenant ID, and the server hitsapi-us.beyondidentity.comorapi-eu.beyondidentity.com.If there is no
bi_tclaim, the server falls back to thesubclaim and targets Secure Workforce (v0) atapi.byndid.comorapi-eu.byndid.com.
Only one set of tools is registered per session. Agents never see version numbers or need to think about which platform they're on.
Tool Discovery
With 100+ possible tools, agents need a way to find the right one. The search_tools tool accepts a natural language query and returns the most relevant tools:
search_tools("add a user to a group")
→ add_group_members, create_identity, list_groups, ...It uses keyword matching, synonym expansion (user matches identity, app matches application, cred matches credential/passkey), and CRUD verb detection (create matches POST endpoints, delete matches DELETE endpoints).
Automatic Parameter Injection
On the v1 platform, every API path looks like /v1/tenants/{tenant_id}/realms/{realm_id}/.... The server injects tenant_id automatically from the JWT — agents never provide it. The realm_id is a required parameter on realm-scoped tools; agents call list_realms first to discover available realms.
On v0, paths are simpler (/v2/...) with no tenant or realm in the URL — the token handles tenant scoping.
Error Handling
The server validates your API key at startup with clear messages for common problems:
Not a JWT (wrong segment count)
Corrupted payload (bad base64 or invalid JSON)
Missing expected claims (
bi_torsub)Invalid region value
At runtime, API errors are returned as structured tool results with HTTP status codes and error details, not thrown as exceptions that crash the conversation.
Available Tools
Secure Access (v1) — 104 tools
Tool | Description |
| Retrieve an existing tenant |
| Patch a tenant |
Tool | Description |
| List realms for a tenant |
| Create a new realm |
| Retrieve an existing realm |
| Patch a realm |
| Delete a realm |
Tool | Description |
| List groups for a realm |
| Create a new group |
| Retrieve an existing group |
| Patch a group |
| Delete a group |
| Add members to a group |
| Delete members from a group |
| List members for a group |
| List role memberships for a group |
Tool | Description |
| List identities for a realm |
| Create a new identity |
| Retrieve an existing identity |
| Patch an identity |
| Delete an identity |
| Batch delete identities |
| List group memberships for an identity |
| List role memberships for an identity |
Tool | Description |
| List roles for a resource server |
| Create a new role |
| Retrieve an existing role |
| Patch a role |
| Delete a role |
| Assign members to a role |
| Unassign members from a role |
| List members for a role |
| Assign scopes to a role |
| Unassign scopes from a role |
| List scopes for a role |
Tool | Description |
| List credentials for an identity |
| Retrieve an existing credential |
| Revoke a credential |
Tool | Description |
| List credential binding jobs for an identity |
| Create a new credential binding job |
| Retrieve an existing credential binding job |
| Revoke an active credential binding job |
| Create a new batch credential binding job |
| Retrieve an existing batch credential binding job |
| List results of a batch credential binding job |
Tool | Description |
| Create a new theme |
| Get the active theme |
| Retrieve an existing theme |
| Patch a theme |
Tool | Description |
| List applications for a realm |
| Create a new application |
| Retrieve an existing application |
| Patch an application |
| Delete an application |
Tool | Description |
| List authenticator configurations for a realm |
| Create a new authenticator configuration |
| Retrieve an existing authenticator configuration |
| Patch an authenticator configuration |
| Delete an authenticator configuration |
Tool | Description |
| List resource servers for a realm |
| Create a new resource server |
| Retrieve an existing resource server |
| Patch a resource server |
| Delete a resource server |
Tool | Description |
| List tokens |
| Revoke a token |
Tool | Description |
| List SSO configs for a realm |
| Create a new SSO config |
| Retrieve an existing SSO config |
| Update an SSO config |
| Delete an SSO config |
| Associate identities with an SSO config |
| Delete identities from an SSO config |
| List identities associated with an SSO config |
| Check if an identity is assigned to an SSO config |
| List SSO configs associated with an identity |
| Associate groups with an SSO config |
| Delete groups from an SSO config |
| List groups associated with an SSO config |
| List SSO configs associated with a group |
| Check if groups are associated with an SSO config |
| Get the SSO config ID for an application |
| Test an SSO config |
Tool | Description |
| List identity providers by realm |
| Create a new identity provider |
| Retrieve an identity provider |
| Update an identity provider |
| Delete an identity provider |
Tool | Description |
| Get flow type configuration |
| Update flow type configuration |
Tool | Description |
| List all SCIM users |
| Create a new SCIM user |
| Retrieve an existing SCIM user |
| Replace a SCIM user |
| Patch a SCIM user |
| Delete a SCIM user |
| List all SCIM groups |
| Create a new SCIM group |
| Retrieve an existing SCIM group |
| Patch a SCIM group |
| Delete a SCIM group |
| List all SCIM resource types |
| List all SCIM schemas |
| Retrieve the SCIM service provider configuration |
Secure Workforce (v0) — 35 tools
Tool | Description |
| List all groups for a tenant |
| Create a new group |
| Retrieve an existing group |
| Patch a group |
| Delete a group |
| List all users for a group |
| Add users to a group |
| Delete users from a group |
Tool | Description |
| List all users for a tenant |
| Create a new user |
| Retrieve an existing user |
| Update a user |
| Delete a user |
| List all groups for a user |
Tool | Description |
| Create a new credential binding job |
| Get a credential binding job |
Tool | Description |
| List passkeys |
| Delete a passkey |
| List passkey tags |
| Set passkey tags |
Tool | Description |
| Retire the intermediate tenant certificate |
Tool | Description |
| List all SCIM users |
| Create a new SCIM user |
| Retrieve an existing SCIM user |
| Replace a SCIM user |
| Patch a SCIM user |
| Delete a SCIM user |
| List all SCIM groups |
| Create a new SCIM group |
| Retrieve an existing SCIM group |
| Patch a SCIM group |
| Delete a SCIM group |
| List all SCIM resource types |
| List all SCIM schemas |
| Retrieve the SCIM service provider configuration |
Project Architecture
bi-mcp/
├── openapi.yaml # Secure Access (v1) OpenAPI spec
├── openapi-v0.yaml # Secure Workforce (v0) OpenAPI spec
├── package.json
├── tsconfig.json
├── scripts/
│ └── generate.ts # Reads both specs, emits tool code
├── src/
│ ├── index.ts # Entry point — detects platform, registers tools
│ ├── config.ts # JWT validation, platform detection, region routing
│ ├── client.ts # HTTP client with auth and path param injection
│ ├── search.ts # search_tools implementation
│ ├── types.ts # Shared types (Platform, Region, Config, ApiError, ToolMeta)
│ └── generated/ # Auto-generated — do not edit
│ ├── v1-tools.ts # 104 Secure Access tool registrations
│ ├── v1-registry.ts # Tool metadata for v1 search
│ ├── v0-tools.ts # 35 Secure Workforce tool registrations
│ └── v0-registry.ts # Tool metadata for v0 search
└── dist/ # Compiled JS (gitignored)Code Generation
All tool definitions and HTTP handlers are auto-generated from the OpenAPI specifications. The generator (scripts/generate.ts) does the following:
Parses both YAML specs and dereferences all
$refpointersExtracts every operation (path + HTTP method + operationId)
Converts each
operationIdto asnake_casetool nameBuilds Zod input schemas from the OpenAPI request parameters and body definitions
Generates tool handler functions that call the
ApiClientwith the correct method, path, and parametersAnnotates read-only tools (
GET) and destructive tools (DELETE) for MCP clients that surface this information
To regenerate after spec changes:
npm run generateThe generated files are committed to the repository so consumers don't need to run the generator themselves.
HTTP Client
The ApiClient class (src/client.ts) handles:
Bearer token authentication on every request
Path parameter substitution — replaces
{tenant_id},{realm_id},{identity_id}, etc. in URL templatesTenant ID injection — on v1, the tenant ID from the JWT is inserted into every path automatically
Query parameter serialization — optional params are omitted, not sent as empty strings
Error normalization — HTTP errors are caught and returned as structured
ApiErrorobjects with status code, error code, and message
Development
# Install dependencies
npm install --ignore-scripts
# Download fresh OpenAPI specs
curl -s https://developer.beyondidentity.com/api/v1/openapi.yaml -o openapi.yaml
curl -s https://docs.beyondidentity.com/api/v0/openapi.yaml -o openapi-v0.yaml
# Regenerate tool code from specs.
# Internally runs scripts/patch-spec.ts first, which applies known local
# workarounds for confirmed bugs in the upstream specs (e.g. SCIM body
# wrapping, /scim/v2/Groups/ trailing slash). The patch list lives in
# scripts/spec-patches.ts and is idempotent — re-running is safe.
npm run generate
# Type-check
npx tsc --noEmit
# Full build (generate + compile)
npm run build
# Run in development mode
API_KEY="your-key" npm run dev
# Run compiled build
API_KEY="your-key" npm startAPI Documentation
Local Development MCP Config
To use a local clone of this repo instead of the published npm package, point your MCP client at the TypeScript source directly:
{
"mcpServers": {
"beyondidentity": {
"type": "stdio",
"command": "npx",
"args": ["tsx", "/path/to/bi-mcp/src/index.ts"],
"env": {
"API_KEY": "your-jwt-api-key"
}
}
}
}This runs the server from source via tsx — no build step required. Changes to src/ take effect immediately on the next MCP session. To point at a non-production environment, add BASE_URL:
{
"mcpServers": {
"beyondidentity": {
"type": "stdio",
"command": "npx",
"args": ["tsx", "/path/to/bi-mcp/src/index.ts"],
"env": {
"API_KEY": "your-jwt-api-key",
"BASE_URL": "http://localhost:8021"
}
}
}
}This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/gobeyondidentity/bi-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server