mcp-keycloak-admin
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| AUTH_MODE | Yes | Authentication mode: service_account or password. | |
| READ_ONLY | No | When true, write/destructive tools are not registered. Default: false. | false |
| KC_CLIENT_ID | No | Confidential client id (e.g. mcp-admin). Required if AUTH_MODE is service_account. | |
| ALLOWED_REALMS | No | Comma-separated allow-list of realms. Empty = all. | |
| KC_ADMIN_REALM | No | Realm holding the admin user (password mode). Default: master. | master |
| KEYCLOAK_REALM | Yes | Realm the server operates on. | |
| KC_CLIENT_SECRET | No | Client secret. Required if AUTH_MODE is service_account. | |
| KC_ADMIN_PASSWORD | No | Admin password. Required if AUTH_MODE is password. | |
| KC_ADMIN_USERNAME | No | Admin username. Required if AUTH_MODE is password. | |
| KEYCLOAK_BASE_URL | Yes | Base URL of the Keycloak server (no trailing slash). |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| keycloak_user_searchA | Read-only. Searches users in the configured realm and returns a JSON array of matches, each with id, username, email and enabled flag. Use this to discover a user's id before calling id-based tools such as keycloak_user_get, keycloak_user_update or keycloak_user_delete. All filters are optional and combined; with no filters it returns the first page of users. Results are paginated and capped at 500 per call. |
| keycloak_user_getA | Read-only. Fetches a single realm user by id and returns a JSON object with id, username, email and enabled flag, or the text "User not found." if no user has that id. Use keycloak_user_search first if you only know a username or email and need the id. Idempotent: repeated calls return the same result without changing anything. |
| keycloak_user_sessions_listA | Read-only. Returns a JSON array of a user's currently active sessions (an empty array if none). Use it to inspect where a user is logged in before deciding whether to revoke access with keycloak_user_logout. Idempotent: it never changes any state and repeated calls reflect only sessions that are still active. |
| keycloak_user_createA | Write operation that creates a new realm user and returns a confirmation message with the username. It does not set a password, so call keycloak_user_reset_password afterwards to give the account credentials; it also does not send any email. Not idempotent: calling it again with the same username creates a conflict rather than a duplicate. Use keycloak_user_update to change an existing user instead of recreating it. |
| keycloak_user_updateA | Write operation that updates an existing user's profile fields and returns a confirmation message. Only the fields you supply are changed; omitted fields are left untouched (no field is cleared by omission). Idempotent: applying the same values again leaves the user unchanged. Use keycloak_user_get first to read current values, and keycloak_user_reset_password for credentials rather than this tool. |
| keycloak_user_set_enabledA | Write operation that enables or disables a single user account by id, returning a confirmation message. Disabling blocks the user from logging in but does not delete the account or revoke existing sessions; use keycloak_user_logout to terminate active sessions, or keycloak_user_delete to remove the account. Idempotent: setting the same enabled value repeatedly leaves the account in the same state. |
| keycloak_user_send_action_emailA | Write operation that emails the user a link prompting them to complete one or more required actions (such as verifying their email or updating their password), and returns a confirmation message. The user must have a valid email address configured. Not idempotent: each call sends a fresh email. Use this for self-service flows; to set a password directly without involving the user, use keycloak_user_reset_password instead. |
| keycloak_user_reset_passwordA | Destructive write that overwrites a user's password with the supplied value, returning "Password reset." on success or a "Not reset: " message if confirmation was declined. Requires explicit confirmation: pass confirm=true, otherwise the operation is blocked pending approval. Commonly used right after keycloak_user_create to give a new account credentials. Not idempotent in effect, since it invalidates the previous password. |
| keycloak_user_logoutA | Destructive write that revokes all active sessions for a user, forcing them to re-authenticate, and returns "User logged out." on success or a "Not logged out: " message if confirmation was declined. Requires explicit confirmation: pass confirm=true, otherwise the operation is blocked pending approval. The account itself stays enabled; use keycloak_user_set_enabled to block future logins or keycloak_user_sessions_list to inspect sessions first. Effectively idempotent: once sessions are revoked, a repeat call has nothing left to revoke. |
| keycloak_user_deleteA | Destructive write that permanently removes a user from the realm, returning "User "" deleted." on success or a "Not deleted: " message otherwise. As a wrong-target guard, the supplied username must match the user that the id resolves to, and confirm must be true; otherwise the deletion is blocked. Look up the id and username with keycloak_user_get or keycloak_user_search first. Not reversible; consider keycloak_user_set_enabled to disable instead of deleting. |
| keycloak_role_listA | Read-only: lists all realm-level roles defined in the Keycloak realm (not client roles). Takes no parameters. Use this to discover available realm role names before assigning one with keycloak_user_role_assign; for roles scoped to a specific client, use keycloak_client_roles_list instead. Returns a JSON array of roles, each with id, name, and description. |
| keycloak_user_roles_getA | Read-only: lists the realm-level roles currently assigned to a single user (not client roles). Use this to inspect a user's realm role assignments before granting one with keycloak_user_role_assign or revoking one with keycloak_user_role_unassign; for client-scoped assignments use keycloak_user_client_roles_get. Returns a JSON array of roles, each with id, name, and description. |
| keycloak_client_roles_listA | Read-only: lists the client-level roles defined on a single Keycloak client (not realm roles). Use this to discover available client role names before assigning one with keycloak_user_client_role_assign; for realm-wide roles use keycloak_role_list instead. Returns a JSON array of roles (each with id, name, and description), or the message 'Client not found.' when no client matches the given ID. |
| keycloak_user_client_roles_getA | Read-only: lists the client-level roles assigned to a single user for one specific client (not realm roles). Use this to inspect a user's client role assignments before granting one with keycloak_user_client_role_assign or revoking one with keycloak_user_client_role_unassign; for realm-wide assignments use keycloak_user_roles_get. Returns a JSON array of roles (each with id, name, and description), or the message 'Client not found.' when no client matches the given ID. |
| keycloak_user_role_assignA | Write: grants a single realm-level role to a user (not a client role). This is idempotent — assigning a role the user already has succeeds without changing anything. The role must already exist in the realm; list candidates with keycloak_role_list and verify current assignments with keycloak_user_roles_get. Returns a confirmation that the role was assigned, or a message explaining why it was not (for example, the user or role was not found). |
| keycloak_user_client_role_assignA | Write: grants a single client-level role (belonging to one specific client) to a user, not a realm role. This is idempotent — assigning a role the user already has succeeds without changing anything. The role must already exist on the client; list candidates with keycloak_client_roles_list and verify current assignments with keycloak_user_client_roles_get. Returns a confirmation that the client role was assigned, or a message explaining why it was not (for example, the user, client, or role was not found). |
| keycloak_user_role_unassignA | Destructive write: revokes a single realm-level role from a user (not a client role), removing the access that role grants. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_roles_get first to see the user's current realm roles; for client-scoped roles use keycloak_user_client_role_unassign instead. Returns a confirmation that the role was removed, or a message explaining why it was not (for example, confirmation was declined or the user or role was not found). |
| keycloak_user_client_role_unassignA | Destructive write: revokes a single client-level role (belonging to one specific client) from a user, removing the access that role grants; this is not a realm role. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_client_roles_get first to see the user's current client roles; for realm-wide roles use keycloak_user_role_unassign instead. Returns a confirmation that the client role was removed, or a message explaining why it was not (for example, confirmation was declined or the user, client, or role was not found). |
| keycloak_client_listA | List all OAuth/OIDC clients registered in the configured Keycloak realm. Read-only and idempotent; it does not modify anything. Use this to discover clients before calling keycloak_client_get, keycloak_client_update, or keycloak_client_delete. Takes no parameters and returns a JSON array where each entry has uuid, clientId, enabled, and publicClient. |
| keycloak_client_getA | Fetch a single realm client by its clientId. Read-only and idempotent; it does not modify anything. Use keycloak_client_list first if you do not know the exact clientId. Returns a JSON object with uuid, clientId, enabled, and publicClient, or the text "Client not found." when no client matches. |
| keycloak_client_get_secretA | Read the current secret of a confidential (non-public) realm client. Read-only and idempotent; it does not change the secret. By default the secret is returned masked; pass reveal=true to return the plaintext value. Use keycloak_client_get to confirm a client is confidential first, and keycloak_client_regenerate_secret to rotate it. Returns the (masked or plaintext) secret string, or "Client not found." when no client matches. |
| keycloak_client_createA | Create a new OAuth/OIDC client in the configured realm. This is a write operation and is not idempotent: calling it again with the same clientId creates a conflict rather than reusing the existing client. Use keycloak_client_list or keycloak_client_get first to verify the clientId is not already taken, and keycloak_client_update to modify an existing client. Returns a confirmation message naming the created client. |
| keycloak_client_updateA | Update an existing client's enabled flag, public flag, redirect URIs and/or web origins. Only the fields you supply are changed; omitted fields are left untouched. This is a write operation and is idempotent: applying the same values again yields the same state. Use keycloak_client_list or keycloak_client_get to find the client first. Returns a confirmation message, or a reason string (e.g. when the client does not exist). |
| keycloak_client_regenerate_secretA | Regenerate (rotate) a confidential client's secret. This is a destructive, non-idempotent write: it invalidates the previous secret, which immediately stops working, so any system using the old value must be updated. Requires explicit confirmation via confirm=true (otherwise it aborts without changing anything). Use keycloak_client_get_secret to read the current secret without rotating. Returns the new plaintext secret, or a reason string when not regenerated. |
| keycloak_client_deleteA | Permanently delete a client from the realm. This is a destructive operation and is not idempotent: once deleted, deleting the same clientId again fails because it no longer exists. Requires explicit confirmation via confirm=true (otherwise it aborts without deleting). Use keycloak_client_get to verify the target first, and keycloak_client_update to merely disable a client instead of removing it. Returns a confirmation message, or a reason string when not deleted. |
| keycloak_client_scopes_listA | Lists every client scope defined in the realm. This is a read-only, idempotent operation that takes no parameters and does not modify Keycloak. Use it to discover available scope names before calling keycloak_client_scope_assign or keycloak_client_scope_unassign. Returns a JSON array where each entry holds the scope's id, name, and protocol. |
| keycloak_client_default_scopes_getA | Lists the default client scopes currently assigned to a single client. This is a read-only, idempotent operation that does not modify Keycloak. Use it to inspect a client's effective default scopes before assigning or unassigning one; for the full catalog of available scopes use keycloak_client_scopes_list instead. Returns a JSON array of the assigned scopes (each with id, name, and protocol), or the text "Client not found." when no client matches the given clientId. |
| keycloak_client_mappers_listA | Lists the protocol mappers configured on a single client, aggregated across the client and its assigned scopes. This is a read-only, idempotent operation that does not modify Keycloak. Use it to inspect how tokens issued for the client are shaped; to first find a client's scopes use keycloak_client_default_scopes_get. Returns the protocol mappers as a JSON array, or the text "Client not found." when no client matches the given clientId. |
| keycloak_client_scope_assignA | Assigns an existing realm client scope to a client as a default scope. This is a write operation; it is idempotent, so re-assigning an already-assigned scope leaves the client unchanged. Use keycloak_client_scopes_list to find a valid scope name and keycloak_client_default_scopes_get to check current assignments before calling this. Returns a confirmation message when the scope is assigned, or a message starting with "Not assigned:" with the reason (for example when the client or scope does not exist). |
| keycloak_client_scope_unassignA | Removes a default client scope from a client. This is a destructive write operation and is gated by an explicit confirmation step, so it does nothing unless confirm is true. It is not idempotent in effect: the first successful call detaches the scope, and a later call once the scope is gone reports that it was not removed. Use keycloak_client_default_scopes_get first to see which scopes are currently assigned. Returns a confirmation message when the scope is removed, or a message starting with "Not removed:" with the reason (for example missing confirmation, or an unknown client or scope). |
| keycloak_group_listA | Read-only. Lists the realm's top-level groups. Use this to discover group IDs and names before calling group write tools such as keycloak_group_member_add, keycloak_group_role_assign, or keycloak_group_delete. Idempotent and takes no parameters; returns a JSON array of objects, each with the group id, name, and path. |
| keycloak_group_members_listA | Read-only and idempotent. Lists the users that are direct members of the given group. Resolve the group ID first with keycloak_group_list. Returns a JSON array of user objects, each with id, username, email (or null), and enabled status. |
| keycloak_user_groups_listA | Read-only and idempotent. Lists the groups the given user belongs to. Resolve the user ID first with a user listing tool. Returns a JSON array of group objects, each with id, name, and path. |
| keycloak_group_createA | Write operation. Creates a new top-level group in the realm with the given name. Not idempotent: calling it again with the same name creates or attempts another group rather than reusing one. Use keycloak_group_list afterward to obtain the new group's id. Returns a confirmation message containing the created group's name. |
| keycloak_group_member_addA | Write operation. Adds an existing user to an existing group by their IDs. Idempotent: adding a user already in the group leaves membership unchanged. Resolve the IDs first with keycloak_group_list and a user listing tool; to undo, use keycloak_group_member_remove. Returns a fixed confirmation message. |
| keycloak_group_role_assignA | Write operation. Grants an existing realm role to a group, so the group's members inherit that role. Idempotent: re-assigning an already-granted role makes no further change. Resolve the group ID with keycloak_group_list and ensure the realm role exists beforehand. Returns a message stating the role was assigned, or, if it could not be, that it was not assigned with the reason. |
| keycloak_group_member_removeA | Destructive write operation that requires confirmation. Removes a user from a group by their IDs. Not idempotent in effect since it gates on confirmation; resolve IDs with keycloak_group_list and keycloak_group_members_list first, and use keycloak_group_member_add to reverse it. Returns a message stating the user was removed, or, if confirmation was withheld, that it was not removed with the reason. |
| keycloak_group_deleteA | Destructive write operation that requires confirmation. Permanently deletes a group by its ID, including its membership and role assignments. This cannot be undone; find the ID with keycloak_group_list first. Returns a message confirming deletion, or, if confirmation was withheld, that it was not deleted with the reason. |
| keycloak_idp_listA | Lists all identity providers configured in the target realm. Read-only and idempotent; it makes no changes. Use it to discover available providers before calling keycloak_idp_get, keycloak_idp_mappers_list, or keycloak_idp_delete. Takes no parameters and returns a JSON array of providers, each with alias, providerId, enabled, and displayName. |
| keycloak_idp_getA | Fetches a single identity provider by its alias from the target realm. Read-only and idempotent; it makes no changes. Use it to inspect one provider after finding its alias with keycloak_idp_list. Returns a JSON object with alias, providerId, enabled, and displayName, or the text "Identity provider not found." if no provider matches the alias. |
| keycloak_idp_mappers_listA | Lists the mappers configured on a single identity provider, identified by its alias. Mappers control how claims and attributes from the external provider are mapped into Keycloak users. Read-only and idempotent; it makes no changes. Use it after keycloak_idp_list or keycloak_idp_get to inspect a provider's mappers. Returns a JSON array of mapper definitions. |
| keycloak_idp_createA | Creates a new identity provider in the target realm. This is a write operation and is not idempotent: calling it again with an existing alias will fail rather than update. Check keycloak_idp_list first to avoid alias collisions, and use keycloak_idp_get afterward to verify the result. Returns a confirmation message naming the created provider. |
| keycloak_idp_deleteA | Permanently deletes an identity provider from the target realm by its alias. This is a destructive write operation that requires confirmation: it proceeds only when confirm is true, otherwise it is skipped. It is not idempotent, since deleting an already-removed provider has no provider to remove. Use keycloak_idp_list or keycloak_idp_get first to confirm the alias. Returns a message stating whether the provider was deleted or, if not, the reason. |
| keycloak_federation_listA | Lists all user federation providers (such as LDAP or Kerberos) configured in the current realm. Read-only and idempotent; it does not modify any configuration. Use this to discover available providers and obtain their ids before calling keycloak_federation_get for details or keycloak_federation_sync to trigger a sync. Returns a JSON array where each entry contains the provider id, name, and providerId; an empty array means no providers are configured. |
| keycloak_federation_getA | Fetches a single user federation provider (such as LDAP or Kerberos) by its component id in the current realm. Read-only and idempotent; it does not modify any configuration. Use keycloak_federation_list first to obtain a valid id, then call this tool to inspect that specific provider. Returns a JSON object with the provider id, name, and providerId, or the text "Federation provider not found." when no provider matches the given id. |
| keycloak_federation_syncA | Triggers a user synchronization from a user federation provider (such as LDAP) into the current realm. This is a write operation that imports or updates users; it is not destructive but is not idempotent, since each call re-runs the sync and the imported counts can differ between runs. Use keycloak_federation_list or keycloak_federation_get first to confirm the provider id, then run this to refresh users. Returns a JSON object describing the sync result reported by Keycloak. |
| keycloak_auth_flows_listA | Lists every authentication flow defined in the currently configured Keycloak realm. This is a read-only, idempotent operation that takes no parameters and does not modify any data. Returns a JSON array of flow objects (including alias, description, provider id, top-level and built-in indicators) as formatted text. Use it to inspect or audit the realm's login, registration, and reset-credential flows before configuring related authentication settings. |
| keycloak_auth_required_actions_listA | Lists every required action configured in the currently configured Keycloak realm (for example Verify Email, Update Password, or Configure OTP). This is a read-only, idempotent operation that takes no parameters and does not change any data. Returns a JSON array of required-action objects (including alias, name, enabled, defaultAction, and priority) as formatted text. Use it to discover available aliases before enabling or disabling a required action with keycloak_auth_required_action_set_enabled. |
| keycloak_auth_required_action_set_enabledA | Enables or disables a single required action in the currently configured Keycloak realm, identified by its alias. This is a write operation that is not destructive and is idempotent: setting an already-matching state leaves the action unchanged. Call keycloak_auth_required_actions_list first to obtain valid aliases. Returns a short text confirmation stating whether the action was enabled or disabled. |
| keycloak_authz_resources_listA | Lists the authorization-services resources defined on a Keycloak client (the protected resources that policies and permissions apply to). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to inspect a client's fine-grained authorization model; call keycloak_clients_list first to obtain the client's internal id, and pair it with keycloak_authz_policies_list and keycloak_authz_permissions_list for the full picture. Returns a JSON array of resource entries, or the text "Client not found." when no client matches the given id. |
| keycloak_authz_policies_listA | Lists the authorization-services policies defined on a Keycloak client (the rules, such as role, user, or JS policies, that decide whether access is granted). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to review the policies that back a client's permissions; call keycloak_clients_list first to obtain the client's internal id, and combine with keycloak_authz_resources_list and keycloak_authz_permissions_list to understand the whole authorization model. Returns a JSON array of policy entries, or the text "Client not found." when no client matches the given id. |
| keycloak_authz_permissions_listA | Lists the authorization-services permissions defined on a Keycloak client (the bindings that tie resources and/or scopes to the policies that govern them). Read-only and idempotent: it performs no writes and returns the same data for unchanged configuration. Use it to see how a client's resources are protected; call keycloak_clients_list first to obtain the client's internal id, and pair with keycloak_authz_resources_list and keycloak_authz_policies_list for full context. Returns a JSON array of permission entries, or the text "Client not found." when no client matches the given id. |
| keycloak_events_loginA | Read-only. Returns recent user login events from the realm's login event log (such as LOGIN, LOGIN_ERROR, and LOGOUT), as a JSON array ordered by the event log's default ordering. Use this to audit authentication activity or investigate failed logins; for administrative changes (user/role/config updates) use keycloak_events_admin instead. This tool is idempotent and never modifies Keycloak. |
| keycloak_events_adminA | Read-only. Returns recent administrative events from the realm's admin event log (such as CREATE, UPDATE, and DELETE operations on users, roles, clients, and configuration) as a JSON array. Use this to audit who changed what in the realm; for end-user authentication activity use keycloak_events_login instead. This tool is idempotent and never modifies Keycloak. |
| keycloak_realm_get_configA | Read-only. Returns a curated subset of the realm's configuration as a JSON object, including realm name and enabled state, self-registration and password-reset flags, email verification and login-with-email settings, brute-force protection, the SSL requirement, and token and SSO session lifespans. Use this to inspect security-relevant realm settings without retrieving the full realm representation. Takes no parameters; it is idempotent and never modifies Keycloak. |
| keycloak_server_infoA | Read-only. Returns a small JSON summary of the connected Keycloak server, containing the 'keycloakVersion' field (the server version, or null when it cannot be determined). Use this for a quick connectivity and version check; for realm-specific settings use keycloak_realm_get_config instead. Takes no parameters; it is idempotent and never modifies Keycloak. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mrz1880/mcp-keycloak-admin'
If you have feedback or need assistance with the MCP directory API, please join our Discord server