opal-mcp
OfficialClick on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@opal-mcpshow me all my access rules"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
opal-mcp
Developer-friendly & type-safe Typescript SDK specifically catered to leverage opal-mcp API.
Summary
Opal API: The Opal API is a RESTful API that allows you to interact with the Opal Security platform programmatically.
Related MCP server: keyshade-mcp
Table of Contents
Model Context Protocol (MCP) Server
This SDK is also an installable MCP server where the various SDK methods are exposed as tools that can be invoked by AI applications.
⚠️ WARNING: Node.js v20 or greater is required to run the MCP server from npm.
Generating an API Key
To authenticate with the Opal API, you'll need to generate an API token:
Log in to the Opal dashboard as an Admin
Navigate to the Settings page
Select the API Tokens section
Click "Generate new token"
Choose the appropriate access level:
Read-only: For applications that only need to view resources
Full-access: For applications that need to create or modify resources
Set an expiration date (optional but recommended for security)
Add a descriptive label to identify the token's purpose
Save the token securely - it will only be displayed once
If a token is compromised, you can revoke it at any time from the Opal Admin page.
For more information, see the Opal API Authentication Documentation.
Environment Variables
The following environment variables can be used to configure the SDK and MCP server:
Variable Name | Description | Default |
| The API token for MCP server authentication | Required for MCP server |
| The port number for the MCP server |
|
| The base URL for the Opal API |
|
| Logging level for the MCP server |
|
Installation
The library can be installed with either npm, pnpm, bun or yarn package managers.
NPM
npm add opal-mcpPNPM
pnpm add opal-mcpBun
bun add opal-mcpYarn
yarn add opal-mcp zod
# Note that Yarn does not install peer dependencies automatically. You will need
# to install zod as shown above.This package is published with CommonJS and ES Modules (ESM) support.
Add the following server definition to your claude_desktop_config.json file:
{
"mcpServers": {
"OpalMcp": {
"command": "npx",
"args": [
"-y", "--package", "opal-mcp",
"--",
"mcp", "start",
"--bearer-auth", "<API_TOKEN>"
]
}
}
}Create a .cursor/mcp.json file in your project root with the following content:
{
"mcpServers": {
"OpalMcp": {
"command": "npx",
"args": [
"-y", "--package", "opal-mcp",
"--",
"mcp", "start",
"--bearer-auth", "<API_TOKEN>"
]
}
}
}You can also run MCP servers as a standalone binary with no additional dependencies. You must pull these binaries from available Github releases:
curl -L -o mcp-server \
https://github.com/opalsecurity/opal-mcp/releases/download/v0.0.6/mcp-server-bun-darwin-arm64 && \
chmod +x mcp-serverIf the repo is a private repo you must add your Github PAT to download a release -H "Authorization: Bearer {GITHUB_PAT}".
{
"mcpServers": {
"Todos": {
"command": "./DOWNLOAD/PATH/mcp-server",
"args": [
"start"
]
}
}
}For a full list of server arguments, run:
npx -y --package opal-mcp -- mcp start --helpRunning the MCP Server with Docker
The SDK includes a Dockerfile and docker-compose.yaml for easy containerization and deployment.
Using docker-compose
Create a
.envfile with your configuration:BEARER_AUTH=your_api_key_here PORT=32000 SERVER_URL=https://api.opal.dev/v1 LOG_LEVEL=infoRun the server using docker-compose:
docker-compose up -dConfigure your MCP client to connect to the server by adding the following to your configuration file:
{ "mcpServers": { "opal-mcp": { "url": "http://localhost:32000/sse", "env": { "API_KEY": "your_api_key_here" } } } }
Building and running manually
You can also build and run the Docker image directly:
# Build the image
docker build -t opal-mcp-server .
# Run the container
docker run -p 32000:32000 -e BEARER_AUTH=your_api_key_here opal-mcp-serverTroubleshooting MCP
Here are some common issues you might encounter when using the MCP server and how to resolve them:
Connection Issues
Server Not Starting
Verify Node.js version is v20 or greater
Check if port 32000 is already in use
Ensure you have proper permissions to run the server
Try running with
LOG_LEVEL=debugfor more detailed output
Authentication Failures
Verify your API token is valid and not expired
Check if the token has the correct permissions
Ensure the token is properly set in the environment variables
Confirm the
SERVER_URLpoints to the correct environment
Performance Issues
Slow Response Times
Check network connectivity to the Opal API
Be aware of the token limit for the model you are using and the number of paginated results
Unlikely. Verify you're not hitting rate limits Opal API Rate Limits
Integration Issues
Cursor/Claude Not Connecting
Verify your
mcp.jsonconfiguration is correctEnsure the MCP server is running before starting Cursor/Claude
Check if the bearer auth token is properly formatted
Confirm the SSE endpoint URL is accessible
Ensure only one Cursor/Claude window is open
Common Error Messages
Error: listen EADDRINUSE: address already in use :::32000Another process is using port 32000
Either stop the other process or change the PORT environment variable
Error: Invalid bearer auth tokenThe provided API token is invalid or malformed
Generate a new token from the Opal dashboard
Error: Node.js version must be >= 20.0.0Update your Node.js installation to version 20 or greater
For additional help, you can:
Set
LOG_LEVEL=debugfor more detailed logsCheck the Opal API Documentation
File an issue on the GitHub repository
Available Resources and Operations
accessRules
createAccessRule - Creates a new access rule config for the given group_id.
getAccessRule - Returns a list of access rule config given the group_id of the access rule.
updateAccessRule - Updates the access rule config for the given group_id.
apps
getApps - Returns a list of
Appobjects.getApp - Returns an
Appobject.getSyncErrors - Returns a list of recent sync errors that have occurred since the last successful sync.
bundles
getBundles - Returns a list of
Bundleobjects.createBundle - Creates a bundle.
getBundle - Returns a
Bundleobject.deleteBundle - Deletes a bundle.
updateBundle - Updates a bundle.
getBundleResources - Returns a list of
Resourceobjects in a given bundle.addBundleResource - Adds a resource to a bundle.
removeBundleResource - Removes a resource from a bundle.
getBundleGroups - Returns a list of
Groupobjects in a given bundle.addBundleGroup - Adds a group to a bundle.
removeBundleGroup - Removes a group from a bundle.
getBundleVisibility - Gets the visibility of the bundle.
setBundleVisibility - Sets the visibility of the bundle.
configurationTemplates
getConfigurationTemplates - Returns a list of
ConfigurationTemplateobjects.createConfigurationTemplate - Creates a configuration template.
updateConfigurationTemplate - Update a configuration template.
deleteConfigurationTemplate - Deletes a configuration template.
events
events - Returns a list of
Eventobjects.
groupBindings
getGroupBindings - Returns a list of
GroupBindingobjects.createGroupBinding - Creates a group binding.
updateGroupBindings - Bulk updates a list of group bindings.
getGroupBinding - Returns a
GroupBindingobject.deleteGroupBinding - Deletes a group binding.
groups
getGroups - Returns a list of groups for your organization.
updateGroups - Bulk updates a list of groups.
createGroup - Creates an Opal group or imports a remote group.
getGroup - Returns a
Groupobject.deleteGroup - Deletes a group.
getGroupMessageChannels - Gets the list of audit and reviewer message channels attached to a group.
setGroupMessageChannels - Sets the list of audit message channels attached to a group.
getGroupOnCallSchedules - Gets the list of on call schedules attached to a group.
setGroupOnCallSchedules - Sets the list of on call schedules attached to a group.
getGroupResources - Gets the list of resources that the group gives access to.
setGroupResources - Sets the list of resources that the group gives access to.
getGroupContainingGroups - Gets the list of groups that the group gives access to.
addGroupContainingGroup - Creates a new containing group.
getGroupContainingGroup - Gets a specific containing group for a group.
removeGroupContainingGroup - Removes a containing group from a group.
addGroupResource - Adds a resource to a group.
getGroupVisibility - Gets the visibility of this group.
setGroupVisibility - Sets the visibility of this group.
getGroupReviewers- Gets the list of owner IDs of the reviewers for a group. :warning: DeprecatedsetGroupReviewers- Sets the list of reviewers for a group. :warning: DeprecatedgetGroupReviewerStages- Gets the list of reviewer stages for a group. :warning: DeprecatedsetGroupReviewerStages- Sets the list of reviewer stages for a group. :warning: DeprecatedgetGroupTags - Returns all tags applied to the group.
getGroupUsers - Gets the list of users for this group.
updateGroupUser - Updates a user's access level or duration in this group.
addGroupUser - Adds a user to this group.
deleteGroupUser - Removes a user's access from this group.
idpGroupMappings
getIdpGroupMappings - Returns the configured set of available
IdpGroupMappingobjects for an Okta app.updateIdpGroupMappings - Updates the list of available
IdpGroupMappingobjects for an Okta app.deleteIdpGroupMappings - Deletes an
IdpGroupMappingobject.
messageChannels
getMessageChannels - Returns a list of
MessageChannelobjects.createMessageChannel - Creates a
MessageChannelobjects.getMessageChannel - Gets a
MessageChannelobject.
nonHumanIdentities
getNhis - Returns a list of non-human identities for your organization.
onCallSchedules
getOnCallSchedules - Returns a list of
OnCallScheduleobjects.createOnCallSchedule - Creates a
OnCallScheduleobjects.getOnCallSchedule - Gets a
OnCallScheduleobject.
owners
getOwners - Returns a list of
Ownerobjects.createOwner - Creates an owner.
updateOwners - Bulk updates a list of owners.
getOwner - Returns an
Ownerobject.deleteOwner - Deletes an owner.
getOwnerFromName - Returns an
Ownerobject. Does not support owners with/in their name, use /owners?name=... instead.getOwnerUsers - Gets the list of users for this owner, in escalation priority order if applicable.
setOwnerUsers - Sets the list of users for this owner. If escalation is enabled, the order of this list is the escalation priority order of the users. If the owner has a source group, adding or removing users from this list won't be possible.
requests
getRequests - Returns a list of requests for your organization that is visible by the admin.
createRequest - Create an access request
getRequestsRelay- Returns a paginated list of requests using Relay-style cursor pagination. :warning: DeprecatedgetRequest - Returns a request by ID.
approveRequest - Approve an access request
resources
getResources - Returns a list of resources for your organization.
updateResources - Bulk updates a list of resources.
createResource - Creates a resource. See here for details about importing resources.
getResource - Retrieves a resource.
deleteResource - Deletes a resource.
getResourceMessageChannels - Gets the list of audit message channels attached to a resource.
setResourceMessageChannels - Sets the list of audit message channels attached to a resource.
getResourceVisibility - Gets the visibility of this resource.
setResourceVisibility - Sets the visibility of this resource.
getResourceReviewers - Gets the list of owner IDs of the reviewers for a resource.
setResourceReviewers - Sets the list of reviewers for a resource.
getResourceReviewerStages - Gets the list reviewer stages for a resource.
setResourceReviewerStages - Sets the list of reviewer stages for a resource.
getResourceNhis - Gets the list of non-human identities with access to this resource.
getResourceUsers - Gets the list of users for this resource.
addResourceNhi - Gives a non-human identity access to this resource.
deleteResourceNhi - Removes a non-human identity's direct access from this resource.
addResourceUser - Adds a user to this resource.
updateResourceUser - Updates a user's access level or duration on this resource.
deleteResourceUser - Removes a user's direct access from this resource.
getResourceUser - Returns information about a specific user's access to a resource.
resourceUserAccessStatusRetrieve- Get user's access status to a resource. :warning: DeprecatedgetResourceTags - Returns all tags applied to the resource.
getResourceScopedRolePermissions - Returns all the scoped role permissions that apply to the given resource. Only OPAL_SCOPED_ROLE resource type supports this field.
setResourceScopedRolePermissions - Sets all the scoped role permissions on an OPAL_SCOPED_ROLE resource.
scopedRolePermissions
getResourceScopedRolePermissions - Returns all the scoped role permissions that apply to the given resource. Only OPAL_SCOPED_ROLE resource type supports this field.
setResourceScopedRolePermissions - Sets all the scoped role permissions on an OPAL_SCOPED_ROLE resource.
sessions
sessions - Returns a list of
Sessionobjects.
tags
getTagByID - UNSTABLE. May be removed at any time. Gets a tag with the given id.
deleteTagByID - UNSTABLE. May be removed at any time. Deletes a tag with the given id.
getTag - Gets a tag with the given key and value.
createTag - Creates a tag with the given key and value.
getTags - Returns a list of tags created by your organization.
addUserTag - Applies a tag to a user.
removeUserTag - Removes a tag from a user.
addGroupTag - Applies a tag to a group.
removeGroupTag - Removes a tag from a group.
addResourceTag - Applies a tag to a resource.
removeResourceTag - Removes a tag from a resource.
uars
getUARs - Returns a list of
UARobjects.createUar - Starts a User Access Review.
getUar - Retrieves a specific UAR.
users
user - Retrieves detailed user information from Opal. This endpoint is designed to fetch user details by either user ID (UUID) or email address. The endpoint follows a strict precedence rule where user_id takes priority over email if both are provided.
Key Implementation Notes:
Exactly one identifier (user_id OR email) must be provided
Returns a complete User object with all associated metadata
Suitable for user verification and profile data retrieval
Recommended for MCP user synchronization workflows
Authentication:
Requires valid API authentication
Respects standard Opal authorization rules
getUsers - Returns a list of users for your organization.
getUserTags - Returns all tags applied to the user.
Pagination
Some of the endpoints in this SDK support pagination. To use pagination, you
make your SDK calls as usual, but the returned response object will also be an
async iterable that can be consumed using the for await...of
syntax.
Here's an example of one such pagination call:
import { OpalMcp } from "opal-mcp";
const opalMcp = new OpalMcp({
bearerAuth: process.env["OPALMCP_BEARER_AUTH"] ?? "",
});
async function run() {
const result = await opalMcp.bundles.getBundles({
pageSize: 200,
cursor: "cD0yMDIxLTAxLTA2KzAzJTNBMjQlM0E1My40MzQzMjYlMkIwMCUzQTAw",
contains: "Engineering",
});
for await (const page of result) {
console.log(page);
}
}
run();
Maturity
This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.
Contributions
While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.
SDK Created by Speakeasy
See CONTRIBUTING.md for guidelines on contributing to this project.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/opalsecurity/opal-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server