Keycloak MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| KEYCLOAK_URL | Yes | The URL of the Keycloak server (e.g., http://localhost:8080). Required. | |
| KEYCLOAK_CLIENT_ID | No | Client ID for client credentials authentication flow. | |
| KEYCLOAK_VERIFY_SSL | No | Whether to verify SSL certificates (default: true). Optional. | true |
| KEYCLOAK_ADMIN_REALM | No | The admin realm (default: master). Optional. | master |
| KEYCLOAK_CLIENT_SECRET | No | Client secret for client credentials authentication flow. | |
| KEYCLOAK_ADMIN_PASSWORD | No | Password for password authentication flow. | |
| KEYCLOAK_ADMIN_USERNAME | No | Username for password authentication flow. |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| clear_all_brute_force_failuresB | Clear all user login failures for the realm, allowing all users to attempt login again. |
| clear_user_brute_force_failuresA | Clear login failures for a specific user, allowing them to attempt login again. |
| get_user_brute_force_statusB | Get the brute force detection status for a specific user, including number of failures and disabled state. |
| list_authenticator_providersB | List all authenticator providers available in the realm. |
| list_client_authenticator_providersA | List all client authenticator providers available in the realm. |
| get_authenticator_config_descriptionB | Get the configuration description for a specific authenticator provider. |
| delete_authenticator_configB | Delete an authenticator configuration by ID. |
| get_authenticator_configB | Get an authenticator configuration by ID. |
| update_authenticator_configB | Update an authenticator configuration by ID. |
| create_execution_configB | Create a new configuration for an authentication execution. |
| get_execution_configB | Get the configuration for an authentication execution by execution ID and config ID. |
| delete_auth_executionC | Delete an authentication execution by ID. |
| get_auth_executionC | Get an authentication execution by ID. |
| lower_auth_execution_priorityB | Lower the priority of an authentication execution (move it down in the flow). |
| raise_auth_execution_priorityC | Raise the priority of an authentication execution (move it up in the flow). |
| add_auth_executionB | Add a new authentication execution to the realm. |
| copy_auth_flowB | Copy an existing authentication flow under a new name. |
| add_execution_to_flowC | Add a new execution to an authentication flow. |
| add_flow_with_executionC | Add a new flow with a new execution to an existing authentication flow. |
| get_flow_executionsC | Get all executions for an authentication flow. |
| update_flow_executionsC | Update the executions of an authentication flow. |
| list_auth_flowsB | List all authentication flows in the realm. |
| delete_auth_flowB | Delete an authentication flow by ID. |
| get_auth_flowB | Get an authentication flow by ID. |
| update_auth_flowB | Update an authentication flow by ID. |
| create_auth_flowC | Create a new authentication flow in the realm. |
| list_form_action_providersC | List all form action providers available in the realm. |
| list_form_providersB | List all form providers available in the realm. |
| get_per_client_config_descriptionB | Get the per-client configuration description for authentication. |
| register_required_actionC | Register a new required action in the realm. |
| delete_required_action_configB | Delete the configuration for a required action by alias. |
| get_required_action_config_descriptionB | Get the configuration description for a required action by alias. |
| get_required_action_configB | Get the configuration for a required action by alias. |
| update_required_action_configC | Update the configuration for a required action by alias. |
| delete_required_actionC | Delete a required action by alias. |
| get_required_actionB | Get a required action by alias. |
| update_required_actionC | Update a required action by alias. |
| lower_required_action_priorityA | Lower the priority of a required action (move it down in the list). |
| raise_required_action_priorityB | Raise the priority of a required action (move it up in the list). |
| list_required_actionsC | List all required actions in the realm. |
| list_unregistered_required_actionsB | List all unregistered required actions in the realm. |
| download_client_keystoreC | Download the keystore file for a client certificate, using the provided keystore configuration. |
| generate_and_download_client_keypairB | Generate a new keypair and certificate for the client, and download the resulting keystore. |
| generate_client_certificateC | Generate a new certificate and keypair for a client attribute. |
| get_client_key_infoC | Get key information for a client certificate attribute, including certificate and key metadata. |
| upload_client_certificate_onlyA | Upload only a certificate for a client attribute, without updating the private key. |
| upload_client_certificate_and_keyC | Upload a certificate and its private key for a client attribute. |
| list_client_initial_access_tokensB | List all client initial access tokens for the realm. |
| delete_client_initial_access_tokenB | Delete a client initial access token. |
| create_client_initial_access_tokenB | Create a new client initial access token. |
| list_client_registration_policy_providersA | List all client registration policy providers for the realm. |
| get_available_group_client_rolesB | Get available client-level roles that can be mapped to the group. |
| get_effective_group_client_role_mappingsB | Get effective (composite) client-level role mappings for the group. |
| delete_group_client_role_mappingsB | Delete client-level role mappings from the group. |
| get_group_client_role_mappingsC | Get client-level role mappings for the group. |
| add_group_client_role_mappingsB | Add client-level role mappings to the group. |
| get_available_user_client_rolesB | Get available client-level roles that can be mapped to the user. |
| get_effective_user_client_role_mappingsA | Get effective (composite) client-level role mappings for the user. |
| delete_user_client_role_mappingsB | Delete client-level role mappings from the user. |
| get_user_client_role_mappingsB | Get client-level role mappings for the user. |
| add_user_client_role_mappingsB | Add client-level role mappings to the user. |
| list_client_scopesB | List all client scopes for the realm. |
| create_client_scopeC | Create a new client scope. |
| get_client_scopeC | Get a client scope by ID. |
| update_client_scopeB | Update a client scope. |
| delete_client_scopeC | Delete a client scope. |
| list_client_templatesA | List all client templates for the realm (legacy). |
| create_client_templateC | Create a new client template (legacy). |
| get_client_templateC | Get a client template by ID (legacy). |
| update_client_templateC | Update a client template (legacy). |
| delete_client_templateC | Delete a client template (legacy). |
| list_clientsC | List all clients in the realm. |
| create_clientB | Create a new client in the realm. |
| get_clientB | Get a client by UUID. |
| update_clientC | Update a client. |
| delete_clientC | Delete a client. |
| get_client_secretC | Get the client secret for a client. |
| generate_client_secretB | Generate a new secret for a client. |
| invalidate_rotated_client_secretB | Invalidate the rotated secret for a client. |
| get_rotated_client_secretC | Get the rotated secret for a client. |
| list_client_default_scopesC | List default client scopes for a client. |
| add_client_default_scopeC | Add a default client scope to a client. |
| remove_client_default_scopeB | Remove a default client scope from a client. |
| list_client_optional_scopesC | List optional client scopes for a client. |
| add_client_optional_scopeC | Add an optional client scope to a client. |
| remove_client_optional_scopeA | Remove an optional client scope from a client. |
| generate_example_access_tokenB | Generate an example access token for evaluating client scopes. |
| generate_example_id_tokenA | Generate an example ID token for evaluating client scopes. |
| generate_example_userinfoB | Generate example userinfo for evaluating client scopes. |
| get_client_evaluated_protocol_mappersB | Get evaluated protocol mappers for a client. |
| get_client_granted_scope_mappingsC | Get granted scope mappings for a client by role container. |
| get_client_not_granted_scope_mappingsB | Get not-granted scope mappings for a client by role container. |
| get_client_installation_providerC | Get the installation provider configuration for a client. |
| get_client_management_permissionsB | Get management permissions for a client. |
| update_client_management_permissionsC | Update management permissions for a client. |
| unregister_client_cluster_nodeB | Unregister a cluster node from the client. |
| register_client_cluster_nodeB | Register a cluster node with the client. |
| push_client_revocation_policyB | Push the revocation policy to all registered cluster nodes for the client. |
| get_client_registration_access_tokenC | Get the registration access token for a client. |
| generate_client_registration_access_tokenA | Generate a new registration access token for a client. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/paoloamato2/keycloak-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server