Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| LOG_LEVEL | No | DEBUG, INFO, WARN, ERROR (default: INFO) | INFO |
| ZITADEL_ISSUER | Yes | Zitadel instance URL | |
| ZITADEL_ORG_ID | Yes | Organization ID | |
| ZITADEL_PROJECT_ID | No | Default project ID for role operations | |
| PORTAL_DATABASE_URL | No | Postgres connection string (enables portal tools) | |
| ZITADEL_SERVICE_ACCOUNT_KEY_ID | Yes | Key ID from the JSON key file | |
| ZITADEL_SERVICE_ACCOUNT_USER_ID | Yes | Service account user ID | |
| ZITADEL_SERVICE_ACCOUNT_PRIVATE_KEY | Yes | Base64-encoded RSA private key (the key field from the downloaded JSON) | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| zitadel_list_users | List or search users in the Zitadel instance. Returns user details including name, email, status, and login names. |
| zitadel_get_user | Get detailed information about a specific user by their user ID. |
| zitadel_create_user | Create a new human user in Zitadel. An invitation email will be sent automatically so the user can set their password. |
| zitadel_deactivate_user | Deactivate a user account. The user will no longer be able to log in. Requires confirm: true. |
| zitadel_reactivate_user | Reactivate a previously deactivated user account. |
| zitadel_lock_user | Lock a user account. The user will not be able to log in until unlocked. Requires confirm: true. |
| zitadel_unlock_user | Unlock a previously locked user account. |
| zitadel_delete_user | Permanently delete a user. This action cannot be undone. Requires confirm: true. Consider using zitadel_deactivate_user instead (reversible). |
| zitadel_list_projects | List all projects in the Zitadel organization. |
| zitadel_get_project | Get details of a specific project by its ID. |
| zitadel_create_project | Create a new project in Zitadel. Projects contain applications, roles, and grants. |
| zitadel_list_apps | List all applications in a Zitadel project. |
| zitadel_get_app | Get details of a specific application including its Client ID and OIDC configuration. |
| zitadel_create_oidc_app | Create a new OIDC application in a Zitadel project. Returns the Client ID (and Client Secret for confidential clients). Configure redirect URIs, response types, and grant types. |
| zitadel_update_app | Update an OIDC application's configuration (redirect URIs, auth method, etc.). |
| zitadel_list_project_roles | List all roles defined in a Zitadel project (e.g., "admin", "app:finance"). |
| zitadel_create_project_role | Create a new role in a Zitadel project. Use key format "app:{slug}" for app-specific access roles. |
| zitadel_list_user_grants | List role grants for a specific user, showing which roles they have been assigned. |
| zitadel_create_user_grant | Assign roles to a user by creating a grant. Validates that the roles exist in the project before granting. |
| zitadel_remove_user_grant | Remove a role grant from a user by grant ID. Requires confirm: true. |
| zitadel_create_service_user | Create a new service account (machine user) for API access. Service accounts authenticate via JWT keys, not passwords. |
| zitadel_create_service_user_key | Generate a new key pair for a service account. The private key is returned ONLY at creation time — save it immediately. |
| zitadel_list_service_user_keys | List existing keys for a service account. Shows key metadata only (not private keys). |
| zitadel_get_org | Get details of the current organization (based on the configured ZITADEL_ORG_ID). |
| zitadel_get_auth_config | Get the environment variables needed for a new application's .env.local file. Fetches the app details and formats them as ready-to-paste configuration. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |