Identity Admin MCP Server
Provides a contract for Telegram gateways to authenticate and render identity admin tools, including pagination and approval summaries.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Identity Admin MCP Serverlist pending approvals for project alpha"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
# Identity Admin MCP Server
Cloudflare Worker MCP server that exposes a focused Identity-Service admin toolset.
Endpoints
GET /healthzis public and returns service health./mcpis the MCP Streamable HTTP endpoint and requiresAuthorization: Bearer <MCP_CLIENT_TOKEN>.
Related MCP server: Remote MCP Server on Cloudflare
Configuration
Secrets must be configured outside source control:
pnpm install
pnpm exec wrangler secret put MCP_CLIENT_TOKEN
pnpm exec wrangler secret put IDENTITY_ADMIN_TOKENNon-secret variables:
IDENTITY_BASE_URL: Identity-Service base URL.MCP_DEFAULT_CHANNEL: default mutation channel when a tool call omitschannel(mcpby default).
For local development, use an uncommitted .dev.vars file.
Tools
Admin operation mutation tools require an explicit idempotencyKey, generate a per-call correlationId, default channel from MCP_DEFAULT_CHANNEL, and call Identity-Service only through @cesco_valle/identity-auth-sdk/admin. auth.decideApproval decides an already-anchored approval using the Identity contract.
auth.createUserauth.assignProjectRoleauth.revokeProjectAccessauth.revokeSessionauth.banUserauth.unbanUserauth.readmitProjectMembershipauth.decideApprovalauth.listProjectUsersauth.getUserAccessStatusauth.listPendingApprovals
Conversational clients
Tool calls return both redacted JSON text content and matching structuredContent so Claude, Codex, Telegram gateways, and other conversational clients can show readable summaries while using structured data for UI state. List-style Identity responses keep the raw redacted result intact and may add structuredContent.client.list with defensive metadata such as itemCount, detected item key, pagination fields, and action hints.
The server also exposes guidance resources/prompts for safe admin workflow, pagination, Telegram gateway responsibilities, and the no-direct-DB Identity boundary when supported by the installed MCP TypeScript SDK.
Telegram gateway contract
A Telegram gateway should authenticate to /mcp with Authorization: Bearer <MCP_CLIENT_TOKEN>, keep /healthz as a public health check, render concise text content to operators, and use structuredContent for buttons, pagination state, approval summaries, and safe follow-up actions. It must not forward secrets to chat clients.
Architecture decisions
ADR-0001: runtime and deployment model.
ADR-0002: discrete
auth.*tool boundary.ADR-0003: local agent instructions and ADR skill lock.
Commands
pnpm typecheck
pnpm test
pnpm build
pnpm devSecurity notes
No OAuth v1.
No direct database access.
Tool responses include JSON text content and matching
structuredContent, with common secret fields redacted in both.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/C3SC0-V4113/Identity-Service-MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server