Auth0 MCP Server

Official Auth0 MCP server. Manage applications, APIs, actions, forms, and logs in your Auth0 tenant through natural language.

Developer Tools by Auth0 (Okta) OAuth2 active

Overview

The Auth0 MCP Server is the official integration from Auth0 (Okta) that connects LLM clients such as Claude Desktop, Cursor, Windsurf, VS Code, and Gemini CLI to the Auth0 Management API. It lets developers configure their Auth0 tenant using natural language: creating applications, registering APIs, writing and deploying Actions, querying logs, and managing Forms without leaving their AI workspace or touching the Auth0 dashboard.

The server runs locally via npx @auth0/auth0-mcp-server and authenticates the user with the OAuth 2.0 Device Authorization Flow. Access and refresh tokens are stored in the operating system keychain rather than plain text files, and sensitive fields like client_secret are automatically redacted in tool responses. Permissions are explicit and granular: users pick which scopes to grant during init, and operators can further restrict behavior with --read-only or with --tools glob patterns.

The project is currently marked as Beta and is maintained by Auth0 in their official GitHub organization. It covers the most common tenant management surfaces (Applications, Resource Servers, Application Grants, Actions, Logs, Forms) and is designed to work with any MCP-compatible client through a standard stdio config.

Tools

Tool                              Description
auth0_list_applications           List or search applications in the tenant
auth0_get_application             Retrieve details for a specific application
auth0_create_application          Create a new Auth0 application (SPA, native, web, or M2M)
auth0_update_application          Update an existing application's settings
auth0_list_resource_servers       List configured APIs (resource servers)
auth0_get_resource_server         Get details of a specific API
auth0_create_resource_server      Register a new API in the tenant
auth0_update_resource_server      Adjust settings on an existing API
auth0_create_application_grant    Authorize an application to access an API with specific scopes
auth0_list_actions                List Auth0 Actions configured in the tenant
auth0_get_action                  Retrieve an Action's code and metadata
auth0_create_action               Create a new Auth0 Action
auth0_update_action               Modify an existing Action's logic
auth0_deploy_action               Deploy an Action to production
auth0_list_logs                   Retrieve tenant authentication logs
auth0_get_log                     Examine a specific log entry
auth0_list_forms                  List Auth0 Forms
auth0_get_form                    View a form's configuration
auth0_create_form                 Create a custom form
auth0_update_form                 Update form settings
auth0_publish_form                Publish a form live
auth0_save_credentials_to_file    Export application credentials to a .env.local file with automatic .gitignore entry

Setup Guide

Prerequisites

  • Node.js v18 or higher
  • An active Auth0 account with permission to manage the target tenant
  • An MCP-compatible client (Claude Desktop, Cursor, Windsurf, VS Code, or Gemini CLI)

Quick install

The init command authenticates via OAuth 2.0 device flow, stores tokens in the system keychain, and writes the MCP client config automatically.

# Claude Desktop (default)
npx @auth0/auth0-mcp-server init

# Read-only mode
npx @auth0/auth0-mcp-server init --read-only

# Other clients
npx @auth0/auth0-mcp-server init --client windsurf
npx @auth0/auth0-mcp-server init --client cursor
npx @auth0/auth0-mcp-server init --client vscode
npx @auth0/auth0-mcp-server init --client gemini

During init you can select scopes, e.g.:

npx @auth0/auth0-mcp-server init --scopes 'read:*,create:clients'

Manual config (any MCP client)

{
  "mcpServers": {
    "auth0": {
      "command": "npx",
      "args": ["-y", "@auth0/auth0-mcp-server", "run"],
      "capabilities": ["tools"],
      "env": {
        "DEBUG": "auth0-mcp"
      }
    }
  }
}

Limiting tool surface

Use glob patterns to expose only specific tools:

npx @auth0/auth0-mcp-server init --tools 'auth0_list_*,auth0_get_*'
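
Added example (not code from the Auth0 project): a pre-flight check that shows which of the tools listed on this page a --tools pattern list would expose, and whether any of them can change the tenant. It assumes "*" matches any run of characters against the full tool name; the helper names and the read/write classification are this example's own.

```javascript
// Added example: preview which tools a --tools pattern list would expose.
// Assumption: "*" matches any run of characters and a tool is exposed when
// any pattern matches its full name; the server's own matcher may differ.

// Tool names copied from the table on this page.
const TOOLS = [
  "auth0_list_applications", "auth0_get_application",
  "auth0_create_application", "auth0_update_application",
  "auth0_list_resource_servers", "auth0_get_resource_server",
  "auth0_create_resource_server", "auth0_update_resource_server",
  "auth0_create_application_grant",
  "auth0_list_actions", "auth0_get_action", "auth0_create_action",
  "auth0_update_action", "auth0_deploy_action",
  "auth0_list_logs", "auth0_get_log",
  "auth0_list_forms", "auth0_get_form", "auth0_create_form",
  "auth0_update_form", "auth0_publish_form",
  "auth0_save_credentials_to_file",
];

// Verbs that change tenant state or write secrets to disk (classification is
// this example's, based on the tool descriptions above).
const MUTATING = /^auth0_(create|update|deploy|publish|save)_/;

// Convert one glob pattern into an anchored RegExp, escaping regex metacharacters.
function globToRegExp(glob) {
  const escaped = glob.trim().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Return the exposed tool names and the subset that can modify the tenant.
function previewTools(patternList, tools = TOOLS) {
  const patterns = patternList.split(",").filter((p) => p.trim()).map(globToRegExp);
  const exposed = tools.filter((t) => patterns.some((re) => re.test(t)));
  return { exposed, mutating: exposed.filter((t) => MUTATING.test(t)) };
}

const narrow = previewTools("auth0_list_*,auth0_get_*");
const broad = previewTools("auth0_*_action*");
console.log(narrow.exposed.length, "exposed,", narrow.mutating.length, "mutating");
console.log("broad pattern exposes mutating tools:", broad.mutating);
```

A pattern written around a resource name, such as auth0_*_action*, pulls in the create, update, and deploy tools along with the read-only ones, which is why the verb-prefixed patterns above are the safer way to scope an agent.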

Private Cloud (client credentials)

npx @auth0/auth0-mcp-server init \
  --auth0-domain <domain> \
  --auth0-client-id <id> \
  --auth0-client-secret <secret>

Session management

npx @auth0/auth0-mcp-server session   # check auth status
npx @auth0/auth0-mcp-server logout    # remove stored tokens

Environment variables

  • AUTH0_MCP_READ_ONLY: enable read-only mode
  • AUTH0_MCP_TOOLS: comma-separated tool patterns
  • AUTH0_MCP_ANALYTICS: set to false to opt out of analytics
  • DEBUG=auth0-mcp: verbose logging

Use Cases

  • Spin up a new SPA or M2M application and copy the client credentials into a project's .env.local without opening the dashboard
  • Author and deploy Auth0 Actions (post-login token customization, MFA enforcement, custom claims) directly from a coding agent
  • Debug login failures by asking the agent to fetch and summarize recent tenant logs filtered by user, IP, or error code
  • Register a new API (resource server) with scopes and grant an existing application access to it in one prompt
  • Build and publish custom signup or progressive profiling Forms from a natural language description

Example Prompts

  • "Create a new SPA application called 'Marketing Site' with callback https://marketing.example.com/callback and save the credentials to .env.local."
  • "Show me failed login logs for user@example.com from the last 24 hours and explain the most common error."
  • "Write a post-login Action that adds the user's app_metadata.role as a custom claim and deploy it."
  • "Register an API with identifier https://api.example.com and scopes read:orders and write:orders, then grant my 'Backend Service' application access."
  • "List all my applications and tell me which ones still allow the implicit grant."

Pros

  • Official Auth0 server published under the auth0 GitHub org and the @auth0/auth0-mcp-server npm scope
  • Strong security defaults: OAuth 2.0 device flow, keychain-backed token storage, automatic redaction of secrets, no scopes granted by default
  • Fine-grained access controls via --read-only, --tools glob patterns, and per-scope selection during init
  • Broad client support out of the box (Claude Desktop, Cursor, Windsurf, VS Code, Gemini CLI) with auto-generated config

Limitations

  • Marked as Beta and provided "AS IS"; tool surface and behavior may change without notice
  • Tool coverage is focused on apps, APIs, Actions, logs, and Forms; other Management API areas (users, roles, organizations, branding) are not exposed as first-class tools
  • Runs locally only; there is no hosted endpoint, so each developer machine must authenticate and store tokens

Alternatives

  • WorkOS MCP server for teams using WorkOS for auth and SSO administration
  • Clerk community MCP integrations for Clerk-based identity management
  • Direct use of the Auth0 Deploy CLI or Management API via a generic HTTP MCP server when you need broader endpoint coverage