
Okta MCP Server

Official Okta MCP server for managing users, groups, apps, policies, branding, and logs across an Okta org via natural language.

Overview

The Okta MCP Server is the official Model Context Protocol implementation maintained by Okta for connecting LLM agents to Okta's Admin Management APIs. It exposes natural language access to identity operations such as creating users, managing groups, listing applications, configuring authentication policies, reviewing system logs, and managing branded sign-in experiences. The server is built on the Okta Python SDK and supports two OAuth 2.0 authentication flows: Device Authorization Grant for interactive sessions and Private Key JWT for browserless or automated use.

A notable design feature is scope-based tool loading: at startup the server reads the OAuth scopes listed in the OKTA_SCOPES environment variable and registers only the tools whose required scopes are present; everything else is left out of the tool list the model sees, rather than being exposed and failing at call time. This keeps the agent's capabilities aligned with the principle of least privilege, with one caveat: OKTA_SCOPES is a client-side filter, and the scopes an access token can actually carry are bounded by what was granted to the app integration in Okta (and by the admin roles of the signing-in user or of the service app), so the two lists should be kept in sync and both kept minimal. Destructive actions such as deactivating users or deleting policies use the MCP Elicitation API to ask for confirmation before executing, which requires an MCP client that supports elicitation.
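The interactive path is the OAuth 2.0 Device Authorization Grant (RFC 8628): the server asks the org for a device code and a short user code, the admin signs in through a browser, and the server polls the token endpoint until that sign-in completes. The block below is an added illustration of that exchange and of the scope check that follows it; it is not the project's code or the Okta SDK's. The HTTP transport is injected so the whole exchange can run offline against a scripted fake Okta in demo() (all responses there are constructed); the org URL, client ID and token values are placeholders.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_form(url, data):
    """Real transport: POST a form and return (status, parsed JSON body).
    OAuth error responses are 4xx with a JSON body, so they are returned, not raised."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(data).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def device_authorization(org_url, client_id, scopes, post=http_post_form):
    """Step 1: request a device code and user code from the org authorization server.
    The admin opens verification_uri (or verification_uri_complete) and enters user_code."""
    status, body = post(f"{org_url}/oauth2/v1/device/authorize",
                        {"client_id": client_id, "scope": " ".join(scopes)})
    if status != 200:
        raise RuntimeError(f"device authorization request failed: {body}")
    return body


def poll_for_token(org_url, client_id, auth, post=http_post_form,
                   sleep=time.sleep, clock=time.time):
    """Step 2: poll the token endpoint until sign-in completes (RFC 8628 sections 3.4/3.5).
    authorization_pending keeps polling, slow_down adds 5 s to the interval, anything
    else (access_denied, expired_token, invalid_grant) is fatal."""
    interval = int(auth.get("interval", 5))
    deadline = clock() + int(auth["expires_in"])
    while clock() < deadline:
        sleep(interval)
        status, body = post(f"{org_url}/oauth2/v1/token",
                            {"client_id": client_id, "grant_type": DEVICE_GRANT,
                             "device_code": auth["device_code"]})
        if status == 200:
            return body
        err = body.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5
            continue
        raise RuntimeError(f"device flow failed: {err}: {body.get('error_description')}")
    raise TimeoutError("device code expired before the user completed sign-in")


def granted_scopes(token_response):
    """The scope string in the token response is what Okta actually granted; it can be
    narrower than what was requested (scopes not granted to the app, or beyond the
    signing-in admin's roles). Tools gated on a missing scope should stay unloaded."""
    return set(token_response.get("scope", "").split())


def demo():
    """Run the exchange offline against a scripted fake Okta (constructed responses)."""
    requested = ["okta.users.read", "okta.groups.manage"]
    script = iter([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (400, {"error": "authorization_pending"}),
        (200, {"token_type": "Bearer", "access_token": "demo-token",
               "expires_in": 3600, "scope": "okta.users.read"}),
    ])
    sleeps, now = [], [1_000_000.0]

    def fake_post(url, data):
        if url.endswith("/oauth2/v1/device/authorize"):
            return 200, {"device_code": "dc-123", "user_code": "WDJB-MJHT",
                         "verification_uri": "https://your-org.okta.com/activate",
                         "expires_in": 600, "interval": 5}
        assert data["grant_type"] == DEVICE_GRANT and data["device_code"] == "dc-123"
        return next(script)

    def fake_sleep(seconds):
        sleeps.append(seconds)
        now[0] += seconds

    auth = device_authorization("https://your-org.okta.com", "cid", requested, post=fake_post)
    token = poll_for_token("https://your-org.okta.com", "cid", auth, post=fake_post,
                           sleep=fake_sleep, clock=lambda: now[0])
    return {"user_code": auth["user_code"], "sleeps": sleeps,
            "granted": granted_scopes(token),
            "not_granted": set(requested) - granted_scopes(token)}


if __name__ == "__main__":
    print(demo())
```

The point of granted_scopes is the one the scope-based loading relies on: requesting okta.groups.manage in OKTA_SCOPES does not make it appear in the token if the app integration or the admin's roles do not allow it, so a tool gated on that scope would only fail at call time if it were loaded anyway.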

Tool coverage spans users, groups, applications, authentication and access policies, device assurance, system logs, brands and themes, custom pages, email templates and settings, custom domains, and email domains, covering most of the day-to-day surface area an Okta admin operates on.

Tools

Tool(s)    Description

list_users / get_user / create_user / update_user / deactivate_user / delete_deactivated_user / get_user_profile_attributes
    Full lifecycle management of Okta users: create, read, update, deactivate, and final delete. As the name says, delete_deactivated_user only removes a user that has already been deactivated; Okta does not delete an active user in one step.

list_groups / get_group / create_group / update_group / delete_group / list_group_users / list_group_apps / add_user_to_group / remove_user_from_group
    Create and manage Okta groups, query group membership and assigned apps, and add or remove users.

list_applications / get_application / create_application / update_application / delete_application / activate_application / deactivate_application
    Manage Okta application integrations including activation state and configuration.

list_policies / get_policy / create_policy / update_policy / delete_policy / activate_policy / deactivate_policy / list_policy_rules / get_policy_rule / create_policy_rule / update_policy_rule / delete_policy_rule / activate_policy_rule / deactivate_policy_rule
    Manage authentication, password, MFA, and access policies along with their rules.

list_device_assurance_policies / get_device_assurance_policy / create_device_assurance_policy / replace_device_assurance_policy / delete_device_assurance_policy
    Manage device assurance policies that enforce device posture requirements.

get_logs
    Query the Okta System Log for authentication, admin, and security events.

list_brands / get_brand / list_brand_domains / create_brand / replace_brand / delete_brand
    Manage Okta brands used for end-user experiences.

list_brand_themes / get_brand_theme / replace_brand_theme / upload_brand_theme_logo / delete_brand_theme_logo / upload_brand_theme_favicon / delete_brand_theme_favicon / upload_brand_theme_background_image / delete_brand_theme_background_image
    Manage themes and visual assets (logo, favicon, background image) for branded experiences.

Custom Pages tools
    Manage sign-in, error, and sign-out page customizations for a brand.

list_email_templates / get_email_template / list_email_customizations / get_email_customization / create_email_customization / replace_email_customization / delete_email_customization / delete_all_email_customizations / get_email_customization_preview / get_email_default_content / get_email_default_content_preview / get_email_settings / replace_email_settings / send_test_email
    Manage email templates, customizations, settings, and test sends.

list_custom_domains / get_custom_domain / create_custom_domain / replace_custom_domain / delete_custom_domain / upsert_custom_domain_certificate / verify_custom_domain
    Configure custom Okta domains and their TLS certificates.

list_email_domains / get_email_domain / create_email_domain / replace_email_domain / delete_email_domain / verify_email_domain
    Manage and verify custom email-sending domains.

Setup Guide

Prerequisites

  • Active Okta org with admin permissions to create app integrations and grant API scopes
  • Python 3.8+ or Docker
  • uv package manager (if running without Docker)
  • An MCP-compatible client (Claude Desktop, etc.)

Create an Okta app integration

Choose one auth flow:

  • Device Authorization Grant (interactive): Create an OIDC Native Application, enable the Device Authorization grant type, and grant the API scopes you want to expose. The token issued at sign-in is additionally bounded by the admin roles of the user who signs in.
  • Private Key JWT (browserless): Create an API Services app, generate or upload an RSA key pair, grant API scopes, and assign the app the admin roles those scopes need (Okta limits a service app's effective permissions to its assigned admin roles, so a scope with no matching role will not work). Save the Client ID, Key ID (kid), and private key; only the public key is stored in Okta.
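For the browserless path the server authenticates as the API Services app with a signed client assertion (RFC 7523): a JWT whose iss and sub are the Client ID, whose aud is the org's token endpoint, with a short exp and a unique jti, signed with the private key and identified by the kid registered on the app. The block below is an added illustration of building and checking that assertion and the token request it goes into; it is not the project's code or the Okta SDK's. Because it has to run with the standard library only, it generates a throwaway 1024-bit RSA key in pure Python and implements RS256 by hand; a real deployment loads the registered 2048-bit key from OKTA_PRIVATE_KEY with a proper crypto library. The org URL, client ID and kid are placeholders.

```python
import base64
import hashlib
import json
import secrets
import time
import uuid

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n, rounds=40):
    """Miller-Rabin. Demo-only key generation, not a substitute for a real library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_rsa_keypair(bits=1024):
    """Throwaway RSA key (too small for real use) so the example runs offline."""
    e = 65537

    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(key, message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), sized to the modulus."""
    k = (key["n"].bit_length() + 7) // 8
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, k


def rs256_sign(key, message):
    em, k = _emsa_pkcs1_v15(key, message)
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(public_key, message, signature):
    em, k = _emsa_pkcs1_v15(public_key, message)
    s = int.from_bytes(signature, "big")
    return s < public_key["n"] and pow(s, public_key["e"], public_key["n"]).to_bytes(k, "big") == em


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_assertion(org_url, client_id, kid, key, lifetime=300, now=None):
    """iss and sub are the client ID, aud is the token endpoint the assertion is sent to,
    exp is short and jti unique so a captured assertion cannot be replayed elsewhere."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": f"{org_url}/oauth2/v1/token",
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(rs256_sign(key, signing_input.encode()))}"


def token_request_form(assertion, scopes):
    """Form body for POST {org_url}/oauth2/v1/token; the returned access token is what
    the server then presents as a Bearer token to the Admin Management APIs."""
    return {"grant_type": "client_credentials", "scope": " ".join(scopes),
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": assertion}


def verify_client_assertion(jwt, public_key, expected_aud, now=None):
    """The checks the token endpoint makes: signature, audience, iss == sub, not expired."""
    now = time.time() if now is None else now
    h, c, s = jwt.split(".")
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    ok = (header.get("alg") == "RS256"
          and rs256_verify(public_key, f"{h}.{c}".encode(), _b64url_decode(s))
          and claims.get("aud") == expected_aud
          and claims.get("iss") == claims.get("sub")
          and claims.get("exp", 0) > now)
    return ok, header, claims
```

Two details worth keeping when doing this with a real library: the aud must be the exact token endpoint URL (a custom authorization server has a different one), and a fresh jti per request is what makes the assertion single-use if it leaks from a log.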

Install

Option A: Docker

git clone https://github.com/okta/okta-mcp-server.git
cd okta-mcp-server
cp .env.example .env
docker-compose up -d

Option B: uv

git clone https://github.com/okta/okta-mcp-server.git
cd okta-mcp-server
uv sync

Claude Desktop config (Docker + Private Key JWT)

{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "OKTA_ORG_URL",
        "-e", "OKTA_CLIENT_ID",
        "-e", "OKTA_SCOPES",
        "-e", "OKTA_PRIVATE_KEY",
        "-e", "OKTA_KEY_ID",
        "okta-mcp-server"
      ],
      "env": {
        "OKTA_ORG_URL": "https://your-org.okta.com",
        "OKTA_CLIENT_ID": "your-client-id",
        "OKTA_SCOPES": "okta.users.read okta.groups.read",
        "OKTA_PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\nYour key\n-----END RSA PRIVATE KEY-----",
        "OKTA_KEY_ID": "your-key-id"
      }
    }
  }
}

Claude Desktop config (uv + Device Authorization)

{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/okta-mcp-server",
        "okta-mcp-server"
      ],
      "env": {
        "OKTA_ORG_URL": "https://your-org.okta.com",
        "OKTA_CLIENT_ID": "your-client-id",
        "OKTA_SCOPES": "okta.users.read okta.groups.read"
      }
    }
  }
}

Environment variables

  • OKTA_ORG_URL: Your Okta org URL (e.g. https://your-org.okta.com)
  • OKTA_CLIENT_ID: Client ID of the Okta app integration
  • OKTA_SCOPES: Space-separated list of OAuth scopes. Tools are loaded only for scopes granted here.
  • OKTA_PRIVATE_KEY: (Private Key JWT only) PEM-formatted RSA private key. When passed through a Claude Desktop config as above, the key sits in plaintext in that JSON file, so restrict the file's permissions and dedicate the key pair to this app integration so it can be rotated in Okta without touching anything else.
  • OKTA_KEY_ID: (Private Key JWT only) Key ID for the public key registered in Okta
  • OKTA_LOG_LEVEL: Optional. Set to DEBUG for verbose logging.

The server enforces least privilege via scope-based tool loading: any tool whose required scope is not listed in OKTA_SCOPES is not registered and never appears to the model. Keep the list to the scopes the session actually needs. Listing a scope here does not grant it (what the token can carry is decided by the app integration and admin roles in Okta), but listing more than the task needs exposes write and delete tools to the model for no reason.

Use Cases
  • Onboard a new hire: create their Okta user and add them to the right groups (group membership is what drives app assignment in Okta) in one conversation.
  • Investigate a security incident by querying the System Log for failed sign-ins, MFA challenges, or admin actions in a time window.
  • Audit and clean up: list inactive users, applications without assignments, or groups with stale membership and deactivate them.
  • Roll out a new authentication or MFA policy and create the rules that scope it to specific groups or apps.
  • Manage branded sign-in experiences by updating brand themes, custom pages, email templates, and verifying custom domains.
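The incident-investigation use case comes down to a System Log query with a filter on the event type and outcome, a walk through the paginated result, and an aggregation per actor. The block below is an added illustration of that, not the project's get_logs tool: it builds the filter, follows the rel="next" Link header the API returns, waits out a 429 using the x-rate-limit-reset header (the per-org rate limits noted under Limitations), and groups failures by user. The transport is injected, and demo() runs the whole thing against constructed events that mirror the System Log event shape; the org URL, users and addresses are placeholders.

```python
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict

# System Log filter expression for failed interactive sign-ins
FAILED_SIGNIN_FILTER = 'eventType eq "user.session.start" and outcome.result eq "FAILURE"'


def next_link(link_header):
    """Pull the rel="next" URL out of the Link header Okta returns with each page."""
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def _headers(msg):
    """Lower-case header names and join repeated headers (Okta sends two Link headers)."""
    return {k.lower(): ", ".join(msg.get_all(k)) for k in msg.keys()}


def http_get(url, token):
    """Real transport: GET with the OAuth access token; returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return r.status, _headers(r.headers), json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, _headers(e.headers), []


def iter_log_events(org_url, since, token=None, filter_expr=FAILED_SIGNIN_FILTER,
                    get=None, sleep=time.sleep, clock=time.time):
    """Walk /api/v1/logs page by page. The log is a stream, so Okta keeps returning a
    next link; an empty page ends the walk. 429 is retried once x-rate-limit-reset passes."""
    get = get or (lambda u: http_get(u, token))
    url = f"{org_url}/api/v1/logs?" + urllib.parse.urlencode(
        {"since": since, "filter": filter_expr, "limit": 100})
    while url:
        status, headers, body = get(url)
        if status == 429:
            sleep(max(0.0, int(headers.get("x-rate-limit-reset", clock() + 1)) - clock()))
            continue
        if status != 200:
            raise RuntimeError(f"System Log query failed with HTTP {status}")
        if not body:
            return
        yield from body
        url = next_link(headers.get("link"))


def failed_signins_by_user(events):
    """Group failures by actor, keeping source IPs, failure reasons and the time window."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "reasons": set(),
                                   "first": None, "last": None})
    for ev in events:
        s = summary[(ev.get("actor") or {}).get("alternateId") or "unknown"]
        s["count"] += 1
        s["ips"].add((ev.get("client") or {}).get("ipAddress"))
        s["reasons"].add((ev.get("outcome") or {}).get("reason"))
        ts = ev.get("published") or ""  # ISO 8601 UTC, so string order is time order
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(sorted(summary.items(), key=lambda kv: -kv[1]["count"]))


def _event(user, ip, reason, published):
    """Constructed System Log event carrying the fields this triage reads."""
    return {"eventType": "user.session.start", "published": published,
            "actor": {"type": "User", "alternateId": user},
            "client": {"ipAddress": ip},
            "outcome": {"result": "FAILURE", "reason": reason}}


def demo():
    """Offline run: a rate-limited first call, then two pages and the empty terminator."""
    base = "https://your-org.okta.com"
    pages = [
        [_event("jane.doe@acme.com", "203.0.113.7", "INVALID_CREDENTIALS", "2024-05-01T08:00:01.000Z"),
         _event("jane.doe@acme.com", "203.0.113.7", "INVALID_CREDENTIALS", "2024-05-01T08:00:09.000Z"),
         _event("bob@acme.com", "198.51.100.4", "LOCKED_OUT", "2024-05-01T08:01:00.000Z")],
        [_event("jane.doe@acme.com", "203.0.113.8", "INVALID_CREDENTIALS", "2024-05-01T08:02:30.000Z")],
        [],
    ]
    calls, now, sleeps = [], [1_700_000_000.0], []

    def fake_get(url):
        calls.append(url)
        if len(calls) == 1:
            return 429, {"x-rate-limit-reset": str(int(now[0]) + 30)}, []
        return 200, {"link": f'<{base}/api/v1/logs?after=p{len(calls)}>; rel="next"'}, pages[len(calls) - 2]

    def fake_sleep(seconds):
        sleeps.append(seconds)
        now[0] += seconds

    events = list(iter_log_events(base, "2024-05-01T00:00:00.000Z", get=fake_get,
                                  sleep=fake_sleep, clock=lambda: now[0]))
    return {"events": len(events), "requests": len(calls), "sleeps": sleeps,
            "summary": failed_signins_by_user(events)}
```

Against a real org the same walk works with get=None and token set to the access token obtained by either auth flow; the `since` value should be an ISO 8601 timestamp, and a `limit` of 100 keeps each page small enough that a rate-limit pause costs at most one page.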
Example Prompts
  • "Create a new user jane.doe@acme.com in Okta and add her to the Engineering and All-Employees groups."
  • "Show me all failed login events in the System Log from the last 24 hours grouped by user."
  • "List every application in our Okta org that has zero group assignments and deactivate them after confirming."
  • "Update the authentication policy for the Salesforce app to require MFA for users outside the office network."
  • "Replace the brand theme logo and send a test email using the Welcome email template."
Pros
  • Officially maintained by Okta, with coverage that tracks the Admin Management APIs closely.
  • Scope-based tool loading enforces least privilege automatically based on the OAuth scopes you grant.
  • Supports both interactive (Device Authorization) and headless (Private Key JWT) auth flows.
  • Confirmation prompts on destructive operations via the MCP Elicitation API reduce the risk of accidental deletes or deactivations.
Limitations
  • Self-hosted only: requires running Docker or a Python environment locally, plus configuring an Okta app integration and scopes before first use.
  • Private Key JWT setup involves managing RSA keys and admin role assignments, which is non-trivial for casual users.
  • Subject to Okta's per-org API rate limits, which can throttle bulk operations on large tenants.
Alternatives
  • Auth0 MCP server for managing Auth0 tenants (Okta's sister identity product).
  • Microsoft Entra ID (formerly Azure AD) / Microsoft Graph MCP integrations for managing users, groups, and apps in a Microsoft tenant.
  • Direct use of the Okta Terraform Provider or the Okta CLI when deterministic, declarative management is preferred over LLM-driven operations.