Okta MCP Server

Official
Okta

Lets AI assistants manage your Okta identity platform through natural language commands. Automate user management, security monitoring, and access control tasks by simply asking your AI to perform Okta admin operations.

Official Okta MCP server for managing identity and access management through AI. Automate user provisioning, group management, security log analysis, and access control workflows. Supports natural language queries for Okta admin tasks with enterprise-grade authentication and least-privilege security.


What it does

  • Create and manage Okta users with group assignments
  • Monitor failed login attempts and security events
  • Analyze application usage and access patterns
  • Automate user provisioning workflows
  • Query security logs with natural language
  • Manage group memberships and permissions

Best for

  • IT administrators managing user lifecycles
  • Security teams monitoring access patterns
  • DevOps automating identity workflows
  • Compliance teams auditing user access

  • Natural language Okta admin commands
  • Built-in confirmation for destructive operations
  • Enterprise-grade authentication support

About Okta MCP Server

Okta MCP Server is an official MCP server published by Okta that provides AI assistants with tools and capabilities via the Model Context Protocol. It is categorized under cloud infrastructure, auth security, developer tools.

How to install

You can install Okta MCP Server in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

License

Okta MCP Server is released under the Apache-2.0 license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

Okta MCP Server


MCP (Model Context Protocol) is an open protocol introduced by Anthropic that standardizes how large language models communicate with external tools, resources or remote services.

The Okta MCP Server integrates with LLMs and AI agents, allowing you to perform various Okta management operations using natural language. For instance, you could simply ask Claude Desktop to:

  • Create a new user and add them to the Engineering group

  • Show me all failed login attempts from the last 24 hours

  • List all applications that haven't been used in the past month

Empower your LLM Agents to Manage your Okta Organization

This server is a Model Context Protocol server that provides seamless integration with Okta's Admin Management APIs. It allows LLM agents to interact with Okta in a programmatic way, enabling automation and enhanced management capabilities.

Key Features

  • LLM-Driven Okta Management: Allows your LLM agents to perform administrative tasks within your Okta environment based on natural language instructions.
  • Secure Authentication: Supports both Device Authorization Grant for interactive use and Private Key JWT for secure, automated server-to-server communication.
  • Interactive Confirmation via Elicitation: Destructive operations (deletes, deactivations) prompt the user for confirmation through the MCP Elicitation API before proceeding, with automatic fallback for clients that do not yet support the feature.
  • Integration with Okta Admin Management APIs: Leverages the official Okta APIs to ensure secure and reliable interaction with your Okta org.
  • Extensible Architecture: Designed to be easily extended with new functionalities and support for additional Okta API endpoints.
  • Comprehensive Tool Support: Full CRUD operations for users, groups, applications, policies, and more.

This MCP server utilizes Okta's Python SDK to communicate with the Okta APIs, ensuring a robust and well-supported integration.

🚀 Getting Started

Prerequisites:


Install the Okta MCP Server

Install Okta MCP Server and configure it to work with your preferred MCP Client.

Choose one of the following installation methods:

🐳 Option 1: Docker (Recommended)

Docker provides a consistent environment without needing to install Python or uv locally.

  1. Clone the repository:

    git clone https://github.com/okta/okta-mcp-server.git
    cd okta-mcp-server
    
  2. Create a .env file from the example:

    cp .env.example .env
    # Edit .env and add your Okta credentials
    
  3. Build and run with Docker Compose:

    docker-compose up -d
    
  4. Configure your MCP Client to use the Docker container:

Claude Desktop with Docker (Private Key JWT - Recommended for Docker):

This method requires no browser interaction and is ideal for containerized environments.

{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "OKTA_ORG_URL",
        "-e", "OKTA_CLIENT_ID",
        "-e", "OKTA_SCOPES",
        "-e", "OKTA_PRIVATE_KEY",
        "-e", "OKTA_KEY_ID",
        "okta-mcp-server"
      ],
      "env": {
        "OKTA_ORG_URL": "https://your-org.okta.com",
        "OKTA_CLIENT_ID": "your-client-id",
        "OKTA_SCOPES": "okta.users.read okta.groups.read",
        "OKTA_PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\nYour private key content here\n-----END RSA PRIVATE KEY-----",
        "OKTA_KEY_ID": "your-key-id"
      }
    }
  }
}

Claude Desktop with Docker (Device Authorization Grant):

This method requires browser-based authentication. When the server starts, it will display an authentication URL in the logs. Copy and paste this URL into your browser to complete the authentication.

Note: Docker containers cannot open a browser on the host automatically. You must manually copy the URL from docker logs okta-mcp-server and paste it into your browser.

{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "okta-keyring:/home/appuser/.local/share/python_keyring",
        "-e", "OKTA_ORG_URL",
        "-e", "OKTA_CLIENT_ID",
        "-e", "OKTA_SCOPES",
        "-e", "PYTHON_KEYRING_BACKEND=keyrings.alt.file.PlaintextKeyring",
        "okta-mcp-server"
      ],
      "env": {
        "OKTA_ORG_URL": "https://your-org.okta.com",
        "OKTA_CLIENT_ID": "your-client-id",
        "OKTA_SCOPES": "okta.users.read okta.groups.read"
      }
    }
  }
}

The -v okta-keyring:/home/appuser/.local/share/python_keyring volume persists tokens between container restarts.
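
An added example, not part of the Okta README: a small Python check over a Claude Desktop `mcpServers` file that reports the three settings in the two configurations above that determine credential exposure, namely a private key embedded inline, the PlaintextKeyring backend, and scopes beyond read. The sample config, the server names `okta-jwt` and `okta-device`, the function name `audit_mcp_config`, and the rule that a scope without a `read` component counts as write-capable are assumptions made for this illustration.

```python
import json

# Constructed sample modelled on the two Claude Desktop entries above.
# Server names and the key body are placeholders, not real values.
SAMPLE_CONFIG = json.loads(r"""
{"mcpServers": {
  "okta-jwt": {
    "command": "docker",
    "args": ["run", "-i", "--rm", "-e", "OKTA_SCOPES", "-e", "OKTA_PRIVATE_KEY",
             "okta-mcp-server"],
    "env": {
      "OKTA_SCOPES": "okta.users.read okta.groups.manage",
      "OKTA_PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----"
    }
  },
  "okta-device": {
    "command": "docker",
    "args": ["run", "-i", "--rm",
             "-v", "okta-keyring:/home/appuser/.local/share/python_keyring",
             "-e", "PYTHON_KEYRING_BACKEND=keyrings.alt.file.PlaintextKeyring",
             "okta-mcp-server"],
    "env": {"OKTA_SCOPES": "okta.users.read okta.groups.read"}
  }
}}
""")


def audit_mcp_config(config):
    """Return sorted (server, finding) tuples for an mcpServers config."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        # Values reach the container via "env" or via "-e KEY=value" args.
        inline = dict(a.split("=", 1) for a in server.get("args", [])
                      if "=" in a and not a.startswith("-"))
        merged = {**inline, **server.get("env", {})}
        if "PRIVATE KEY-----" in merged.get("OKTA_PRIVATE_KEY", ""):
            findings.append((name, "private key stored inline in client config"))
        if merged.get("PYTHON_KEYRING_BACKEND", "").endswith("PlaintextKeyring"):
            findings.append((name, "tokens persisted by a plaintext keyring backend"))
        for scope in merged.get("OKTA_SCOPES", "").split():
            # Assumption: a scope with no "read" component is write-capable.
            if "read" not in scope.split("."):
                findings.append((name, f"non-read scope granted: {scope}"))
    return sorted(findings)


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

To check a real file, load it with `json.load` and pass the result to `audit_mcp_config`; an empty list means none of the three conditions matched.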

VS Code with Docker (Private Key JWT - Recommended for Docker):

{
  "mcp": {
    "inputs": [
      {
        "type": "promptString",
        "description": "Okta Organization URL (e.g., https://dev-123456.okta.com)",
        "id": "OKTA_ORG_URL"
      },
      {
        "type": "promptString",
        "description": "Okta Client ID",
        "id": "OKTA_CLIENT_ID",
        "password": true
      },
      {
        "type": "promptString",
        "description": "Okta Scopes (separated by whitespace)",
        "id": "OKTA_SCOPES"
      },
      {
        "type": "promptString",
        "description": "Okta Private Key (for browserless auth)",
        "id": "OKTA_PRIVATE_KEY",
        "password": true
      },
      {
        "type": "promptString",
        "description": "Okta Key ID (for browserless auth)",
        "id": "OKTA_KEY_ID",
        "password": true
      }
    ],
    "servers": {
      "okta-mcp-server": {
        "command": "docker",
        "args": [
          "run", "-i", "--rm",
          "-e", "OKTA_ORG_URL=${input:OKTA_ORG_URL}",
          "-e", "OKTA_CLIENT_ID=${input:OKTA_CLIENT_ID}",
          "-e", "OKTA_SCOPES=${input:OKTA_SCOPES}",
          "-e", "OKTA_PRIVATE_KEY=${input:OKTA_PRIVATE_KEY}",
          "-e", "OKTA_KEY_ID=${input:OKTA_KEY_ID}",
          "okta-mcp-server"
        ]
      }
    }
  }
}

VS Code with Docker (Device Authorization Grant):

Note: Device Authorization requires manual browser interaction. When the server starts, check the MCP output panel for the authentication URL, then copy and paste it into your browser.

{
  "mcp": {
    "inputs": [
      {
        "type": "promptString",
        "description": "Okta Organization URL (e.g., https://dev-123456.okta.com)",
        "id": "OKTA_ORG_URL"
      },
      {
        "type": "promptString",
        "description": "Okta Client ID",
        "id": "OKTA_CLIENT_ID",
        "password": true
      },
      {
        "type": "promptString",
        "description": "Okta Scopes (separated by whitespace)",
        "id": "OKTA_SCOPES"
      }
    ],
    "servers": {
      "okta-mcp-server": {
        "command": "docker",
        "args": [
          "run", "-i", "--rm",
          "-v", "okta-keyring:/home/appuser/.local/share/python_keyring",
          "-e", "OKTA_ORG_URL=${input:OKTA_ORG_URL}",
          "-e", "OKTA_CLIENT_ID=${input:OKTA_CLIENT_ID}",
          "-e", "OKTA_SCOPES=${input:OKTA_SCOPES}",
          "-e", "PYTHON_KEYRING_BACKEND=keyrings.alt.file.PlaintextKeyring",
          "okta-mcp-server"
        ]
      }
    }
  }
}

Alternatively, use docker-compose (requires .env file):

{
  "mcp": {
    "servers": {
      "okta-mcp-server": {
        "command": "docker-compose",
        "args": [
          "-f",
          "/path/to/okta-mcp-server/docker-compose.yml",
          "run",
          "--rm",
          "okta-mcp-server"
        ]
      }
    }
  }
}

Alternatively, build and run directly:

# Build the image
docker build -t okta-mcp-server .

# Run the container
docker run -i --rm \
  -e OKTA_ORG_URL="<OKTA_ORG_URL>" \
  -e OKTA_CLIENT_ID="<OKTA_CLIENT_ID>" \
  -e OKTA_SCOPES="<OKTA_SCOPES>" \
  okta-mcp-server

📦 Option 2: uv (Python Package Manager)

  1. Clone and install the server:

    git clone https://github.com/okta/okta-mcp-server.git
    cd okta-mcp-server
    uv sync
    
  2. Configure Claude Desktop by adding the following to your claude_desktop_config.json:

    {
      "mcpServers": {
        "okta-mcp-server": {
          "command": "uv",
          "args": [
            "run",
            "--directory",
            "/path/to/okta-mcp-server",
            "okta-mcp-server"
          ],
          "env": {
            "OKTA_ORG_URL": "<OKTA_ORG_URL>",
            "OKTA_CLIENT_ID": "<OKTA_CLIENT_ID>",
            "OKTA_SCOPES": "<OKTA_SCOPES>",
            "OKTA_PRIVATE_KEY": "<PRIVATE_KEY_IF_NEEDED>",
            "OKTA_KEY_ID": "<KEY_ID_IF_NEEDED>"
          }
        }
      }
    }
    

Configure with Different MCP Clients

VS Code

Add the following to your VS Code settings.json:

{
  "mcp": {
    "inputs": [
      {
        "type": "promptString",
   

---

*README truncated. [View full README on GitHub](https://github.com/okta/okta-mcp-server).*
