Okta MCP Server for Claude

Content

Okta MCP Server is Okta's official self-hosted Model Context Protocol server for connecting Claude and other MCP-capable clients to Okta Admin Management APIs. It runs locally through the okta/okta-mcp-server Python project, uses Okta's Python SDK, and authenticates to an Okta org with either Device Authorization Grant for interactive use or Private Key JWT for browserless automation.

Use it when an identity, IT, security, or platform team wants Claude to inspect or administer Okta resources with explicit API scopes: users, groups, applications, policies, System Logs, brands, email templates, custom domains, email domains, and device assurance policies. Because the tool surface can be read-only or mutating depending on the granted scopes, start with read scopes and add manage scopes only for a reviewed workflow.

Features

• Official Okta Developer concept page and setup guides for the MCP server.
• Public okta/okta-mcp-server source repository under Apache-2.0.
• Self-hosted stdio MCP server that can run with uv, Docker, or Docker Compose.
• Device Authorization Grant for interactive browser-based authentication.
• Private Key JWT for headless or automation use cases.
• Scope-based tool loading through OKTA_SCOPES.
• Runtime scope guard checks before API calls.
• Integration with Okta System Log for auditing and security investigation.
• MCP elicitation prompts for destructive operations when supported by the client, with fallback confirmation payloads for other clients.
• Tools for users, groups, applications, policies, logs, brands, templates, custom domains, email domains, and device assurance policy workflows.
• Troubleshooting support through debug logging and Okta System Log review.

Tool Surface

Okta's docs summarize the core capabilities as user management, group administration, application management, policy and security management, System Log monitoring, and brand customization. The source repository documents more specific scope-to-tool mappings.

Examples include read tools for users, groups, applications, policies, device assurance policies, logs, brands, email templates, custom domains, and email domains. Manage scopes unlock mutating tools such as creating users, updating groups, activating or deactivating applications, changing policies, replacing brand themes, deleting custom pages, sending test emails, and verifying domains.

The visible tools depend on the scopes granted in the Okta Admin Console and listed in OKTA_SCOPES. If a scope is missing, the corresponding tools should not appear to the model.

Installation

Clone and Install

Clone the official repository and install dependencies:

git clone https://github.com/okta/okta-mcp-server.git
cd okta-mcp-server
uv sync

Create the Okta app integration first, grant only the required Okta API scopes, and copy the resulting values into your MCP client configuration.

Read-Only Starter Config

Use a narrow configuration for first-time inspection. This example exposes user, group, and log read tools only:

{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/okta-mcp-server",
        "okta-mcp-server"
      ],
      "env": {
        "OKTA_ORG_URL": "https://your-org.okta.com",
        "OKTA_CLIENT_ID": "your-client-id",
        "OKTA_SCOPES": "okta.users.read okta.groups.read okta.logs.read"
      }
    }
  }
}

When the server starts with Device Authorization Grant, complete the browser authorization prompt with an Okta admin account that has the intended admin role.

Browserless Automation

For headless or CI/CD environments, configure an API Services app integration with Private Key JWT as described in Okta's authentication guide. Add OKTA_PRIVATE_KEY and OKTA_KEY_ID to the client environment only after the private key is stored securely and the app role and scopes have been reviewed.

Use Cases

• Ask Claude to list users matching a department or status filter before drafting an access cleanup plan.
• Review failed sign-in attempts or recent System Log events during incident triage.
• Inspect group membership and application assignments before a role or access change.
• Compare application configuration and inactive app usage before preparing an admin-console change.
• Generate a security audit summary from scoped System Log data.
• Draft user or group provisioning steps for manual approval.
• Manage brands, email templates, custom domains, or email domains in a non-production org after the relevant manage scopes are intentionally granted.
• Run a browserless automation workflow with Private Key JWT when interactive device authorization is not possible.

Safety Checklist

• Use a dedicated Okta app integration for MCP rather than reusing a broad admin app.
• Assign the smallest admin role and API scope set required for the task.
• Start with read scopes and add manage scopes only after approval.
• Keep OKTA_SCOPES in sync with the scopes granted on the app integration.
• Confirm the active Okta org before approving any tool call.
• Keep client approval prompts enabled for creates, updates, deletes, activations, deactivations, assignments, policy changes, domain changes, and email-template changes.
• Store Private Key JWT material in an approved secret manager or protected local secret store, never in the repository.
• Remove temporary Docker token volumes, debug logs, and local .env files when the workflow is complete.

Source Links

• Okta MCP concept docs: https://developer.okta.com/docs/concepts/mcp-server/
• Install guide: https://developer.okta.com/docs/guides/mcp-server/main/
• Authentication guide: https://developer.okta.com/docs/guides/configure-mcp-authentication/main/
• Start and test guide: https://developer.okta.com/docs/guides/start-mcp-server/main/
• Source repository: https://github.com/okta/okta-mcp-server
• MCP specification: https://modelcontextprotocol.io/specification/2025-06-18/