Skip to main content
mcpFirst-partyLow risk Safety Privacy
Stytch logo

Stytch MCP Server for Claude

Configure and manage Stytch authentication services and workspace settings

by Stytch·added 2025-09-18·
HarnessClaude CodeClaude Desktop

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://stytch.com/docs/resources/workspace-management/stytch-mcp-server, https://github.com/JSONbored/awesome-claude/blob/main/content/mcp/stytch-mcp-server.mdx
Brand
Stytch
Brand domain
stytch.com
Brand asset source
brandfetch
Package URL
/downloads/mcp/stytch-mcp-server.mcpb
Package SHA256
2669e215154068770a95ecb53f4b64a50fe86a076d8d0a6244e2f762153f949c
Safety notes
Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.
Privacy notes
User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.
Author
Stytch
Claim status
unclaimed
Last verified
2025-09-18

Decision playbook

Ready to evaluate for your workflow

Signals are comparatively strong, but you should still validate source, privacy posture, and package provenance for your environment.

Compare context
Selected

0

Current score

96

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as first-party.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Complete

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    Package marked verified.

    Done
  • Checksum metadata

    SHA-256 hash is present.

    Done

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

1 minute

Install command

Provided

Config snippet

Provided

Copy snippet

Provided

Prerequisites

10 to clear

Platforms

2 listed

Difficulty

11/100

Adoption plan

Balanced adoption plan

Current risk score 0/100. Use staged verification before broader rollout.

Risk 0

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    Package verification/checksum metadata is available.

    Done

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (6/6 signals complete).

Risk 0

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Present

Package integrity metadata is present.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

6/6 steps complete with no blocking gaps for this preset.

Risk 0

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is available.

Done

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

10 prerequisites to line up before setup. Have accounts and credentials ready first.

0/10 ready
Account & credentials5Configuration1Network & hosting2General21 minute

Safety & privacy surface

Safety & privacy surface

1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.

2 areas
  • SafetyPermissions & scopesRestrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.
  • PrivacyCredentials & tokensUser identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.

Safety notes

  • Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.

Privacy notes

  • User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.

Prerequisites

  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • Understanding of Stytch authentication concepts (magic links, OAuth, MFA, sessions)
  • Stytch Dashboard access (for API key management and redirect URL configuration)
  • Claude Desktop 0.7.0+ or Claude Code with MCP support
  • Understanding of test vs live environments (multiple test, single live per project)
  • Understanding of Stytch rate limits (per endpoint, per user/email/phone, 60 SMS OTP/hour in test)
  • Optional: Redirect URL configuration (for OAuth and magic link flows)

Schema details

Install type
package
Reading time
1 min
Difficulty score
11
Troubleshooting
Yes
Breaking changes
No
Package metadata
Package verified
Yes
SHA-256
2669e215154068770a95ecb53f4b64a50fe86a076d8d0a6244e2f762153f949c
Collection metadata
Estimated setup
1 minute
Difficulty
beginner
Full copyable content
{
  "stytch": {
    "url": "http://mcp.stytch.dev/mcp",
    "transport": "http"
  }
}

About this resource

Content

Manage Stytch authentication configurations and workspace settings for identity management. Configure authentication methods (magic links, OAuth, passwords, biometrics), manage redirect URLs and callbacks, customize email templates and branding, update security settings (MFA, sessions, policies), monitor authentication events and metrics, manage user sessions, configure B2B authentication (SSO, organizations), and set up fraud detection—all through natural language commands. Supports Basic authentication, test and live environments, and comprehensive identity management.

Features

  • Configure authentication methods and flows (magic links, OAuth, passwords, biometrics)
  • Manage redirect URLs and callbacks (OAuth and magic link redirects)
  • Customize email templates and branding (user-facing communications)
  • Update workspace security settings (MFA, session management, policies)
  • Monitor authentication events and metrics (analytics and security monitoring)
  • Manage user sessions and tokens (session lifecycle management)
  • Configure B2B authentication (SSO, organization management, RBAC)
  • Set up fraud detection and risk policies (security and compliance)
  • Advanced Stytch authentication and user management with passwordless authentication, session management, and multi-factor authentication
  • Batch operations support for efficient bulk user operations, authentication management, and session processing with automatic rate limit handling and retry logic
  • Real-time authentication synchronization capabilities with webhook integration support for monitoring Stytch events and triggering automated workflows

Use Cases

  • Configure authentication flows (magic links, OAuth, passwordless)
  • Update email templates for notifications (branding and user experience)
  • Manage redirect URLs for OAuth (callback URL configuration)
  • Set security policies and rules (MFA, session duration, access controls)
  • Test authentication methods (development and QA workflows)
  • Monitor authentication metrics and events (analytics and security)
  • Configure B2B SSO and organization management (enterprise authentication)
  • Manage user sessions and access tokens (session administration)
  • Build automated authentication workflows that sync external systems with Stytch for real-time user management and security operations

Installation

Claude Code

  1. Run: claude mcp add --transport http stytch http://mcp.stytch.dev/mcp
  2. Verify installation: claude mcp list
  3. Test connection: claude mcp status stytch
  4. Configure your Stytch project_id and secret (from Dashboard API Keys section)
  5. Authenticate with your Stytch account

Claude Desktop

  1. Open Claude Desktop configuration file (see configPath below)
  2. Add the Stytch server configuration with HTTP transport and URL
  3. Restart Claude Desktop
  4. Configure your Stytch project_id and secret (from Dashboard API Keys section)
  5. Authenticate with your Stytch account
  6. Verify connection in Claude Desktop

Requirements

  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • Understanding of Stytch authentication concepts (magic links, OAuth, MFA, sessions)
  • Stytch Dashboard access (for API key management and redirect URL configuration)
  • Claude Desktop 0.7.0+ or Claude Code with MCP support
  • Understanding of test vs live environments (multiple test, single live per project)
  • Understanding of Stytch rate limits (per endpoint, per user/email/phone, 60 SMS OTP/hour in test)
  • Optional: Redirect URL configuration (for OAuth and magic link flows)

Configuration

{
  "stytch": {
    "url": "http://mcp.stytch.dev/mcp",
    "transport": "http"
  }
}

Examples

Add new redirect URL for production

Common usage pattern for this MCP server

Ask Claude: "Add new redirect URL for production"

Update password reset email template

Common usage pattern for this MCP server

Ask Claude: "Update password reset email template"

Configure MFA settings

Common usage pattern for this MCP server

Ask Claude: "Configure MFA settings"

Show authentication metrics for this week

Common usage pattern for this MCP server

Ask Claude: "Show authentication metrics for this week"

Authenticate User

Authenticate a user using Stytch magic link with session duration

// Authenticate user with Stytch
const session = await stytch.magicLinks.authenticate({
  token: "magic-link-token",
  session_duration_minutes: 60,
});

Security

  • Basic authentication for secure access (project_id and secret from Dashboard)
  • Test in Stytch test environment before production (safe testing environment)
  • Regular security audits (monitor authentication patterns and access)
  • Monitor failed authentication attempts (fraud detection and security)
  • API key security (never expose secrets in client-side code or public repositories)
  • Stytch API keys and secret keys must be securely stored and never exposed in client-side code or public repositories - use environment variables and secure credential management
  • Stytch secret keys should be scoped with minimal required permissions following the principle of least privilege - regularly audit API key permissions and remove unused keys
  • Stytch user, session, and organization IDs may expose user data and authentication information - ensure Stytch resource identifiers are kept private and not shared in public configurations
  • Rate limiting and API quota management are critical for Stytch MCP servers - implement proper rate limit handling, retry logic, and quota monitoring to prevent service disruption
  • Stytch webhook configurations and payloads may contain sensitive user data and authentication information - ensure webhook endpoints are properly secured with authentication and HTTPS encryption

Troubleshooting

Rate limit exceeded - 429 error returned

Stytch enforces rate limits per endpoint and per user/email/phone number separately. Test environment example: 60 SMS OTP codes per hour per project. Check error response for Retry-After header to know when to retry. Implement exponential backoff for retries (wait time increases with each retry). Review Stytch rate limits documentation for specific endpoint limits. Check Event logs in Stytch Dashboard to investigate context around 429 errors. Contact Stytch support (support@stytch.com) for rate limit increases or if receiving unexpected 429 errors during legitimate user flows. Monitor for suspicious user activity that may trigger per-user rate limits.

Invalid redirect URL or scheme error

Redirect URLs must be configured in Stytch Dashboard under redirect_urls section. Production requires https:// scheme (never http:// except for localhost loopback). Development can use http://localhost for local testing. Verify URL exact match (case-sensitive, must match exactly). Check no duplicate redirect URLs configured. Ensure URL is added to correct project environment (test vs live). For OAuth flows, URL must match one of the configured redirect URLs exactly. Common error: no_match_for_provided_oauth_url indicates URL not in Dashboard configuration.

Misconfigured client or redirect URL not allowed

Ensure client has valid redirect_urls configured in Stytch Dashboard. Public clients require proper scheme: https:// for production, http://localhost only for localhost loopback. Localhost restrictions apply to certain client types. Verify client ID matches project (check project_id in client configuration). Check redirect URL types match intended use (LOGIN, SIGNUP, INVITE, DISCOVERY for B2B). Ensure default redirect URLs are set if not providing URL in request. Review client configuration in Dashboard for any restrictions.

Authentication failed or project access denied

Verify API keys match environment: test environment credentials for test API calls, live credentials for production. Check project_id and secret from Stytch Dashboard (API Keys section). Ensure user has project access permissions in Dashboard. Re-generate API keys if compromised. Review project security settings in Dashboard. Verify Basic authentication format: Basic <base64-encoded-project_id:secret>. Check that credentials are for correct environment (multiple test environments available, single live environment). Ensure API keys are not revoked or expired.

Stytch MCP server authentication errors with API keys

Verify API keys (Project ID and Secret) are valid and not expired. Check API keys match the correct environment (test vs live). Ensure API key format is correct. For webhook verification, verify webhook signing secret matches.

Stytch rate limit errors when processing multiple authentication requests

Implement exponential backoff retry logic with jitter. Use Stytch API rate limit headers to monitor usage. Reduce concurrent requests. Cache frequently accessed user data. Stytch allows 100 requests per second per project.

Stytch user or session access denied errors

Verify API keys have access to the user or session. Check project permissions and organization membership. Ensure API keys have required permissions for target operations.

Stytch MCP server connection timeouts or network errors

Check network connectivity and firewall settings. Verify Stytch API endpoints are accessible. Increase request timeout values. Implement connection pooling and retry mechanisms with exponential backoff.

Source citations

Add this badge to your README

Show that Stytch MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/stytch-mcp-server.svg)](https://heyclau.de/entry/mcp/stytch-mcp-server)

How it compares

Stytch MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

2 trust signals differ across this comparison (Package trust, Submitter).

Field

Configure and manage Stytch authentication services and workspace settings

Open dossier

Connect Claude to Auth0's official local MCP server for tenant administration, application setup, Actions, logs, forms, and scoped Management API workflows.

Open dossier

Official AWS Labs MCP server for AWS Identity and Access Management that lets AI assistants inspect and manage IAM users, roles, groups, policies, and access keys, with policy simulation and an opt-in read-only mode.

Open dossier

Manage your Descope identity project from Claude — search users, configure auth flows, inspect audit logs, manage tenants, and search Descope documentation — with the official Descope remote MCP server hosted at mcp.descope.com.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersMkDev11jaso0n0818
Install riskLow riskReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
BrandStytch logoStytchAWS Labs logoAWS Labs
Categorymcpmcpmcpmcp
Sourcefirst-partysource-backedsource-backedsource-backed
AuthorStytchAuth0AWS LabsDescope
Added2025-09-182026-06-052026-06-212026-06-18
Platforms
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Claude CodeClaude Desktop
Source repo
Safety notesRestrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.Auth0 documents the server as beta software. Treat command behavior, available tools, requested scopes, and client setup flows as subject to change until Auth0 publishes a stable release. Start with `--read-only` or a narrow `--tools` pattern such as `auth0_list_*,auth0_get_*`. Enable create, update, deploy, or publish tools only for a scoped task and an approved tenant. The server can expose tools for applications, APIs, client grants, Actions, logs, and forms. Some of those tools can change callback URLs, token settings, Actions code, branding, and other live authentication behavior. Review every mutating tool call before approving it. A mistaken tenant change can break sign-in, weaken security settings, deploy incorrect Actions, expose callback URLs, or affect production users. Keep token lifetime and Management API scopes as small as possible when using the client-credentials setup path. Revoke or rotate credentials that were created for temporary MCP work. Use `npx @auth0/auth0-mcp-server logout` when finished or when switching tenants so local authentication state is removed from the system keychain.Run with the `--readonly` flag (shown above) to block all mutating operations. Without it the server can create and delete IAM users, roles, groups, policies, and access keys — high-impact identity changes — so enable write access only deliberately and with scoped permissions. IAM controls account-wide access; a misused write operation can grant or revoke permissions broadly. Prefer non-production accounts while evaluating, and use policy simulation to test changes before applying them. This server acts on real IAM with your AWS credentials; scope the profile tightly and run it only on a trusted host.Sessions start in read-only mode. Write operations require explicit elevation and out-of-band one-time passcode confirmation — preventing accidental changes to production auth infrastructure. The server has access to your Descope project including user PII, tenant config, and auth secrets; scope usage to least-privilege workflows.
Privacy notesUser identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.The local MCP server can send selected tenant operations to the Auth0 Management API and return application metadata, API identifiers, Actions code, form configuration, log events, user identifiers, IP addresses, and authentication error details into the model conversation. Prompts, MCP client logs, Claude transcripts, terminal history, screenshots, and issue comments can retain Auth0 resource names, tenant domains, client IDs, redirect URLs, organization names, and troubleshooting details outside Auth0's normal audit and retention controls. Do not paste client secrets, access tokens, refresh tokens, private keys, production user records, password-reset links, session cookies, or full log payloads into the conversation. Auth0 says the server stores credentials in the system keychain and redacts sensitive response fields such as client secrets and tokens. Still review assistant output before copying it into tickets, commits, runbooks, or shared chats. The server collects anonymized analytics by default according to Auth0's README. Set `AUTH0_MCP_ANALYTICS=false` when analytics collection is not approved for the environment.IAM user/role/group names, ARNs, policy documents, and account metadata can be returned through tool calls and exposed to the model. Access key IDs and other identity material may appear in responses; never expose secret access keys, and keep account identifiers and policy contents out of public prompts, issues, and screenshots.User profiles, tenant configurations, auth flow definitions, audit log entries, and API key metadata from your Descope project are surfaced in Claude's context. Authenticated via your Descope account — no API keys stored in the MCP configuration.
Prerequisites
  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • Auth0 account and approval to connect an MCP client to the selected tenant.
  • Node.js 18 or newer with `npx` available to the MCP client.
  • MCP-capable client such as Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, or another stdio-compatible client.
  • Interactive browser access for the OAuth 2.0 device authorization setup flow, unless using the documented client-credentials path for private cloud tenants.
  • An AWS account with IAM access and permissions for the IAM read (and, if write is enabled, manage) operations you intend to use.
  • Python 3.10 or newer and `uv` / `uvx` installed (Astral) to run the package.
  • AWS credentials configured locally (for example via `aws configure` or `AWS_PROFILE`) scoped least-privilege; read-only IAM permissions are enough for the recommended `--readonly` mode.
  • An MCP client that supports stdio servers; the server runs locally on the same host as the client.
  • A Descope account — authenticate via your Descope account when prompted on first tool use.
  • An MCP client such as Claude Code or Claude Desktop.
Install
claude mcp add --transport http stytch http://mcp.stytch.dev/mcp && claude mcp list
npx @auth0/auth0-mcp-server init --read-only
uvx awslabs.iam-mcp-server@latest --readonly
claude mcp add --transport http descope https://mcp.descope.com
Config
{
  "mcpServers": {
    "stytch": {
      "url": "http://mcp.stytch.dev/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "auth0": {
      "command": "npx",
      "args": ["-y", "@auth0/auth0-mcp-server", "run", "--read-only"],
      "capabilities": ["tools"],
      "env": {
        "AUTH0_MCP_ANALYTICS": "false"
      }
    }
  }
}
{
  "mcpServers": {
    "awslabs.iam-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.iam-mcp-server@latest", "--readonly"],
      "env": {
        "AWS_PROFILE": "${AWS_PROFILE}",
        "AWS_REGION": "us-east-1",
        "FASTMCP_LOG_LEVEL": "ERROR"
      },
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "descope": {
      "type": "http",
      "url": "https://mcp.descope.com"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.