Auth0 MCP Server
Officialby
Provides a local MCP server that exposes Auth0 management operations as tools for AI assistants, enabling natural‑language control of Auth0 tenants.
Auth0 MCP Server Overview
What is Auth0 MCP Server about?
Enables AI models and agents (e.g., Claude Desktop, Cursor, Windsurf) to interact with the Auth0 Management API through a standardized set of tools, allowing natural‑language commands to create, read, update, or delete Auth0 resources.
How to Use Auth0 MCP Server?
- Install the server with npm via npx:
This launches the OAuth 2.0 device‑authorization flow; log in to your Auth0 tenant and grant the required scopes.npx @auth0/auth0-mcp-server init - Run the server (default: all tools):
Usenpx @auth0/auth0-mcp-server run--read‑onlyor--tools '<pattern>'to limit tool exposure, e.g.npx @auth0/auth0-mcp-server run --read‑only npx @auth0/auth0-mcp-server run --tools 'auth0_list_*,auth0_get_*' - Configure your MCP client (Claude Desktop, Cursor, etc.) to point to the local server as shown in the README. The client will automatically discover the available tools.
- Interact using natural language, e.g., “Create a new single‑page application called ‘Analytics Dashboard’” or “Show me recent login logs for IP 192.108.92.3”.
Key Features
- Tool‑based API surface: 30+ Auth0 operations (applications, resource servers, actions, logs, forms) exposed as individual tools.
- Granular access control via
--toolspatterns and--read‑onlyflag. - Secure credential storage in the system keychain; no plaintext tokens.
- Debug mode (
DEBUG=auth0-mcp) for detailed logging. - Cross‑client compatibility (Claude Desktop, Cursor, Windsurf, custom MCP clients).
- Beta notice: feature set may change; not recommended for production workloads.
Use Cases
- AI‑assisted tenant management: developers ask an LLM to provision new apps, update callbacks, or delete unused resources.
- Log analysis: ask the model to surface recent failed logins, filter by IP or user.
- Action deployment: create and deploy custom Auth0 actions directly from natural language.
- Resource‑server configuration: define new APIs, adjust scopes, or rotate signing algorithms.
- Form customization: generate or update login/signup forms without manual API calls.
FAQ
Q: Is this production‑ready? A: The server is currently in beta. It is suitable for development, testing, and proof‑of‑concepts but not recommended for critical production workloads.
Q: How can I restrict the server to read‑only operations?
A: Use the --read‑only flag when starting the server, e.g., npx @auth0/auth0-mcp-server run --read‑only. This overrides any --tools pattern.
Q: Do I need to provide an API key? A: No. Authentication is performed via the OAuth 2.0 device flow, and tokens are stored securely in your OS keychain.
Q: How do I change the scopes granted to the server?
A: Re‑run npx @auth0/auth0-mcp-server init --scopes '<pattern>' and select the desired scopes interactively or via glob patterns.
Q: Where are debug logs written?
A: Enable DEBUG=auth0-mcp and view logs in the console or via tail -f ~/Library/Logs/Claude/mcp*.log on macOS.
Q: How do I stop the server and clear credentials?
A: Press Ctrl+C to stop the process and run npx @auth0/auth0-mcp-server logout to remove the stored token.
Auth0 MCP Server's README
📚 Documentation • 🚀 Getting Started • 💻 Supported Tools • 💬 Feedback
MCP (Model Context Protocol) is an open protocol introduced by Anthropic that standardizes how large language models communicate with external tools, resources or remote services.
[!CAUTION] Beta Software Notice: This software is currently in beta and is provided AS IS without any warranties.
- Features, APIs, and functionality may change at any time without notice
- Not recommended for production use or critical workloads
- Support during the beta period is limited
- Issues and feedback can be reported through the GitHub issue tracker
By using this beta software, you acknowledge and accept these conditions.
The Auth0 MCP Server integrates with LLMs and AI agents, allowing you to perform various Auth0 management operations using natural language. For instance, you could simply ask Claude Desktop to perform Auth0 management operations:
-
Create a new Auth0 app and get the domain and client ID
-
Create and deploy a new Auth0 action to generate a JWT token
-
Could you check Auth0 logs for logins from 192.108.92.3 IP address?
🚀 Getting Started
Prerequisites:
- Node.js v18 or higher
- Claude Desktop or any other MCP Client
- Auth0 account with appropriate permissions
Install the Auth0 MCP Server
Install Auth0 MCP Server and configure it to work with your preferred MCP Client. The --tools parameter specifies which tools should be available (defaults to * if not provided).
Claude Desktop with all tools
npx @auth0/auth0-mcp-server init
Claude Desktop with read-only tools
npx @auth0/auth0-mcp-server init --read-only
You can also explicitly select read-only tools:
npx @auth0/auth0-mcp-server init --tools 'auth0_list_*,auth0_get_*'
Windsurf
npx @auth0/auth0-mcp-server init --client windsurf
Cursor
Step 1:
Step 2:
npx @auth0/auth0-mcp-server init --client cursor
With limited tools access
npx @auth0/auth0-mcp-server init --client cursor --tools 'auth0_list_applications,auth0_get_application'
Other MCP Clients
To use Auth0 MCP Server with any other MCP Client, you can manually add this configuration to the client and restart for changes to take effect:
{
"mcpServers": {
"auth0": {
"command": "npx",
"args": ["-y", "@auth0/auth0-mcp-server", "run"],
"capabilities": ["tools"],
"env": {
"DEBUG": "auth0-mcp"
}
}
}
}
You can add --tools '<pattern>' to the args array to control which tools are available. See Security Best Practices for recommended patterns.
Authorize with Auth0
Your browser will automatically open to initiate the OAuth 2.0 device authorization flow. Log into your Auth0 account and grant the requested permissions.
[!NOTE] Credentials are securely stored in your system's keychain. You can optionally verify storage through your keychain management tool. Check out Authentication for more info.
Verify your integration
Restart your MCP Client (Claude Desktop, Windsurf, Cursor, etc.) and ask it to help you manage your Auth0 tenant
🛠️ Supported Tools
The Auth0 MCP Server provides the following tools for Claude to interact with your Auth0 tenant:
Applications
| Tool | Description | Usage Examples |
|---|---|---|
auth0_list_applications |
List all applications in the Auth0 tenant or search by name | - Show me all my Auth0 applications - Find applications with 'api' in their name - What applications do I have in my Auth0 tenant? |
auth0_get_application |
Get details about a specific Auth0 application | - Show me details for the application called 'Customer Portal' - Get information about my application with client ID abc123 - What are the callback URLs for my 'Mobile App'? |
auth0_create_application |
Create a new Auth0 application | - Create a new single-page application called 'Analytics Dashboard' - Set up a new native mobile app called 'iOS Client' - Create a machine-to-machine application for our background service |
auth0_update_application |
Update an existing Auth0 application | - Update the callback URLs for my 'Web App' to include https://staging.example.com/callback - Change the logout URL for the 'Customer Portal' - Add development environment metadata to my 'Admin Dashboard' application |
Resource Servers
| Tool | Description | Usage Examples |
|---|---|---|
auth0_list_resource_servers |
List all resource servers (APIs) in the Auth0 tenant | - Show me all the APIs in my Auth0 tenant - List my resource servers - What APIs have I configured in Auth0? |
auth0_get_resource_server |
Get details about a specific Auth0 resource server | - Show me details for the 'User API' - What scopes are defined for my 'Payment API'? - Get information about the resource server with identifier https://api.example.com" |
auth0_create_resource_server |
Create a new Auth0 resource server (API) | - Create a new API called 'Inventory API' with read and write scopes - Set up a resource server for our customer data API - Create an API with the identifier https://orders.example.com" |
auth0_update_resource_server |
Update an existing Auth0 resource server | - Add an 'admin' scope to the 'User API' - Update the token lifetime for my 'Payment API' to 1 hour - Change the signing algorithm for my API to RS256 |
Actions
| Tool | Description | Usage Examples |
|---|---|---|
auth0_list_actions |
List all actions in the Auth0 tenant | - Show me all my Auth0 actions - What actions do I have configured? - List the actions in my tenant |
auth0_get_action |
Get details about a specific Auth0 action | - Show me the code for my 'Enrich User Profile' action - Get details about my login flow action - What does my 'Add Custom Claims' action do? |
auth0_create_action |
Create a new Auth0 action | - Create an action that adds user roles to tokens - Set up an action to log failed login attempts - Create a post-login action that checks user location |
auth0_update_action |
Update an existing Auth0 action | - Update my 'Add Custom Claims' action to include department information - Modify the IP filtering logic in my security action - Fix the bug in my user enrichment action |
auth0_deploy_action |
Deploy an Auth0 action | - Deploy my 'Add Custom Claims' action to production - Make my new security action live - Deploy the updated user enrichment action |
Logs
| Tool | Description | Usage Examples |
|---|---|---|
auth0_list_logs |
List logs from the Auth0 tenant | - Show me recent login attempts - Find failed logins from the past 24 hours - Get authentication logs from yesterday - Show me successful logins for user john@example.com |
auth0_get_log |
Get a specific log entry by ID | - Show me details for log entry abc123 - Get more information about this failed login attempt - What caused this authentication error? |
Forms
| Tool | Description | Usage Examples |
|---|---|---|
auth0_list_forms |
List all forms in the Auth0 tenant | - Show me all my Auth0 forms - What login forms do I have configured? - List the custom forms in my tenant |
auth0_get_form |
Get details about a specific Auth0 form | - Show me the details of my 'Corporate Login' form - What does my password reset form look like? - Get the configuration for my signup form |
auth0_create_form |
Create a new Auth0 form | - Create a new login form with our company branding - Set up a custom signup form that collects department information - Create a password reset form with our logo |
auth0_update_form |
Update an existing Auth0 form | - Update the colors on our login form to match our new brand guidelines - Add a privacy policy link to our signup form - Change the logo on our password reset form |
auth0_publish_form |
Publish an Auth0 form | - Publish my updated login form - Make the new signup form live - Deploy the password reset form to production |
🔒 Security Best Practices for Tool Access
When configuring the Auth0 MCP Server, it's important to follow security best practices by limiting tool access based on your specific needs. The server provides flexible configuration options that let you control which tools AI assistants can access.
You can easily restrict tool access using the --tools and --read-only flags when starting the server:
# Enable only read-only operations
npx @auth0/auth0-mcp-server run --read-only
# Alternative way to enable only read-only operations
npx @auth0/auth0-mcp-server run --tools 'auth0_list_*,auth0_get_*'
# Limit to just application-related tools
npx @auth0/auth0-mcp-server run --tools 'auth0_*_application*'
# Limit to read-only application-related tools
# Note: --read-only takes priority when used with --tools
npx @auth0/auth0-mcp-server run --tools 'auth0_*_application*' --read-only
# Restrict to only log viewing capabilities
npx @auth0/auth0-mcp-server run --tools 'auth0_list_logs,auth0_get_log'
# Run the server with all tools enabled
npx @auth0/auth0-mcp-server run --tools '*'
[!IMPORTANT] When both
--read-onlyand--toolsflags are used together, the--read-onlyflag takes priority for security. This means even if your--toolspattern matches non-read-only tools, only read-only operations will be available. This ensures you can rely on the--read-onlyflag as a security guardrail.
This approach offers several important benefits:
-
Enhanced Security: By limiting available tools to only what's needed, you reduce the potential attack surface and prevent unintended modifications to your Auth0 tenant.
-
Better Performance: Providing fewer tools to AI assistants actually improves performance. When models have access to many tools, they use more of their context window to reason about which tools to use. With a focused set of tools, you'll get faster and more relevant responses.
-
Resource-Based Access Control: You can configure different instances of the MCP server with different tool sets based on specific needs - development environments might need full access, while production environments could be limited to read operations only.
-
Simplified Auditing: With limited tools, it's easier to track which operations were performed through the AI assistant.
For most use cases, start with the minimum set of tools needed and add more only when required. This follows the principle of least privilege - a fundamental security best practice.
🧪 Security Scanning
We recommend regularly scanning this server, and any other MCP-compatible servers you deploy, with community tools built to surface protocol-level risks and misconfigurations.
These scanners help identify issues across key vulnerability classes including: server implementation bugs, tool definition and lifecycle risks, interaction and data flow weaknesses, and configuration or environment gaps.
Useful tools include:
-
mcpscan.ai
Web-based scanner that inspects live MCP endpoints for exposed tools, schema enforcement gaps, and other issues. -
mcp-scan
CLI tool that simulates attack paths and evaluates server behavior from a client perspective.
These tools are not a substitute for a full audit, but they offer meaningful guardrails and early warnings. We suggest including them in your regular security review process.
If you discover a vulnerability, please follow our responsible disclosure process.
🕸️ Architecture
The Auth0 MCP Server implements the Model Context Protocol, allowing Claude to:
- Request a list of available Auth0 tools
- Call specific tools with parameters
- Receive structured responses from the Auth0 Management API
The server handles authentication, request validation, and secure communication with the Auth0 Management API.
[!NOTE] The server operates as a local process that connects to Claude Desktop, enabling secure communication without exposing your Auth0 credentials.
🔐 Authentication
The Auth0 MCP Server uses the Auth0 Management API and requires authentication to access your Auth0 tenant.
Initial Setup
To authenticate the MCP Server:
npx @auth0/auth0-mcp-server init
This will start the device authorization flow, allowing you to log in to your Auth0 account and select the tenant you want to use.
[!IMPORTANT] The
initcommand needs to be run whenever:
- You're setting up the MCP Server for the first time
- You've logged out from a previous session
- You want to switch to a different tenant
- Your token has expired
The
runcommand will automatically check for token validity before starting the server and will provide helpful error messages if authentication is needed.
Session Management
To see information about your current authentication session:
npx @auth0/auth0-mcp-server session
Logging Out
For security best practices, always use the logout command when you're done with a session:
npx @auth0/auth0-mcp-server logout
This ensures your authentication tokens are properly removed from the system keychain.
Authentication Flow
The server uses OAuth 2.0 device authorization flow for secure authentication with Auth0. Your credentials are stored securely in your system's keychain and are never exposed in plain text.
🩺 Troubleshooting
When encountering issues with the Auth0 MCP Server, several troubleshooting options are available to help diagnose and resolve problems.
Start troubleshooting by exploring all available commands and options:
npx @auth0/auth0-mcp-server help
🚥 Operation Modes
🐞 Debug Mode
- More detailed logging
- Enable by setting environment variable:
export DEBUG=auth0-mcp
[!TIP] Debug mode is particularly useful when troubleshooting connection or authentication issues.
🔑 Scope Selection
The server provides an interactive scope selection interface during initialization:
-
Interactive Selection: Navigate with arrow keys and toggle selections with spacebar
-
No Default Scopes: By default, no scopes are selected for maximum security
-
Glob Pattern Support: Quickly select multiple related scopes with patterns:
# Select all read scopes npx @auth0/auth0-mcp-server init --scopes 'read:*' # Select multiple scope patterns (comma-separated) npx @auth0/auth0-mcp-server init --scopes 'read:*,create:clients,update:actions'
[!NOTE] Selected scopes determine what operations the MCP server can perform on your Auth0 tenant.
⚙️ Configuration
Other MCP Clients:
To use Auth0 MCP Server with any other MCP Client, you can add this configuration to the client and restart for changes to take effect:
{
"mcpServers": {
"auth0": {
"command": "npx",
"args": ["-y", "@auth0/auth0-mcp-server", "run"],
"capabilities": ["tools"],
"env": {
"DEBUG": "auth0-mcp"
}
}
}
}
[!NOTE]
You can manually update if needed or if any unexpected errors occur during the npx init command.
🚨 Common Issues
-
Authentication Failures
- Ensure you have the correct permissions in your Auth0 tenant
- Try re-initializing with
npx @auth0/auth0-mcp-server init
-
Claude Desktop Can't Connect to the Server
- Restart Claude Desktop after installation
- Check that the server is running with
ps aux | grep auth0-mcp
-
API Errors or Permission Issues
- Enable debug mode with
export DEBUG=auth0-mcp - Check your Auth0 token status:
npx @auth0/auth0-mcp-server session - Reinitialize with specific scopes:
npx @auth0/auth0-mcp-server init --scopes 'read:*,update:*,create:*' - If a specific operation fails, you may be missing the required scope
- Enable debug mode with
-
Invalid Auth0 Configuration Error
- This typically happens when your authorization token is missing or expired
- Run
npx @auth0/auth0-mcp-server sessionto check your token status - If expired or missing, run
npx @auth0/auth0-mcp-server initto authenticate
[!TIP] Most connection issues can be resolved by restarting both the server and Claude Desktop.
📋 Debug logs
Enable debug mode to view detailed logs:
export DEBUG=auth0-mcp
Get detailed MCP Client logs from Claude Desktop:
# Follow logs in real-time
tail -n 20 -F ~/Library/Logs/Claude/mcp*.log
For advanced troubleshooting, use the MCP Inspector:
npx @modelcontextprotocol/inspector -e DEBUG='auth0-mcp' @auth0/auth0-mcp-server run
For detailed MCP Server logs, run the server in debug mode:
DEBUG=auth0-mcp npx @auth0/auth0-mcp-server run
👨💻 Development
Building from Source
# Clone the repository
git clone https://github.com/auth0/auth0-mcp-server.git
cd auth0-mcp-server
# Install dependencies
npm install
# Build the project
npm run build
# Initiate device auth flow
npx . init
# Configure your MCP Client (e.g. Claude Desktop) with MCP server path
npm run setup
Development Scripts
# Run directly with TypeScript (no build needed)
npm run dev
# Run with debug logs enabled
npm run dev:debug
# Run with MCP inspector for debugging
npm run dev:inspect
# Run the compiled JavaScript version
npm run start
[!NOTE] This server requires Node.js v18 or higher.
🔒 Security
The Auth0 MCP Server prioritizes security:
- Credentials are stored in the system's secure keychain
- No sensitive information is stored in plain text
- Authentication uses OAuth 2.0 device authorization flow
- No permissions (scopes) are requested by default
- Interactive scope selection allows you to choose exactly which permissions to grant
- Support for glob patterns to quickly select related scopes (e.g.,
read:*) - Easy token removal via
logoutcommand when no longer needed
[!IMPORTANT] For security best practices, always use
npx @auth0/auth0-mcp-server logoutwhen you're done with a session or switching between tenants. This ensures your authentication tokens are properly removed from the system keychain.
[!CAUTION] Always review the permissions requested during the authentication process to ensure they align with your security requirements.
Anonymized Analytics Disclosure
Anonymized data points are collected during the use of this MCP server. This data includes the MCP version, operating system, timestamp, and other technical details that do not personally identify you.
Auth0 uses this data to better understand the usage of this tool to prioritize the features, enhancements and fixes that matter most to our users.
To opt-out of this collection, set the AUTH0_MCP_ANALYTICS environment variable to false.
💬 Feedback and Contributing
We appreciate feedback and contributions to this project! Before you get started, please see:
Reporting Issues
To provide feedback or report a bug, please raise an issue on our issue tracker.
Vulnerability Reporting
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
📄 License
This project is licensed under the MIT license. See the LICENSE file for more info.
What is Auth0?
Auth0 MCP Server Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
Auth0 MCP Server's Information
- Author
- auth0
- Category
- Development Tools
- Language
- TypeScript
- License
- MIT License
- Version
- v0.1.0-beta.2
- Stars
- 72
- Updated
- 21 days ago
Configuration
{
"mcpServers": {
"auth0": {
"command": "npx",
"args": [
"-y",
"@auth0/auth0-mcp-server",
"run"
],
"env": {}
}
}
}Configure Clients
Similar MCP Servers like Auth0 MCP Server
Explore related MCPs that share similar capabilities and solve comparable challenges
Zed
OfficialClientby zed-industries
A high‑performance, multiplayer code editor designed for speed and collaboration.
Everything
Officialby modelcontextprotocol
Model Context Protocol Servers
Git
Officialby modelcontextprotocol
A Model Context Protocol server for Git repository interaction and automation.
Time
Officialby modelcontextprotocol
A Model Context Protocol server that provides time and timezone conversion capabilities.
Cline
OfficialClientby cline
An autonomous coding assistant that can create and edit files, execute terminal commands, and interact with a browser directly from your IDE, operating step‑by‑step with explicit user permission.
Continue
OfficialClientby continuedev
Enables faster shipping of code by integrating continuous AI agents across IDEs, terminals, and CI pipelines, offering chat, edit, autocomplete, and customizable agent workflows.
Context7 MCP
Officialby upstash
Provides up-to-date, version‑specific library documentation and code examples directly inside LLM prompts, eliminating outdated information and hallucinated APIs.
GitHub MCP Server
by github
Connects AI tools directly to GitHub, enabling natural‑language interactions for repository browsing, issue and pull‑request management, CI/CD monitoring, code‑security analysis, and team collaboration.
Daytona
by daytonaio
Provides a secure, elastic infrastructure that creates isolated sandboxes for running AI‑generated code with sub‑90 ms startup, unlimited persistence, and OCI/Docker compatibility.