authentik-mcp
MCP server for Authentik identity provider.
Install
{
  "mcpServers": {
    "authentik": {
      "command": "uvx",
      "args": ["--refresh", "--extra-index-url", "https://nikitatsym.github.io/authentik-mcp/simple", "authentik-mcp"],
      "env": {
        "AUTHENTIK_URL": "https://auth.example.com",
        "AUTHENTIK_TOKEN": "your-api-token"
      }
    }
  }
}
Where to paste:
- Claude Desktop — ~/Library/Application Support/Claude/claude_desktop_config.json
- Cursor — .cursor/mcp.json in your project
- Claude Code — ~/.claude.json top-level mcpServers
Or use the setup wizard to generate the config.
Getting an API token
Authentik admin panel → Directory → Tokens and App passwords → Create with API scope.
Groups
| Tool | Description |
|------|-------------|
| authentik_read | Users, groups, apps, tokens, providers, outposts, crypto, RBAC (read-only) |
| authentik_write | Create/update core resources (non-destructive) |
| authentik_delete | Delete operations across all domains (destructive) |
| authentik_flows_read | Flows, stages, policies, sources, events (read-only) |
| authentik_flows_write | Create/update auth pipeline config (non-destructive) |
| authentik_admin | Admin settings, system info, lifecycle |
Call any group with operation="help" to list available operations.
Application access control
Apps are open to all authenticated users until gated. Restrict an app to a group/user by binding it: CreatePolicyBinding(target=<app pk>, group=<group pk>) (or user=) in authentik_flows_write; inspect gates with ListPolicyBindings / ShowPolicyBinding in authentik_flows_read. Policy bindings live under the authentik_flows_* groups, not the core ones.
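
Because an app stays open until something is bound to it, it is worth auditing which apps have no effective gate. The sketch below is an added example, not part of authentik-mcp: it takes an application listing and a ListPolicyBindings result that you have already exported and reports the apps that remain open to every authenticated user. The record field names (pk, name, target, group, user, policy, enabled) and the rule that a disabled binding does not gate are assumptions; the sample data is constructed.

```python
# Added example: which applications does no effective binding restrict?
# Field names (pk, name, target, group, user, policy, enabled) are assumed.

def effective_gates(bindings):
    """Group the bindings that actually restrict access by target pk."""
    gates = {}
    for b in bindings:
        if not b.get("enabled", True):
            continue  # assumption: disabled bindings are skipped at evaluation
        if not any(b.get(k) for k in ("group", "user", "policy")):
            continue  # names no group, user or policy: nothing to enforce
        gates.setdefault(b["target"], []).append(b)
    return gates


def audit_apps(apps, bindings):
    """Return one row per application: who it is bound to, or open_to_all."""
    gates = effective_gates(bindings)
    rows = []
    for app in apps:
        bound = gates.get(app["pk"], [])
        rows.append({
            "app": app["name"],
            "open_to_all": not bound,
            "groups": sorted({b["group"] for b in bound if b.get("group")}),
            "users": sorted({b["user"] for b in bound if b.get("user")}),
        })
    return rows


# Constructed sample data, not output from a real Authentik instance.
APPS = [
    {"pk": "app-wiki", "name": "Wiki"},
    {"pk": "app-grafana", "name": "Grafana"},
    {"pk": "app-billing", "name": "Billing"},
]
BINDINGS = [
    {"target": "app-grafana", "group": "grp-sre", "enabled": True},
    {"target": "app-grafana", "user": 7, "enabled": True},
    # Disabled binding: Billing looks gated in a listing but is not.
    {"target": "app-billing", "group": "grp-finance", "enabled": False},
]

if __name__ == "__main__":
    for row in audit_apps(APPS, BINDINGS):
        status = "OPEN TO ALL" if row["open_to_all"] else "gated"
        print(f'{row["app"]:<10} {status:<12} {row["groups"]} {row["users"]}')
```

Apps bound only through a policy count as gated here but show empty group and user lists, so review those policies separately.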






