How to Use the Keycloak MCP in Claude Code

Q: What is the command to add the Keycloak MCP Server to Claude Code?

Run claude mcp add --transport http keycloak-server -- . Make sure you place all flags before the server name. The configuration saves directly to your /.claude.json file.

Q: Can I use this to manage authentication flows via CLI?

You can. Tools like listauthflows and createauthflow are fully supported. Your agent can script complex browser-based OIDC redirects entirely from a headless shell.

Q: Are my Keycloak admin credentials secure in the terminal?

Operations like getclientsecret return raw authentication material that could compromise your entire infrastructure. The Vinkius platform processes these requests inside an ephemeral, zero-trust sandbox, guaranteeing that your admin payloads are destroyed the millisecond the terminal session receives them.

Automate Keycloak tenant provisioning and IAM rollouts directly from your terminal using Claude Code.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Keycloak MCP to Claude Code

Create your Vinkius account to connect Keycloak to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Keycloak with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Headless Identity Provisioning

The Keycloak MCP Server hooks 34 administrative IAM tools directly into your terminal environment. When you run a deployment script, your agent can fire `create_realm` to stand up a new tenant, configure the identity broker, and exit without ever opening a browser. This transforms how you handle infrastructure as code. Instead of wrestling with Terraform providers for minor changes, you just tell Claude Code to add a new microservice. It runs `create_client`, pulls the credentials via `get_client_secret`, and injects them straight into your Kubernetes secrets.

Automated Audit and Remediation

Responding to security alerts usually means frantic clicking through the Keycloak admin UI. Now your agent can tail `list_admin_events` from the command line to detect brute force attempts in real time. If it spots an active attack on a specific tenant, Claude Code can immediately execute `logout_all_users` to kill existing sessions. It then runs `update_realm` to temporarily increase password policies or enforce MFA requirements before the attacker can pivot.

Keycloak MCP Server CI/CD Pipelines

Pipeline integration is where this terminal-first approach shines. You can embed a headless agent in your GitHub Actions to run `list_client_roles` and verify that your staging environment matches your production security matrix. During a teardown phase of an ephemeral environment, the agent handles the cleanup automatically. It executes `delete_client` for the temporary app registrations and runs `delete_group` to remove test data, leaving your persistent identity store untouched.

Setup guide

Set up Keycloak MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see keycloak-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest Keycloak transactions." It will automatically discover and invoke the available Keycloak tools.

Terminal

claude mcp add --transport http keycloak-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the Keycloak MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "keycloak-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Keycloak. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Keycloak now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Keycloak MCP in Claude Code

Run `claude mcp add --transport http keycloak-server -- `. Make sure you place all flags before the server name. The configuration saves directly to your `~/.claude.json` file.

Yes. You can trigger a cron job that wakes up the agent, tells it to run `partial_export_realm`, and pipes the resulting JSON into an S3 bucket for backup purposes.

The MCP server manages the underlying admin client session and handles token refreshes automatically. Your terminal agent just calls tools like `list_users` or `get_role`, and the server ensures the request is authenticated.

You can. Tools like `list_auth_flows` and `create_auth_flow` are fully supported. Your agent can script complex browser-based OIDC redirects entirely from a headless shell.

Operations like `get_client_secret` return raw authentication material that could compromise your entire infrastructure. The Vinkius platform processes these requests inside an ephemeral, zero-trust sandbox, guaranteeing that your admin payloads are destroyed the millisecond the terminal session receives them.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript