WorkOS MCP. Manage Identity Sync and Compliance via Chat.
Works with every AI agent you already use
…and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
WorkOS MCP Server connects your AI agent directly to your enterprise identity infrastructure. It lets you manage organizations, audit compliance logs, and monitor SSO/directory sync status through natural conversation.
Forget clicking through dashboards—your agent handles complex IAM tasks like listing all tenants or checking if an Okta connection is healthy.
What your AI agents can do
Create workos organization
Creates a new organization record by providing the name and authorized domains.
Get audit log events
Retrieves all tracked audit log events for a specified organization ID.
Get directory details
Pulls metadata and details for a specific directory instance (e.g., Okta, Azure AD).
Retrieves a stream of historical events (log entries) tied to a specific organization.
Gets detailed metadata and current status for any configured Single Sign-On link.
Retrieves a complete list of all organizations (tenants) managed within your WorkOS account.
Lists every single user synced from an external directory, giving you the current employee roster.
Allows you to create new organization records and verify authorized domains for expansion planning.
WorkOS MCP Server: 10 Tools for IAM Management
Use these ten tools to control organization creation, audit logs, directory details retrieval, and managing all aspects of your enterprise identity structure via chat.
create workos organization
Creates a new organization record by providing the name and authorized domains.
get audit log events
Retrieves all tracked audit log events for a specified organization ID.
get directory details
Pulls metadata and details for a specific directory instance (e.g., Okta, Azure AD).
get organization details
Gets the full current details for one specific organization record.
get sso connection details
Retrieves detailed information about a single Single Sign-On connection.
list directories
Lists all active directory synchronization instances configured in WorkOS.
list directory groups
Retrieves a list of all user groups synced from a specified external directory source.
list directory users
Lists every active user account synced into WorkOS from an external directory.
list sso connections
Displays a summary list of all currently configured SSO connections across the tenant.
list workos organizations
Provides a complete directory listing of every organization within the WorkOS account.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with WorkOS, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
WorkOS lets your AI agent talk directly to your enterprise identity stack. You'll use this server to manage organizations, audit compliance logs, and check SSO status—all through natural conversation. Forget clicking around dashboards; your agent handles complex Identity and Access Management (IAM) tasks, giving you a full view of what’s going on.
Organization Structure Management
You can get the complete list of every organization in your WorkOS account using list_workos_organizations. If you need deep details on one specific tenant, get_organization_details pulls all the current data. Want to set up a new client? You run create_workos_organization, providing both the name and authorized domains for that new record.
For more information about directory connections—like Okta or Azure AD—the tool get_directory_details provides metadata and specific details on those instances.
Directory Synchronization (User Rosters)
Your agent manages your entire user base without you touching a UI. You run list_directory_users to get every single active user account synced into WorkOS, giving you the current employee roster. The system also lets you see which groups are syncing by calling list_directory_groups, listing all user groups pulled from an external source.
If you need to know what sync directories are connected at all, list_directories gives you a list of every active synchronization instance.
SSO and Security Auditing
The security tools let you audit the system thoroughly. To see a summary of every configured Single Sign-On link across your entire tenant, use list_sso_connections. If you need to drill down into one specific connection—say, checking if that SAML or OIDC link is healthy—get_sso_connection_details retrieves all the detailed metadata for it.
For historical review, running get_audit_log_events pulls every tracked audit log event tied to a specific organization ID.
How It Works in Practice
Your agent doesn't just read data; it acts as your identity administrator. You ask it to list all tenants and create an org for the new subsidiary, then check that subsidiary's last 24 hours of audit logs. Need to know if the Okta connection is still good? It checks get_sso_connection_details instantly.
This capability means you bypass manual dashboard navigation entirely. You don't need to switch between ten different consoles; your AI client handles all these complex, interconnected IAM tasks through simple chat commands.
How WorkOS MCP Works
1. First, subscribe the AI client to the WorkOS MCP Server and plug in your API Key.
2. Next, prompt your agent with a natural language command, like 'List all active SSO connections.'
3. The agent runs the appropriate tool (e.g., list_sso_connections) and returns structured data that you can then read or process.
The bottom line is: your AI client executes complex API calls using specific tools, presenting you with clean, actionable results without needing to know the underlying WorkOS UI structure.
Who Is WorkOS MCP For?
This is for Ops Engineers and Security Analysts who get tired of clicking through ten different dashboards just to check if user sync worked. If you spend time manually cross-referencing SAML status with SCIM directory details, this is for you.
Runs get_audit_log_events and list_sso_connections to verify compliance logs and confirm all authentication pathways are correctly configured.
Uses get_organization_details or list_workos_organizations to quickly look up a customer's specific tenant ID or domain details during an incident call.
Runs list_directories and audits organization lists (list_workos_organizations) to plan out new enterprise features or check for needed data fields.
What Changes When You Connect
- Audit compliance logs instantly. Instead of digging through log files, run get_audit_log_events to see every security action taken against an organization.
- Verify SSO health in seconds. Use list_sso_connections to get a comprehensive list of all connections and then drill down with get_sso_connection_details for specific status checks.
- Maintain user accuracy. Never manually check the roster again; run list_directory_users to pull the full, current list of users synced from any directory.
- Track organizational growth. Quickly map out your client base by running list_workos_organizations, getting a clear ID and name for every tenant.
- Diagnose sync problems easily. Run list_directories first to identify all active HRIS sources, then use get_directory_details to check the specific connection health.
Real-World Use Cases
The Compliance Audit
A security team needs proof that user access changes are logged. They ask their agent: 'Show me all audit logs for Acme Corp.' The agent runs get_audit_log_events and returns a structured, time-stamped list of every login or permission change, satisfying the auditor instantly.
Onboarding a New Client
A Product Manager needs to know if they can support a new client domain. They ask their agent: 'List all organizations and check which domains are registered.' The agent runs list_workos_organizations and uses the available data to validate necessary parameters for expansion.
Troubleshooting Broken Sync
An Ops Engineer notices a group is missing. They run list_directories to confirm the source, then use list_directory_groups and get_directory_details to pinpoint exactly which connection broke or what metadata is wrong.
Full Roster Check
A support agent needs a user's full history. They ask the agent: 'Give me all users synced from the main HRIS.' The agent executes list_directory_users and returns the complete, up-to-date roster of accounts.
The Tradeoffs
Checking one org at a time
Logging into the WorkOS dashboard and manually clicking through 20 different organization tenants to check their status.
→
Don't do it manually. Just ask your agent: 'List all organizations in my WorkOS account.' It runs list_workos_organizations and gives you the full list instantly.
Assuming sync is working
Getting a user's name from one directory but assuming that means their SSO connection works.
→
You need to check both ends. First, run list_directory_users for the roster, then use get_sso_connection_details to verify the active link status.
Ignoring compliance scope
Asking 'What happened?' and getting a vague answer that requires hours of dashboard digging.
→
Be specific. Tell your agent: 'Show me all audit log events for the last week.' This triggers get_audit_log_events and pulls the exact security data you need.
When It Fits, When It Doesn't
Use this server if managing identity requires a single pane of glass view across multiple systems (directory, SSO, tenant structure). The key is consolidation: when you need to know who has access, where that user came from, and what they did last, this toolset works. Don't use it if your only goal is basic reporting on a single domain; in those cases, the built-in WorkOS UI might suffice. However, if you need to cross-reference an audit log event with the actual directory metadata (e.g., checking if a user listed via list_directory_users caused an entry in get_audit_log_events), this MCP Server is non-negotiable.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by WorkOS. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Checking enterprise identity status shouldn't require 20 clicks.
Right now, checking if a user sync failed means jumping from the directory dashboard to the SSO connection panel, then maybe logging into the audit section just to cross-reference IDs. You're copy-pasting tenant names and looking for status codes across four different views.
With this MCP server, you simply ask your agent: 'What is the sync status for Global Tech?' It runs multiple backend checks—like `list_directories` and `get_sso_connection_details`—and gives one clean answer. Period.
WorkOS MCP Server: Get a full user roster with list_directory_users.
Manually exporting and merging user lists from the directory sync UI, then checking those against the current organizational membership records is slow. It's error-prone work that takes minutes of tedious clicking.
Now, you ask your agent to run `list_directory_users`. The resulting roster is clean, structured data—ready for immediate analysis or database ingestion. That’s how fast it should be.
Common Questions About WorkOS MCP
How do I list all organizations in my WorkOS account using list_workos_organizations?
Run the list_workos_organizations tool. It returns a comprehensive JSON array containing every organization ID and name registered with your tenant.
What is the difference between listing directories and getting directory details using list_directories vs get_directory_details?
list_directories just shows you which sync sources are active. get_directory_details takes a specific ID (like Okta) and gives you deep metadata about that connection's capabilities and status.
Can I see all login attempts with get_audit_log_events?
Yes, get_audit_log_events retrieves a stream of events. You just need to specify the organization ID you want to audit.
How do I check if an SSO connection is active with get_sso_connection_details?
You run get_sso_connection_details and provide the connection ID. The output will explicitly state its current status (ACTIVE/INACTIVE) and metadata.
What should I use to get all users synced from a directory? Is it list_directory_users?
Yes, list_directory_users is the correct tool. It pulls the full roster of users that WorkOS currently recognizes from your connected SCIM source.
When should I use `create_workos_organization` to set up a new tenant?
You run this tool when you need to initialize an organization record. You must provide the desired name and a list of authorized domains for the account to function correctly. This establishes your foundational tenancy within WorkOS.
If I need group membership details, how do I use `list_directory_groups`?
Use list_directory_groups when you want a full catalog of synced groups from a directory. It returns the group names and IDs, letting your agent check role definitions before checking individual users.
What is the workflow for connections? Should I use `list_sso_connections` first?
Always run list_sso_connections first. This gives you a complete list of all active SSO IDs available in your account. Then, pass a specific ID from that list to get_sso_connection_details to check its current metadata.
Can I check the sync status of a specific company directory through the agent?
Yes. The get_directory_details tool allows your AI agent to retrieve the current sync status and metadata for any specific directory ID, helping you monitor whether employees are being correctly provisioned.
How do I see which users belong to a specific synced group?
You can use the list_directory_users tool and filter by the directory ID to see the full roster. For group-level information, use the list_directory_groups tool to see organizational units imported from the identity provider.
Is it possible to retrieve security audit logs via chat?
Absolutely. The get_audit_log_events tool retrieves a stream of events for any specific organization ID, giving you instant access to compliance-related activities directly through your conversation.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.