# Auth0 MCP

> Auth0 MCP connects your AI agent directly to your Identity and Access Management system. You manage users, clients, connections, and critical security logs—all through natural conversation. Stop clicking through complex dashboards; just talk to your infrastructure.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** iam, authentication, user-management, sso, identity-provider, security-logs

## Description

If managing user identities feels like navigating a maze of nested menus, this MCP changes that. It turns your AI agent into an operator for your Auth0 tenant. Need to check whether a specific client application has the right security boundaries? Just ask. Curious why logins are failing across the board? Your agent pulls the tenant log stream and points you at the failing event type and its source.

This MCP lets developers verify OAuth app configurations, and compliance officers confirm user deletion, without touching the console dashboard. It is about asking detailed security questions, such as which RBAC roles exist or which external identities are linked to an account, and getting an immediate, accurate answer. The functionality is managed through Vinkius; what the agent can read and change is bounded by the scopes on the Management API token you supply, so grant only the scopes the tools you enable actually need.

## Tools

### delete_user
Permanently deletes a user profile and all identities linked to it, to meet data privacy requirements. The deletion cannot be undone, so confirm the `user_id` with `get_user` first.

### get_client
Retrieves the settings for a single application, including callback URLs, allowed web origins, grant types and token lifetimes.

### get_connection
Views the parameters set for one authentication connection: its strategy, options such as password policy or attribute validation, and, for enterprise connections, the email domains that route users to it.

### get_user
Retrieves a user's unified profile JSON, including linked identities and the editable `app_metadata` and `user_metadata` blocks.

### list_actions
Lists the Actions deployed in the tenant: Node.js functions that run at trigger points such as post-login, and which can deny a login or push profile data to external systems like a CRM.

### list_clients
Shows a list of all logical applications and clients configured across the entire Auth0 tenant.

### list_connections
Lists every connection configured in the tenant, whether a database connection, a social provider such as Google or Apple, or an enterprise LDAP/AD setup.

### list_logs
Retrieves the tenant's log events in chronological order: successful and failed logins, API operations, rate-limit trips and administrative changes. The stream is paginated and only covers the tenant's log retention window, so treat it as the recent history rather than a permanent archive.

### list_roles
Lists the Role-Based Access Control (RBAC) roles defined in the tenant, that is, named bundles of API permissions that are assigned to users and surface as permissions in the access tokens issued for those APIs.

### list_users
Provides a simple list of every user registered in your tenant, along with basic attributes and creation timestamps.

## Prompt Examples

**Prompt:** 
```
List all configured Connections registered in our Auth0 tenant.
```

**Response:** 
```
Found 4 active connections bound to your tenant: a core Username-Password-Authentication database connection, a Google-Oauth2 social connection, an enterprise AD/LDAP connection for internal employees, and, unexpectedly, a test `apple-id` connection.
```

**Prompt:** 
```
Get the detailed JSON block surrounding user ID 'auth0|5ecc9f1...'
```

**Response:** 
```
Here is the unified profile for user `auth0|5ecc9f1...`. Notice that `app_metadata` marks them as a premium subscriber, and their last login was 26 hours ago from an IP geolocated to Toronto.
```

**Prompt:** 
```
Fetch the tenant logs and tell me why IPs are getting blocked.
```

**Response:** 
```
Reviewing tenant logs from the past 4 hours. There is a surge of `fapi` (Failed API Operation) events: roughly 300 near-identical requests from one AWS subnet were rejected for a missing or invalid `audience` parameter, and the same addresses went on to trip the brute-force protection threshold, which is why they are now blocked.
```

## Capabilities

### Audit User Identities
View a user's complete profile, including linked social accounts and internal metadata, all in one unified JSON block.

### Check Application Boundaries
Review the specific security settings for any configured application, like allowed web origins or token lifetimes.

### Trace Authentication Flows
See which Identity Providers (like Google or corporate LDAP) are connected and what strategies they use to authenticate users.

### Review System Security Logs
Retrieve a chronological stream of all security events, including failed logins, rate limit trips, and admin changes.

### Manage User Deletion
Permanently delete a user profile, ensuring all linked external credentials and metadata are cleared for compliance.

## Use Cases

### The Compliance Audit
A compliance officer needs to confirm that a high-risk user profile has been fully erased. They ask their agent, which first resolves the account with `get_user` so the right `user_id` is targeted, then runs `delete_user`; the deletion removes the profile, its linked identities and its metadata, and the corresponding log event gives an auditable record. Because the call is irreversible, the agent should state the `user_id` it is about to delete and wait for confirmation.

### Troubleshooting Login Failures
A developer is getting tickets about intermittent login failures. They ask their agent to run `list_logs`, which shows a sudden spike in failed login events originating from a specific subnet, letting them fix the root cause without guessing.
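The triage in this use case and in the "why are IPs getting blocked" prompt above can be reproduced offline. The following is an added example, not code from the Auth0 MCP page, Vinkius or Auth0: it takes log events in the shape the Management API returns (`date`, `type`, `ip`, `client_id`, `description`), counts failures per source IP inside a sliding window, and cross-checks them against the IPs Auth0 itself blocked. The sample events are constructed; the event type codes are Auth0's as I know them, so verify them against your tenant's log type reference before relying on the mapping.

```python
"""Offline triage of Auth0 log events: who is failing, how fast, and who got blocked.

Added example; not part of the Auth0 MCP or Vinkius. Events are constructed below.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Subset of Auth0 log event type codes (assumed from Auth0's log reference).
EVENT_TYPES = {
    "s": "Success Login",
    "f": "Failed Login",
    "fp": "Failed Login (Incorrect Password)",
    "fu": "Failed Login (Invalid Email/Username)",
    "fapi": "Failed API Operation",
    "sapi": "API Operation",
    "limit_mu": "Blocked IP Address",  # too many failed logins from one IP
    "limit_wc": "Blocked Account",     # attack protection blocked an account
}
FAILURE_TYPES = {"f", "fp", "fu", "fapi"}


def parse_ts(value):
    """Auth0 dates look like 2024-05-01T12:00:00.123Z; %f accepts 3 or 6 digits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def triage(events, window=timedelta(minutes=10), threshold=5):
    """Summarise failures per IP, flag IPs with >= threshold failures inside any
    `window`, and list the IPs Auth0 blocked (limit_mu) so the two can be compared."""
    by_type = Counter(e["type"] for e in events)
    failures_by_ip = defaultdict(list)
    blocked_ips = set()
    for e in events:
        if e["type"] in FAILURE_TYPES:
            failures_by_ip[e["ip"]].append(parse_ts(e["date"]))
        elif e["type"] == "limit_mu":
            blocked_ips.add(e["ip"])

    bursts = {}
    for ip, times in failures_by_ip.items():
        times.sort()
        best, lo = 0, 0
        # Sliding window over sorted timestamps: densest run of failures per IP.
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[ip] = best

    return {
        "by_type": dict(by_type),
        "bursting_ips": bursts,                     # our own detection
        "blocked_ips": sorted(blocked_ips),         # what Auth0 blocked
        # Blocked by Auth0 but not bursting in our window: worth a second look
        # (different window, or the block predates the retrieved logs).
        "blocked_without_burst": sorted(blocked_ips - set(bursts)),
    }


def _ev(offset_s, typ, ip, description, client_id="AbC123"):
    """Constructed log event; client_id is a placeholder, not a real tenant value."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    return {
        "date": (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "type": typ,
        "ip": ip,
        "client_id": client_id,
        "description": description,
    }


# Constructed sample: one subnet hammering the API without an audience, one
# ordinary user who mistyped a password once, then Auth0 blocking the noisy IP.
SAMPLE_EVENTS = (
    [_ev(10 * i, "fapi", "203.0.113.7", "Missing audience parameter") for i in range(8)]
    + [
        _ev(30, "fp", "198.51.100.4", "Wrong email or password"),
        _ev(45, "s", "198.51.100.4", ""),
        _ev(90, "limit_mu", "203.0.113.7", "Blocked IP Address"),
    ]
)

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for code, n in result["by_type"].items():
        print(f"{code:9} {EVENT_TYPES.get(code, '?'):40} {n}")
    print("bursting:", result["bursting_ips"])
    print("blocked: ", result["blocked_ips"])
```

The agent's narrative in the prompt example is just a rendering of this kind of summary; keeping the thresholds explicit lets you tune them to the tenant's real attack-protection settings rather than trusting a prose description of "a surge".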

### Onboarding New Features
An app developer needs to ensure a new application is configured securely. They use `get_client` to verify that the allowed callback URLs and web origins are restricted to approved environments rather than wildcards, and that the token lifetimes and grant types match what the app actually needs.

### Network Security Review
A security engineer suspects an unauthorized identity source. They run `list_connections`, which shows every configured connection at once, flagging any unexpected or forgotten enterprise-domain connection that needs review or removal.

## Benefits

- Compliance is faster. Instead of manually digging through tables to fulfil a 'right-to-be-forgotten' request, you use the `delete_user` tool and get the result back immediately.
- Debugging identity flows gets simpler. If a user can't log in, your agent reads the recent log stream with `list_logs` and points out whether it was a failed login, a rejected token request or an IP block.
- Auditing is no sweat. You don't need to know where to click to see what applications exist; just ask for all clients and get the list via `list_clients`.
- Understand a user's footprint instantly. Instead of browsing multiple tabs, you use `get_user` to pull a single JSON block that maps every external identity bound to one account.
- Security posture review is quick. You can query the tenant's roles using `list_roles` or inspect an application's settings using `get_client`, all without leaving your chat window.

## How It Works

The bottom line is you get immediate, structured access to complex identity data without manual searching or dashboard navigation.

1. Subscribe to this MCP and provide your Auth0 Domain and a Management API Token. Issue the token to a dedicated machine-to-machine application and grant it only the scopes the tools you enable need (for example `read:users`, `read:clients`, `read:connections`, `read:logs`, `read:roles`, `read:actions`); add `delete:users` only if you actually want the agent able to delete accounts, and rotate the token like any other credential.
2. Connect the service key to your preferred AI client (Claude, Cursor, etc.).
3. Ask your agent a security question or request data by speaking naturally to it.
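Before handing the token from step 1 to the MCP, it is worth checking that it carries no more than the tools need. The block below is an added example, not Vinkius or Auth0 code: it maps each tool to the Management API scope it plausibly requires (that mapping is my assumption, not something the page documents), decodes the token's payload, and reports missing scopes, excess scopes and any destructive scope present. The scope names and the `aud`/`scope` claim layout are those of Auth0 Management API tokens; the demo token is constructed and unsigned, and the decoder deliberately does not verify signatures, so use it only to inspect a token you already trust.

```python
"""Least-privilege check for the Management API token given to the MCP.

Added example; not part of the Auth0 MCP or Vinkius. Payload is decoded WITHOUT
signature verification: this inspects a token you hold, it does not authenticate one.
"""
import base64
import json

# Assumed tool -> Management API scope mapping (the page does not state this).
TOOL_SCOPES = {
    "get_user": {"read:users"},
    "list_users": {"read:users"},
    "delete_user": {"delete:users"},
    "get_client": {"read:clients"},
    "list_clients": {"read:clients"},
    "get_connection": {"read:connections"},
    "list_connections": {"read:connections"},
    "list_logs": {"read:logs"},
    "list_roles": {"read:roles"},
    "list_actions": {"read:actions"},
}
DESTRUCTIVE = {"delete:users"}


def required_scopes(enabled_tools):
    """Union of the scopes needed by the tools you actually enable."""
    return set().union(*(TOOL_SCOPES[t] for t in enabled_tools))


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Return the JWT payload as a dict. No signature check (see module docstring)."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def audit_token(jwt, enabled_tools, expected_aud):
    claims = token_claims(jwt)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    granted = set(claims.get("scope", "").split())
    needed = required_scopes(enabled_tools)
    return {
        "aud_ok": expected_aud in aud,
        "missing": sorted(needed - granted),      # tools that will fail
        "excess": sorted(granted - needed),       # blast radius you did not need
        "destructive": sorted(granted & DESTRUCTIVE),
    }


def make_unsigned_demo_token(claims):
    """Constructed, unsigned token for the offline demo (alg=none, empty signature).
    A real Management API token is RS256-signed by the tenant."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Placeholder tenant domain; substitute your own.
DEMO_AUD = "https://example-tenant.us.auth0.com/api/v2/"
READ_ONLY_TOOLS = [t for t in TOOL_SCOPES if t != "delete_user"]
DEMO_TOKEN = make_unsigned_demo_token({
    "iss": "https://example-tenant.us.auth0.com/",
    "aud": DEMO_AUD,
    "scope": "read:users read:clients read:connections read:logs read:roles "
             "read:actions update:users delete:users",
})

if __name__ == "__main__":
    print(json.dumps(audit_token(DEMO_TOKEN, READ_ONLY_TOOLS, DEMO_AUD), indent=2))
```

If `excess` or `destructive` is non-empty for a read-only deployment, reissue the token from an M2M application with only the needed scopes rather than relying on the agent to never call `delete_user`.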

## Frequently Asked Questions

**How does the Auth0 MCP handle data deletion?**
It handles it by calling the `delete_user` tool, which permanently removes the user, its linked identities and its metadata, satisfying privacy deletion requests. The action cannot be undone, so the agent should confirm the target `user_id` before calling it.

**Can I see which other services are connected to Auth0 using this MCP?**
Yes. You use the `list_connections` tool to view details on every attached Identity Provider (IdP), whether it's Google, Facebook, or an internal corporate LDAP.

**What if I need to check a user profile and see their external accounts?**
You run the `get_user` tool. This retrieves the unified JSON profile that lists all linked external identities alongside core attributes for that single account.

**Is the Auth0 MCP only useful for finding errors in logs?**
No, it's much broader. You can also use `list_roles` to audit authorization permissions and `get_client` to verify application security boundaries, not just look at failures.

**Does the MCP help me understand what custom logic is running in my app?**
Yes. You can use the `list_actions` tool to list every Action deployed in the tenant, which helps you spot logic you did not expect, such as an Action that denies logins under some condition or pushes profile data to an external service.