# Descope MCP for AI Agents MCP

> Descope MCP lets your AI agent manage complex user authentication flows directly from natural conversation. Test sign-ups, logins, and session management using OTPs (SMS, Email, Voice), Magic Links, OAuth providers like Google, or traditional passwords. It's built for developers who need to verify auth logic without leaving their terminal.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** authentication, otp, oauth, magic-link, user-management

## Description

Testing a new login flow used to mean spinning up test accounts in a dashboard, clicking through multiple redirect URLs, and manually checking logs. Now, you just talk to your AI agent. This MCP connects Descope’s full suite of authentication tools directly into your workflow. Your agent handles the complexity: initiating an SMS code, waiting for confirmation, then using that success token to verify the session. It covers everything from simple password signups (`auth_password_signup`) to advanced OAuth exchanges (`auth_oauth_exchange`). If you're building any application with user accounts, this makes testing those security boundaries trivial. When your team needs a comprehensive catalog of ways to test auth logic, Vinkius brings all these capabilities together in one place.

## Tools

### mgmt_create_access_key
Creates a new, unique access key for machine-to-machine operations.

### mgmt_create_permission
Defines and creates a specific permission within the platform's role structure.

### mgmt_create_role
Builds a new user role, grouping necessary permissions together.

### mgmt_create_tenant
Initializes and sets up an entirely new isolated tenant environment for testing.

### mgmt_create_user
Programmatically creates a new user account within the system.

### mgmt_delete_user
Removes an existing user account from your environment.

### auth_enchantedlink_poll
Checks if a session created by an Enchanted Link has been completed successfully.

### auth_enchantedlink_signup
Signs up a user using the secure, one-time use Enchanted Link method.

### auth_enchantedlink_verify
Validates an existing Enchanted Link token to confirm a session's legitimacy.

### auth_exchange_access_key
Trades an access key for a temporary, active JSON Web Token (JWT) session.

### auth_get_keys
Retrieves the public keys necessary to validate session tokens across your system.

### mgmt_get_user
Loads and retrieves a user's details using their unique login ID.

### mgmt_list_tenants
Lists all the tenant environments currently set up in your project.

### auth_magiclink_signup_email
Signs a user into or signs them up using a unique Magic Link sent to their email.

### auth_magiclink_verify
Validates the token received from a Magic Link, confirming successful access.

### auth_oauth_authorize
Starts the entire OAuth flow process with an external provider like Google.

### auth_oauth_exchange
Swaps a code obtained from an OAuth redirect for a permanent session JWT.

### auth_otp_signin_email
Signs in a user who provides an email-based One-Time Password (OTP).

### auth_otp_signup_email
Registers a new user account using a dedicated Email OTP code.

### auth_otp_signup_sms
Creates a brand-new user account using a One-Time Password sent via SMS text message.

### auth_otp_signup_voice
Registers a new user by verifying identity through a voice-based OTP system.

### auth_otp_verify_email
Validates an existing Email OTP code to authenticate the current user session.

### auth_otp_verify_sms
Confirms a user's identity by verifying an SMS-delivered One-Time Password.

### auth_otp_verify_voice
Verifies the authenticity of a Voice OTP code submitted during a session.

### auth_password_reset
Initiates and completes the process for resetting a user's forgotten password.

### auth_password_signin
Authenticates a user who signs in using their traditional username and password combination.

### auth_password_signup
Registers a new account by having the user set up a unique, strong password.

### mgmt_search_users
Search for users

### mgmt_update_user
Update an existing user

### auth_webauthn_signin_finish
Finish WebAuthn sign in

### auth_webauthn_signin_start
Start WebAuthn sign in

### auth_webauthn_signup_finish
Finish WebAuthn sign up

### auth_webauthn_signup_start
Start WebAuthn sign up

## Prompt Examples

**Prompt:** 
```
I need to simulate a full user onboarding process. Start with an SMS sign-up and then use that account to list their current details.
```

**Response:** 
```
**User Onboarding Simulation:**

1. **Signup initiated.** A unique OTP has been sent to the provided phone number.
2. **Verification pending.** Please provide the 6-digit code when prompted.
3. **Success!** User `test_user@example.com` is now active.

*System Output:* The user profile was successfully created with a default 'Basic' role and an active session JWT has been generated. You can now query their details using the system management tools.
```

**Prompt:** 
```
Start a login flow for my client, John Smith, using his Google account credentials.
```

**Response:** 
```
**OAuth Flow Initiated (Google):**

Please complete the authentication at this URL. Once redirected back, I will exchange the code.

*System Output:* Authentication successful. The user session JWT has been generated and is valid for 2 hours. We confirmed access rights via `auth_oauth_exchange`.
```

**Prompt:** 
```
I need to test what happens if a user tries to reset their password but only remembers the old username.
```

**Response:** 
```
**Password Reset Procedure:**

The system has initiated the password reset flow for 'john.smith@test.com'. A temporary verification link was sent via email.

Please click the link and set your new password. I've verified that this action successfully triggers a session renewal.
```

## Capabilities

### Test One-Time Password (OTP) Flows
Initiate and verify user accounts using email, SMS, or voice codes for sign-up and sign-in.

### Manage Secure Link Authentication
Send out secure Magic Links or Enchanted Links to onboard users remotely, then poll until the session is complete.

### Run OAuth Provider Workflows
Start third-party logins (like Google) and exchange authorization codes for active user sessions.

### Perform Basic User Credentials Signups
Handle standard sign-up or password resets using traditional username/password methods.

### Manage Platform Users and Roles
Create, read, update, and delete platform users, roles, permissions, and tenants for internal system testing.

## Use Cases

### Verifying Google OAuth Integration
A developer needs to confirm that connecting Google works correctly. They ask their agent, 'Run the Google OAuth flow.' The agent triggers `auth_oauth_authorize` and then uses `auth_oauth_exchange` to prove a valid session was created.

### Testing New OTP Methods
QA needs to validate voice authentication. They instruct the agent to 'Test new Voice OTP sign-up.' The MCP initiates the process (`auth_otp_signup_voice`) and then verifies a sample code using `auth_otp_verify_voice`.

### Onboarding a Test User Via Magic Link
A PM needs to simulate remote sign-up. They prompt the agent to 'Sign up user X with a Magic Link.' The MCP executes `auth_magiclink_signup_email` and then confirms the account is active using `auth_enchantedlink_poll`.

### Debugging Role Permissions
A developer changes a system role. They first run `mgmt_create_role` to set up the new role, create a test user with that role (`mgmt_create_user`), and then use a simple login flow to verify access.

## Benefits

- Test the full range of authentication methods, from traditional passwords to advanced OAuth redirects. You can initiate a flow using `auth_oauth_authorize` and immediately validate it with your agent.
- Streamline QA testing by automating multi-step verification. Instead of simulating clicks, your agent executes tool calls like `auth_magiclink_signup_email`, handles the code, and confirms the session status via `auth_enchantedlink_poll`.
- Handle user identity management in bulk. You can use tools like `mgmt_create_user` or `mgmt_list_tenants` to provision and de-provision test accounts quickly before running a full auth cycle.
- Cover all OTP scenarios: The agent handles both the initial signup (`auth_otp_signup_sms`) and subsequent verification steps (`auth_otp_verify_email`), giving you comprehensive coverage.
- Manage system permissions alongside user flow testing. Tools like `mgmt_create_role` let you ensure that a newly authenticated user has the correct access levels for their role.

## How It Works

The bottom line is that your AI agent acts as a fully functional QA engineer for your authentication stack, completing multi-step user journeys in real time.

1. First, subscribe to this MCP on Vinkius and provide your Descope Project ID and any necessary management keys.
2. Next, you prompt your AI client with a natural language request describing the user action—for example, 'Sign up a new test user using Google OAuth.'
3. Your agent executes the required tool sequence (like `auth_oauth_authorize`) and reports the result back to you: success confirmation, required inputs, or specific error codes.

## Frequently Asked Questions

**How do I test the entire user sign-up and login cycle with Descope MCP?**
You can initiate a full flow using your agent. For example, ask it to run an OAuth process; the system handles the redirects, code exchange, and session creation so you get confirmation that every step worked.

**Can Descope MCP handle testing multiple account types (e.g., Google vs SMS) in one project?**
Yes. Because it exposes tools for all methods—from `auth_otp_signup_sms` to `auth_oauth_authorize`—you can switch between different authentication mechanisms easily within your agent commands.

**Does Descope MCP help me manage user roles and permissions?**
It does. Beyond just logging in, you can use management tools to create new system roles (`mgmt_create_role`) and assign them to test users before running a login check.

**What if my app uses custom OAuth providers not listed?**
While the MCP handles major providers, you must use it for flow testing. For highly unique flows, you'll need to combine multiple tools like `auth_oauth_authorize` and `auth_oauth_exchange` to simulate the required steps.