FusionAuth MCP for AI. Manage every identity detail, from user roles to MFA status.
Works with every AI agent you already use
…and any MCP-compatible client








How this MCP server connects to your AI agent
FusionAuth (Enterprise Identity & Auth) MCP connects your AI client directly to enterprise identity services. Manage users, applications, groups, and authentication flows through natural conversation, letting you audit access, provision accounts, or test MFA sequences without leaving your IDE.
What AI agents can do with FusionAuth (Enterprise Identity & Auth) Automation
Create, read, update, or delete user profiles using specific IDs or emails.
List available applications and define granular roles for different users within those apps.
Simulate login attempts, test MFA sequences, or issue new JSON web tokens (JWTs).
Retrieve the current health, version number, and configuration settings of your entire identity platform.
Create, retrieve, update, or delete API keys and user secrets.
What AI agents can do with FusionAuth (Enterprise Identity & Auth): 50 Tools
Use these tools to perform every identity action imaginable: managing user accounts, controlling application access, generating credentials, or checking system health.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Add Group Member
Assigns a specific user account to an existing group.
Create Api Key
Generates and provides details for a new API key credential.
Create Application Role
Defines and sets up a new role specific to an application's permissions.
Create Application
Registers a brand-new application into the identity system.
Create Group
Establishes a new container for managing user access rights.
Create Lambda
Creates a new custom serverless function within the environment.
Create Tenant
Sets up an entirely isolated, top-level container for organizational data.
Create User
Creates a new user account and profile in the system.
Create Webhook
Sets up an automated URL endpoint to receive data notifications.
Delete Api Key
Permanently removes a credential used by external services.
Delete Group
Removes an existing user group and all its associated members.
Delete Lambda
Decommissions a custom serverless function.
Delete Tenant
Completely removes an isolated organizational container and all its data.
Delete User
Permanently deletes a user profile from the system.
Delete Webhook
Deletes an existing notification endpoint URL.
Disable Mfa
Turns off multi-factor authentication for a specific user account.
Enable Mfa
Activates multi-factor authentication requirements for a user.
Generate Mfa Secret
Creates the unique secret key needed to set up MFA on a user's device.
Get Api Key
Retrieves a specific, existing API key credential for reference.
List Application Roles
Returns a list of every defined role available within an application.
Get Application
Fetches the full details and configuration of a single application.
List Applications
Gathers a directory listing of all active applications in the system.
Get Group
Retrieves all members and details for an existing user group.
Get Identity Provider
Fetches the configuration of external identity services (like Google or Azure).
List Identity Providers
Lists every configured external identity source used for authentication.
Get Lambda
Retrieves the code and settings for a custom serverless function.
Get System Configuration
Pulls all current system-level configuration variables and settings.
Get System Health
Checks the overall operational status of the identity platform.
Get System Status
Retrieves the current, high-level operating state of the system.
Get System Version
Displays the exact version number of the installed identity platform software.
Get Tenant
Retrieves the configuration details for a specific organizational tenant container.
Get User
Fetches all profile data and metadata for one specified user account.
Get Webhook
Retrieves the configuration details of a specific notification endpoint.
Idp Login
Completes the login process using an external identity provider service.
Issue Jwt
Generates a new, signed JSON web token for authenticated access.
Login
Authenticates a user by username and password.
Mfa Login
Completes the login process after successfully passing multi-factor authentication.
Patch User
Makes partial edits to an existing user's profile without overwriting all data.
Refresh Jwt
Generates a new JWT token when the current one is nearing expiration.
Register User
Signs up and registers a brand-new user profile for an application.
Remove Group Member
Removes a specific user from a group, revoking their access rights.
Revoke Refresh Tokens
Invalidates and removes long-lived refresh tokens for security reasons.
Start Mfa
Initiates the multi-factor authentication flow process for a user.
Update Api Key
Changes or refreshes the credentials of an existing API key.
Update Group
Modifies the name, description, or membership list of a group.
Update Lambda
Replaces the code and settings for an existing serverless function.
Update System Configuration
Modifies core, system-wide operational parameters.
Update Tenant
Makes structural changes to a specific organizational tenant container.
Update User
Updates all general information fields for an existing user profile.
Update Webhook
Modifies the URL or payload settings of an active webhook endpoint.
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with FusionAuth (Enterprise Identity & Auth), then connect any of our 5,100+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,100+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by FusionAuth. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
Built on the Model Context Protocol (MCP) for Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This connection provides 50 powerful capabilities that interface natively with Claude, ChatGPT, Cursor, and other compatible AI platforms. No middleware. No custom integration required.
The Identity Admin Headache
Right now, managing a user's access means logging into three different portals: the user directory to check their status, the application dashboard to see what roles they have, and finally, maybe running an API script locally just to test if their credentials still work. You end up clicking tabs, copying IDs, pasting keys, and manually cross-referencing data across a dozen screens.
With this MCP connected via Vinkius, you ask your agent one question: 'What is the current access level for Jane Doe?' The response isn't a list of links; it’s a single block of structured facts. You get instant answers about her user profile, group memberships, and application roles without ever leaving your IDE.
Full Identity Control with FusionAuth MCP
You eliminate the need for manual credential audits by using tools like `get_api_key` to retrieve current keys and running `delete_api_key` immediately after an employee leaves. You also stop forgetting which services are connected by automatically listing all webhook endpoints with `get_webhook`.
The difference is control. Instead of managing identities piecemeal across scripts and dashboards, you manage the entire system's state through a single conversational interface that knows every tool available—from creating tenants to updating core system configuration.
What your AI can actually do with this
Managing user identities used to mean jumping between dashboards—checking a user's roles here, running a script in the terminal there, and manually updating an application key somewhere else. This MCP lets your AI agent handle that whole mess through conversation.
It gives you control over every part of your identity stack. Need to onboard a new developer? You can ask it to create their account, assign them to the 'backend-team' group, and give them specific application roles—all in one go. Want to audit compliance? Ask it to list all applications and retrieve details on who has access.
The whole process feels like talking to an expert teammate who already knows where everything is stored. When you connect this MCP via Vinkius, your agent gains immediate visibility into complex structures like tenants, API keys, and multi-factor authentication settings. It's not just reading data; it’s performing full lifecycle management for all your digital assets.
Here's how it actually works
The bottom line is, you get to manage complex identity infrastructure using simple, natural language commands.
First, connect this MCP to your AI client by providing the FusionAuth URL and a valid API Key.
Next, give your agent a directive: 'List all applications that need user roles defined.'
The agent executes the necessary calls, returning structured data on users, groups, or application details directly into your chat window.
Who is this actually for?
This MCP is critical for DevOps Engineers who need to audit system permissions rapidly, Security Analysts enforcing compliance checks, and Backend Developers testing auth integrations. If your job involves making sure users have exactly the right access at any given moment, this is for you.
DevOps Engineer: Needs to quickly check user accounts or modify application roles without leaving their terminal environment.
Security Analyst: Must inspect user profiles, verify MFA status, and audit API keys during incident response for compliance.
Backend Developer: Needs to test full authentication flows (like login or JWT refreshing) directly from their code editor.
What Changes When You Connect
You stop jumping between dashboards. Instead of manually checking credentials or running local scripts, you simply ask your agent to retrieve details—whether it's getting a full list of applications or fetching the latest system health report using get_system_health.
Compliance auditing gets faster. Instead of exporting and reviewing CSV files, your agent can pull specific data points, like retrieving all application roles via list_application_roles or checking if MFA is enabled using enable_mfa, giving you immediate answers.
Onboarding new users becomes a single command sequence. You don't have to manually run multiple scripts; you just ask the agent to create the user, then assign them to groups, and finally update their profile with necessary metadata.
Secure credential handling is centralized. Need to rotate an API key? Instead of finding it in old documentation, your agent retrieves it with get_api_key, lets you refresh it with update_api_key, and even cleans up the old credentials using delete_api_key.
You can test complex flows without breaking anything. Developers use this MCP to simulate real-world access by running functions like login or mfa_login directly, verifying that user roles are applied correctly before deployment.
See it in action
Investigating a compromised account.
A security analyst gets an alert. They ask their agent to get the user's profile using get_user, check if MFA is enabled, and then immediately call revoke_refresh_tokens to lock down access while they investigate.
Adding a new service integration.
A developer needs to connect a billing microservice. They ask their agent to create the necessary application via create_application, generate a dedicated key using create_api_key, and then set up an automated notification URL with create_webhook.
Restructuring user access levels.
The team is splitting departments. Instead of manually updating hundreds of records, the agent lists all applications using list_applications, identifies necessary roles via list_application_roles, and then uses tools like add_group_member to enforce the new permissions.
Auditing system changes.
An SRE needs to know if a recent configuration change broke anything. They ask their agent to retrieve the current system status using get_system_status and then check the overall operational health with get_system_health.
The honest tradeoffs
Calling tools sequentially for state changes
Trying to manually update user data by running separate calls: first calling update_user, then forgetting to call a related cleanup tool like remove_group_member when the user leaves.
When making major user lifecycle changes, always confirm the full sequence with your agent. For example, if you use delete_user, make sure you also run checks on all associated groups and applications using their respective delete tools.
Assuming read access equals write permission
Reading a user's profile using get_user and thinking that because the data exists, you can simply change it. This ignores necessary validation steps.
If you want to modify any account detail after retrieving it, always use the dedicated update tools like update_user or patch_user. Don't try to build modification logic from a read-only call.
Using general authentication methods for specific tasks
Trying to manage application roles by just calling the generic login tool. That only handles auth, not resource access control.
For granular permissions and role management, use dedicated tools like list_application_roles, which is designed specifically to map users to what they can actually do within a given app.
When It Fits, When It Doesn't
Use this MCP if your workflow requires managing the full identity lifecycle: creating accounts, assigning permissions, testing access flows, and auditing system credentials. It's ideal for security-focused tasks like revoking tokens (revoke_refresh_tokens) or ensuring MFA compliance. Don't use it if you only need to check a single piece of public information—for example, just listing all tenants using list_identity_providers is often enough, and the full MCP might be overkill. If your problem is simply 'What is my username?' then no complex toolset is required; but if the question is 'Does this user have permission to do X?', you need the granular control provided by tools like get_application and list_application_roles.
Questions you might have
How do I check a user's details using the get_user tool?
You must provide exactly one unique identifier (like an ID or email) when calling get_user. The agent will return their full profile data, including group memberships and status.
Can I change a user's role using the add_group_member tool?
Yes, that's what add_group_member does. You just need to tell the agent which specific user ID you want to add and which group they belong in.
What is the difference between create_user and register_user?
create_user manages the core identity profile, while register_user specifically signs a new user up for an application. They handle different stages of the account lifecycle.
How do I make sure my API keys are secure with create_api_key?
When you use create_api_key, your agent handles the generation and retrieval process securely. You can also follow up by using update_api_key to refresh credentials without downtime.
If I delete a tenant, what happens to my data? (delete_tenant)
Calling delete_tenant removes the entire isolated container and all associated resources within it. This action is irreversible, so confirm your scope first.
How do I initiate a Multi-Factor Authentication flow using the `start_mfa` tool?
Running start_mfa begins the MFA process for a user. This function doesn't complete the login itself; instead, it sends the initial challenge or setup details needed to proceed through the full authentication sequence.
What happens when I use the `remove_group_member` tool?
The user immediately loses all permissions tied to that specific group. This is a critical step for access revocation, ensuring they can no longer utilize resources granted only through that membership.
How can I verify if the identity service is operational using `get_system_health`?
Calling get_system_health returns a comprehensive status object. You get real-time metrics covering service uptime, database connection integrity, and overall performance indicators for immediate auditing.
Can I search for a user using their username instead of an ID?
Yes! The get_user tool allows you to search by username, email, or loginId in addition to the userId UUID.
How do I list all the roles defined for a specific application?
Use the list_application_roles tool and provide the applicationId. It will return all roles like 'admin', 'user', or custom roles configured for that environment.
Is it possible to update only a few fields of a user without sending the whole object?
Yes, use the patch_user tool. It allows you to send a partial JSON body containing only the specific fields you wish to modify.
We've already built the connector for FusionAuth. Just plug in your AI agents and start using Vinkius.
No hosting. No infrastructure. No complex setup.
All 50 tools are live and waiting.
You're up and running in seconds.
Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.
Built, hosted, and secured by Vinkius. You just connect and go.