# FusionAuth MCP

> FusionAuth (Enterprise Identity & Auth) MCP connects your AI client directly to enterprise identity services. Manage users, applications, groups, and authentication flows through natural conversation, letting you audit access, provision accounts, or test MFA sequences without leaving your IDE.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** auth, iam, user-management, single-sign-on, mfa

## Description

Managing user identities used to mean jumping between dashboards—checking a user's roles here, running a script in the terminal there, and manually updating an application key somewhere else. This MCP lets your AI agent handle that whole mess through conversation.

It gives you control over every part of your identity stack. Need to onboard a new developer? You can ask it to create their account, assign them to the 'backend-team' group, and give them specific application roles, all in one go. Want to audit compliance? Ask it to list all applications and retrieve details on who has access. The whole process feels like talking to an expert teammate who already knows where everything is stored. When you connect this MCP via Vinkius, your agent gains immediate visibility into tenants, API keys, and multi-factor authentication settings. It is not a read-only integration: the tool set covers the full lifecycle of users, groups, applications, API keys, lambdas, webhooks, tenants and system configuration, deletion included, so the permissions on the API key you give it define how much damage a bad prompt or a confused agent can do.

## Tools

### add_group_member
Assigns a specific user account to an existing group.

### create_api_key
Generates and provides details for a new API key credential.

### create_application_role
Defines and sets up a new role specific to an application's permissions.

### create_application
Registers a brand-new application into the identity system.

### create_group
Establishes a new container for managing user access rights.

### create_lambda
Creates a new lambda: a JavaScript function that FusionAuth runs at defined hook points, such as populating JWT claims or reconciling users arriving from an identity provider.

### create_tenant
Sets up an entirely isolated, top-level container for organizational data.

### create_user
Creates a new user account and profile in the system.

### create_webhook
Sets up an automated URL endpoint to receive data notifications.

### delete_api_key
Permanently removes a credential used by external services.

### delete_group
Deletes an existing group and its memberships. The member user accounts themselves are not deleted; they only lose whatever roles the group granted.

### delete_lambda
Deletes an existing lambda.

### delete_tenant
Completely removes an isolated organizational container and all its data.

### delete_user
Permanently deletes a user profile from the system.

### delete_webhook
Deletes an existing notification endpoint URL.

### disable_mfa
Turns off multi-factor authentication for a specific user account.

### enable_mfa
Activates multi-factor authentication requirements for a user.

### generate_mfa_secret
Creates the unique secret key needed to set up MFA on a user's device.

### get_api_key
Retrieves a specific, existing API key credential for reference.

### list_application_roles
Returns a list of every defined role available within an application.

### get_application
Fetches the full details and configuration of a single application.

### list_applications
Gathers a directory listing of all active applications in the system.

### get_group
Retrieves all members and details for an existing user group.

### get_identity_provider
Fetches the configuration of external identity services (like Google or Azure).

### list_identity_providers
Lists every configured external identity source used for authentication.

### get_lambda
Retrieves the code and settings of a lambda.

### get_system_configuration
Pulls all current system-level configuration variables and settings.

### get_system_health
Checks the overall operational status of the identity platform.

### get_system_status
Retrieves the current, high-level operating state of the system.

### get_system_version
Displays the exact version number of the installed identity platform software.

### get_tenant
Retrieves the configuration details for a specific organizational tenant container.

### get_user
Fetches all profile data and metadata for one specified user account.

### get_webhook
Retrieves the configuration details of a specific notification endpoint.

### idp_login
Completes the login process using an external identity provider service.

### issue_jwt
Generates a new, signed JSON web token for authenticated access.

### login
Authenticates a user by username and password.

### mfa_login
Completes the login process after successfully passing multi-factor authentication.

### patch_user
Makes partial edits to an existing user's profile without overwriting all data.

### refresh_jwt
Exchanges a valid refresh token for a new access JWT so a session can continue without asking the user to log in again.

### register_user
Signs up and registers a brand-new user profile for an application.

### remove_group_member
Removes a specific user from a group, revoking their access rights.

### revoke_refresh_tokens
Invalidates a user's long-lived refresh tokens so no new access tokens can be minted from them, forcing a fresh login. Access tokens already issued keep working until they expire.

### start_mfa
Initiates the multi-factor authentication flow process for a user.

### update_api_key
Changes or refreshes the credentials of an existing API key.

### update_group
Modifies the name, description, or membership list of a group.

### update_lambda
Replaces the code and settings of an existing lambda.

### update_system_configuration
Modifies core, system-wide operational parameters.

### update_tenant
Makes structural changes to a specific organizational tenant container.

### update_user
Replaces the full user object with the one supplied. Fields left out of the request are cleared, so use `patch_user` when you only mean to change a few of them.

### update_webhook
Modifies the URL or payload settings of an active webhook endpoint.

## Prompt Examples

**Prompt:** 
```
List all our applications in FusionAuth.
```

**Response:** 
```
I've retrieved your applications. You have 3 active apps: 'Main Web Portal' (ID: 8a7...), 'Mobile API' (ID: 2f1...), and 'Internal Dashboard'. Which one would you like to inspect?
```

**Prompt:** 
```
Find the user with email 'admin@company.com'.
```

**Response:** 
```
I found the user: Admin User (ID: 550e...). Their account is currently 'Active' and they belong to the default tenant. Would you like to see their full profile data?
```

**Prompt:** 
```
Create a user with the email 'test@example.com' and username 'test_user'.
```

**Response:** 
```
User 'test_user' has been created successfully with ID 9b1... and email 'test@example.com'. I can now assign roles to this user if you provide an application ID.
```

## Capabilities

### Manage User Accounts
Create, read, update, or delete user profiles using specific IDs or emails.

### Control Application Access
List available applications and define granular roles for different users within those apps.

### Handle Authentication Workflows
Simulate login attempts, test MFA sequences, or issue new JSON web tokens (JWTs).

### Audit System State
Retrieve the current health, version number, and configuration settings of your entire identity platform.

### Manage Credentials
Create, retrieve, update, or delete API keys and user secrets.

## Use Cases

### Investigating a compromised account.
A security analyst gets an alert. They ask their agent to fetch the user's profile with `get_user` and check whether MFA is enrolled, then call `revoke_refresh_tokens` so the attacker cannot mint new access tokens, and `patch_user` to set `active` to `false` so the account cannot log in again while they investigate. Refresh-token revocation does not recall access tokens that were already issued; those stay valid until their expiry, so the tenant's access token lifetime decides how quickly the lockdown actually bites.

### Adding a new service integration.
A developer needs to connect a billing microservice. They ask their agent to create the necessary application via `create_application`, generate a dedicated key using `create_api_key`, and then set up an automated notification URL with `create_webhook`.

### Restructuring user access levels.
The team is splitting departments. Instead of manually updating hundreds of records, the agent lists all applications using `list_applications`, identifies necessary roles via `list_application_roles`, and then uses tools like `add_group_member` to enforce the new permissions.

### Auditing system changes.
An SRE needs to know if a recent configuration change broke anything. They ask their agent to retrieve the current system status using `get_system_status` and then check the overall operational health with `get_system_health`. Those calls show that the node is up and serving requests, not that the new configuration behaves as intended; to verify the change itself, follow up with `get_system_configuration` to confirm what is actually in effect and a `login` against a test account.

## Benefits

- You stop jumping between dashboards. Instead of manually checking credentials or running local scripts, you simply ask your agent to retrieve details—whether it's getting a full list of applications or fetching the latest system health report using `get_system_health`.
- Compliance auditing gets faster. Instead of exporting and reviewing CSV files, your agent can pull specific data points, like retrieving all application roles via `list_application_roles` or checking whether a user has MFA enrolled from the profile `get_user` returns, giving you immediate answers.
- Onboarding new users becomes a single command sequence. You don't have to manually run multiple scripts; you just ask the agent to create the user, then assign them to groups, and finally update their profile with necessary metadata.
- Credential handling is centralized. Need to rotate an API key? Instead of digging it out of old documentation, your agent can `create_api_key` for a replacement with the same scope, let you cut consumers over, and then clean up with `delete_api_key`; `get_api_key` and `update_api_key` cover inspecting and adjusting the keys that remain.
- You can test complex flows without breaking anything. Developers use this MCP to exercise real access paths by running `login` or `mfa_login` directly and verifying that roles show up as expected before deployment. Use dedicated test accounts for this: whatever password you hand to `login` passes through the agent and ends up in the conversation history.

## How It Works

The bottom line is, you get to manage complex identity infrastructure using simple, natural language commands.

1. First, connect this MCP to your AI client by providing the FusionAuth URL and a valid API Key. Create a dedicated key for the agent, scoped to the tenant and endpoints it actually needs, rather than reusing a super-user key: every destructive tool in the list above (`delete_tenant`, `update_system_configuration`, `delete_user`, ...) is only one prompt away.
2. Next, give your agent a directive: 'List all applications that need user roles defined.'
3. The agent executes the necessary calls, returning structured data on users, groups, or application details directly into your chat window.
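The step that decides how dangerous this setup is, is the API key from step 1. The following is an added example (not code from the FusionAuth MCP, Vinkius, or FusionAuth) that builds the body for FusionAuth's Create API Key request so the agent's key only covers the tools you have allowed it. The request shape (`apiKey.permissions.endpoints` as a map of path to allowed HTTP methods, `apiKey.tenantId`, `apiKey.metaData.attributes`) is FusionAuth's; the mapping from MCP tool names to endpoints is an assumption about how the tools call the REST API, and the tenant ID in the usage is a placeholder.

```python
"""Build a least-privilege FusionAuth API key request for an MCP agent.

Added example, not part of the FusionAuth MCP or of FusionAuth. The request
body shape is FusionAuth's Create API Key API; TOOL_ENDPOINTS is an assumed
mapping of MCP tool names onto the REST endpoints each one needs.
"""
import json

# Assumed: which FusionAuth endpoint and method each MCP tool calls.
TOOL_ENDPOINTS = {
    "list_applications":           ("/api/application", "GET"),
    "get_application":             ("/api/application", "GET"),
    "list_application_roles":      ("/api/application", "GET"),
    "get_user":                    ("/api/user", "GET"),
    "create_user":                 ("/api/user", "POST"),
    "patch_user":                  ("/api/user", "PATCH"),
    "update_user":                 ("/api/user", "PUT"),
    "delete_user":                 ("/api/user", "DELETE"),
    "get_group":                   ("/api/group", "GET"),
    "add_group_member":            ("/api/group/member", "POST"),
    "remove_group_member":         ("/api/group/member", "DELETE"),
    "revoke_refresh_tokens":       ("/api/jwt/refresh", "DELETE"),
    "create_api_key":              ("/api/api-key", "POST"),
    "delete_tenant":               ("/api/tenant", "DELETE"),
    "update_system_configuration": ("/api/system-configuration", "PUT"),
}

# Tools whose blast radius is the whole deployment (or that let the agent mint
# itself more access). Never grant these to an agent key, whatever the prompt.
DENY_ALWAYS = {"create_api_key", "delete_tenant", "update_system_configuration"}


def endpoint_permissions(allowed_tools):
    """Return {endpoint: sorted [methods]} covering exactly the allowed tools."""
    perms = {}
    for tool in allowed_tools:
        if tool in DENY_ALWAYS:
            raise ValueError(f"{tool} must not be granted to an agent key")
        if tool not in TOOL_ENDPOINTS:
            raise KeyError(f"unknown tool {tool}")
        path, method = TOOL_ENDPOINTS[tool]
        perms.setdefault(path, set()).add(method)
    return {path: sorted(methods) for path, methods in sorted(perms.items())}


def write_tools(allowed_tools):
    """Allowed tools that change state: the ones a client should confirm
    with a human before the agent runs them."""
    return sorted(t for t in allowed_tools if TOOL_ENDPOINTS[t][1] != "GET")


def api_key_request(allowed_tools, tenant_id, description):
    """Body for POST /api/api-key. No 'key' field: FusionAuth generates the
    secret, which the response returns exactly once."""
    return {
        "apiKey": {
            "tenantId": tenant_id,
            "metaData": {"attributes": {"description": description}},
            "permissions": {"endpoints": endpoint_permissions(allowed_tools)},
        }
    }


if __name__ == "__main__":
    # A read-mostly audit agent that may also lock accounts down.
    audit_agent = ["list_applications", "list_application_roles", "get_user",
                   "get_group", "patch_user", "revoke_refresh_tokens"]
    body = api_key_request(audit_agent, "<tenant-uuid placeholder>", "mcp-audit-agent")
    print(json.dumps(body, indent=2))
    print("confirm before running:", write_tools(audit_agent))
```

Hand the generated body to the Create API Key endpoint (or paste its permission set into the admin UI) and give the resulting key to the MCP client; a prompt asking the agent to `delete_tenant` then fails at FusionAuth with a permission error instead of succeeding.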

## Frequently Asked Questions

**How do I check a user's details using the get_user tool?**
You must provide exactly one unique identifier (like an ID or email) when calling `get_user`. The agent will return their full profile data, including group memberships and status.

**Can I change a user's role using the add_group_member tool?**
Yes, indirectly. In FusionAuth a group carries a set of application roles, so adding a user with `add_group_member` grants them every role attached to that group. Tell the agent which user ID to add and which group. The new roles appear in tokens issued after the change, not in ones the user already holds.

**What is the difference between create_user and register_user?**
`create_user` creates the identity itself (email, password, profile data), while `register_user` creates a registration that links a user to one application and carries that application's roles; a user with no registration for an application has no roles in it. They handle different stages of the account lifecycle.

**How do I make sure my API keys are secure with create_api_key?**
`create_api_key` returns the new key exactly once, in the tool response, which means it passes through the model and lands in your chat transcript. Treat that transcript as you would a secret store. Scope the key to the tenant, endpoints and HTTP methods it needs (FusionAuth supports all three restrictions), give it a descriptive metadata entry so it can be found and retired later, and rotate by creating a replacement and removing the old one with `delete_api_key` rather than keeping long-lived keys around.

**If I delete a tenant, what happens to my data? (delete_tenant)**
Calling `delete_tenant` removes the entire isolated container and all associated resources within it. This action is irreversible, so confirm your scope first.

**How do I initiate a Multi-Factor Authentication flow using the `start_mfa` tool?**
Running `start_mfa` begins the MFA process for a user. This function doesn't complete the login itself; instead, it sends the initial challenge or setup details needed to proceed through the full authentication sequence.

**What happens when I use the `remove_group_member` tool?**
As far as FusionAuth is concerned the user loses the roles that group granted right away: new logins and token refreshes no longer include them. Access tokens already issued still carry the old `roles` claim until they expire, so a revocation that must bite immediately should be paired with `revoke_refresh_tokens` and either a short access token lifetime or a downstream check against FusionAuth rather than trusting the token alone.
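Both the compromised-account use case above and this question come down to the same fact: `revoke_refresh_tokens` and `remove_group_member` stop new tokens from carrying the old access, but an access JWT already in the attacker's hands keeps its `roles` claim until `exp`. The following added example (not code from the FusionAuth MCP or from FusionAuth) reads those claims out of a token, computes how long it remains usable, and packages the analyst's checks from the use case into one record. The token, user object and clock are constructed test data; the claim names `sub`, `roles`, `exp` and the `twoFactor.methods` field on the user object are FusionAuth's, the helper functions are the example's own.

```python
"""What revoke_refresh_tokens and remove_group_member do and do not stop.

Added example, not part of the FusionAuth MCP or of FusionAuth. Token and user
below are constructed; jwt_claims() deliberately skips signature verification
because it inspects a token you already hold, never one you are deciding to trust.
"""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_jwt(claims):
    """Constructed, unsigned test token; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder"


def jwt_claims(token):
    """Payload claims of a compact JWT, NOT verified. Inspection only."""
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))


def seconds_still_valid(token, now):
    """How long an already-issued access token keeps working after the user's
    refresh tokens are revoked or a group membership is removed: nothing
    recalls it, so until its exp claim."""
    return max(0, int(jwt_claims(token)["exp"]) - int(now))


def mfa_enrolled(user):
    """FusionAuth lists a user's enrolled factors under user.twoFactor.methods."""
    return bool(user.get("twoFactor", {}).get("methods"))


def triage(user, live_token, now):
    """The analyst's checks from the compromised-account use case as one record."""
    claims = jwt_claims(live_token)
    return {
        "userId": user.get("id"),
        "active": bool(user.get("active", False)),
        "mfaEnrolled": mfa_enrolled(user),
        "rolesInLiveToken": claims.get("roles", []),
        "tokenSecondsLeft": seconds_still_valid(live_token, now),
    }


# Constructed sample user, not from any real deployment.
SAMPLE_USER = {
    "id": "00000000-0000-4000-8000-000000000001",
    "email": "admin@example.com",
    "active": True,
    "twoFactor": {"methods": []},  # nothing enrolled: MFA is off for this user
}

if __name__ == "__main__":
    now = int(time.time())
    # A token the attacker obtained 15 minutes before it expires.
    token = make_test_jwt({"sub": SAMPLE_USER["id"], "roles": ["admin"], "exp": now + 900})
    print(json.dumps(triage(SAMPLE_USER, token, now), indent=2))
```

`tokenSecondsLeft` is the window during which the revoked user can still present the old token to anything that only checks its signature and `exp`; a downstream service that wants that window closed has to consult FusionAuth (or a short token lifetime) rather than the token alone.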

**How can I verify if the identity service is operational using `get_system_health`?**
Calling `get_system_health` returns a status object indicating whether the node is up and able to serve requests. Treat it as a liveness check for the identity platform, not as proof that its configuration is right; `get_system_version` and `get_system_configuration` tell you what is actually deployed and in effect.

**Can I search for a user using their username instead of an ID?**
Yes! The `get_user` tool allows you to search by `username`, `email`, or `loginId` in addition to the `userId` UUID.

**How do I list all the roles defined for a specific application?**
Use the `list_application_roles` tool and provide the `applicationId`. It will return all roles like 'admin', 'user', or custom roles configured for that environment.

**Is it possible to update only a few fields of a user without sending the whole object?**
Yes, use the `patch_user` tool. It allows you to send a partial JSON body containing only the specific fields you wish to modify.