Keycloak MCP. Manage identity and access control without the console.
Keycloak MCP manages identity and access control directly through your AI agent. You'll use this to audit security realms, create or delete users, manage groups, and configure OIDC/SAML clients without clicking a single button in the console.
Give Claude and any AI agent real-world access
Create new users, update existing details, reset passwords, or delete accounts across different realms.
List and import entire security environments (realms), or audit changes using the list_admin_events tool.
Create, read, update, or delete client applications, and retrieve or regenerate forgotten client secrets with tools like get_client_secret.
Organize your security structure by creating top-level groups, assigning roles at the realm level, or managing user group memberships.
Force a global logout across an entire realm (logout_all_users) to mitigate immediate security threats.
What AI agents can do with Keycloak: 34 Tools for Identity Management
These tools give you granular control over every part of the Keycloak system, letting you manage users, clients, groups, and roles directly from your chat interface.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Create Auth Flow
Builds a new authentication process flow within Keycloak.
Create Client
Registers and creates a brand new client application in the realm.
Create Group
Establishes a new, top-level user group for organization.
Create Role
Defines and creates a new security role available at the realm level.
Create User
Creates an account for a brand new user in the system.
Delete Client
Removes an existing client application from the realm entirely.
Delete Group
Deletes a defined group, removing all associated users and roles.
Delete Realm
Permanently deletes an entire security realm environment.
Delete User
Removes a user account from the system, making it permanently inactive.
Get Client Secret
Retrieves the confidential secret key associated with a client application.
Get Client
Fetches and displays all current details for a specified client.
Get Group
Retrieves the full details of a specific user group.
Get Realm
Fetches and displays all information for a specified security realm.
Get Role
Retrieves the definition of a specific role by its name.
Get User
Fetches and displays all current details for a specific user account.
Import Realm
Loads an entire realm environment into Keycloak from an external source.
List Admin Events
Retrieves a chronological list of all administrative changes made to a specific...
List Auth Flows
Lists all available authentication flows configured for the system.
List Client Roles
Displays all roles that can be assigned to a client application.
List Clients
Gets an overview of every client application registered in the realm.
List Groups
Displays the entire group hierarchy structure, showing parent-child relationships.
List Realms
Lists all accessible security realms managed by the instance.
List Required Actions
Identifies and lists actions that are required to proceed with certain changes.
List Roles
Displays all security roles available at the realm level for assignment.
List User Groups
Lists which groups a specific user currently belongs to.
List Users
Retrieves a list of all active and inactive users within the specified realm.
Logout All Users
Forces every logged-in user to log out instantly across the entire realm.
Partial Export Realm
Generates a partial data export of all settings and structures within a specific...
Regenerate Client Secret
Creates a brand new secret key for an existing client application.
Reset User Password
Resets the password for a user without needing to know their previous credentials.
Update Client
Modifies existing settings or metadata for a client application.
Update Group
Changes the properties or membership of an established group.
Update Realm
Modifies general settings and metadata for an entire realm environment.
Update User
Updates personal information or status details for a specific user account.
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Keycloak, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Keycloak. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Managing user access rights is a manual nightmare.
Today, managing identity means clicking through endless dashboards. You have to open the realm list, drill down into client settings, then check groups for membership, and finally update roles in a separate section. If you need to audit just one user's permissions change from three months ago, it’s a multi-step process involving several screens and copy-pasting IDs.
With this MCP, the whole thing becomes conversational. You tell your agent what needs fixing—like 'Who updated the database client secret last week?'—and it instantly pulls that information using `list_admin_events`. The result isn't a spreadsheet; it’s an answer.
Keycloak MCP: Total control over your security infrastructure.
Manual tasks like deleting old client applications or resetting credentials are high-friction, multi-step processes. You're wasting time jumping from the user panel to the group manager just to complete a simple cleanup task.
The MCP brings that complexity into one chat window. It treats your entire security setup—users, clients, groups, realms—as programmable data, letting you execute `delete_client` or `create_role` in a single prompt.
What Keycloak MCP does for your AI
This connector gives you full command over complex Identity and Access Management (IAM) processes. Instead of navigating through multiple Keycloak consoles or writing repetitive scripts, you talk to your agent about what needs fixing—whether it’s deleting an orphaned client record or auditing who changed a realm setting last week. You can manage the core security infrastructure by simply asking for it.
The system handles the complex API calls needed to update user credentials, assign roles, and force global logouts across entire realms. When you connect this MCP through Vinkius, your agent gets access to thousands of other specialized tools, so you stay in one place to handle everything from user lifecycle management to advanced security auditing.
How to set up Keycloak MCP
The bottom line is that you get to run complex identity management tasks through conversation instead of console clicks or code deployments.
First, subscribe to this MCP on Vinkius and provide your Keycloak Base URL along with a valid Admin Access Token.
Second, point your AI client (Claude, Cursor, or any compatible agent) to the newly connected Keycloak data stream.
Third, prompt your agent using natural language, for example 'List all users in the staging realm and reset John Doe's password', and watch it execute the necessary commands.
Who uses Keycloak MCP
This MCP is built for engineers and security staff who are tired of context switching between a ticketing system, the main application dashboard, and multiple API consoles. It's perfect for the DevOps engineer who needs to quickly audit permissions during a deployment or the Security Admin who has to perform emergency password resets at 2 AM.
Using this MCP, they run list_admin_events and check client configurations right from their terminal flow to ensure deployment readiness.
When a breach is suspected, they immediately use the agent to call tools like logout_all_users or perform targeted password resets via reset_user_password.
They set up test environments by calling create_client and generating necessary credentials using get_client_secret without leaving their IDE.
Benefits of connecting Keycloak MCP
You eliminate context switching. Instead of jumping between Keycloak's user list, group manager, and client config pages, you ask your agent to handle it all in one chat window.
Instant security response. If you suspect a breach, calling logout_all_users through the MCP instantly terminates every active session across the entire realm—no manual work required.
Never lose credentials again. With tools like get_client_secret and regenerate_client_secret, your agent retrieves or updates sensitive keys immediately upon request.
Full audit trail visibility. Use list_admin_events to get a clean, natural language summary of who changed what and when across the entire security infrastructure.
Efficient user lifecycle management. You can quickly call create_user or delete_user, ensuring accounts are provisioned or decommissioned exactly when needed.
Keycloak MCP use cases
The developer needs to onboard a new service.
A backend developer runs into an issue because the staging microservice is missing necessary permissions. They prompt their agent: 'I need to create a client for the payments service and assign it read-only access.' The agent calls create_client and then uses tools like list_roles and update_client to secure the connection, all in one go.
Security audit detects stale accounts.
A security admin finds a list of users who haven't logged in for months. They ask their agent to 'List all inactive user accounts older than 90 days and delete them.' The agent calls list_users and then executes multiple delete_user commands, completing the cleanup cycle.
A key application is compromised.
The ops team realizes an entire segment of users' access might be at risk. They immediately instruct their agent to 'Force a global logout across all production realms.' The agent calls logout_all_users, mitigating the threat instantly without any manual intervention.
Restructuring user teams.
The HR team requires that all members of the Marketing department be moved into a new group. An admin prompts: 'Create a group called "Mktg-V3" and add every user currently in the old Mktg group.' The agent handles create_group and updates membership via tools like update_user.
Keycloak MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Manual credential retrieval
A developer manually navigates the Keycloak UI, finds the client ID, clicks 'Secrets', copies the secret key, and pastes it into a config file. This is slow and prone to copy/paste errors.
Instead, use the agent to call get_client_secret directly with the client name. The agent handles the secure retrieval of the secret in one step.
Ad-hoc user updates
An administrator logs into the UI, finds a specific user by ID, clicks 'Edit,' and changes their status manually. If there are fifty users to update, this is agonizing.
Use list_users first to get all target accounts, then instruct your agent to run bulk updates using multiple calls to update_user for the entire list.
Complex role assignment
You need to assign three different roles (Admin, Viewer, Editor) to a user while also ensuring they are part of two specific groups. This requires navigating separate tabs and menus.
Prompt the agent: 'Assign Admin and Viewer roles to John Doe and add him to both the Sales and Engineering groups.' The agent coordinates list_roles, get_role, and update_user in sequence.
When to use Keycloak MCP
Use this MCP if your primary pain points involve Identity, Authentication, or Authorization (IAM). If you need to audit who can do what, manage user lifecycles (create/delete), or modify client settings, this is the right tool. However, don't use it if you only need simple logging—if you just want a feed of system events without needing to change anything, general logging tools are better suited. Also, if your goal is merely reporting on user activity after the fact (e.g., 'How many logins happened yesterday?'), you might need dedicated analytics tools that read logs; this MCP focuses on making changes and managing the core structure using tools like list_admin_events or get_user. The key difference: we manage the system's state rather than just reading about it.
Frequently asked questions about Keycloak MCP
How do I list all the environments available using Keycloak MCP?
You use the list_realms tool. This command retrieves every active realm, letting you see exactly how many isolated security environments your instance manages.
Can I reset a user's password with Keycloak MCP?
Yes, you can use the reset_user_password tool. This lets you instantly reset any user's password without needing to know their current credentials or access the console.
What is the difference between listing users and getting a user by ID using Keycloak MCP?
The list_users tool provides an overview of all users in the realm. If you need specific, deep details about one person, you use the get_user tool with their unique identifier.
How do I know who changed a setting last week using Keycloak MCP?
You run list_admin_events. This tool gives you a comprehensive audit log, detailing administrative changes across the realm, including who made them and when.
Does Keycloak MCP help me add new roles to users?
Yes. After defining the role using create_role, you can update user memberships or group settings, which effectively applies that new role to the target user.