Okta MCP for AI. Control Identity and Access from Chat.

Q: How do I check who is in a specific group using listgroupusers?

You run listgroupusers and pass the exact Group ID or name. It returns a precise, up-to-date roster of every user assigned to that group right now.

Q: Can I find out if a user's session was terminated using listsystemlogs?

Yes. listsystemlogs captures all sign-in events, including when sessions were manually cleared or revoked. You can filter the logs by time and action type.

Q: What is the difference between getuser and listusers?

getuser requires a specific user ID to pull that profile's details. listusers pulls a directory listing of every configured account in the entire Okta domain.

Q: Should I use deactivateuser or clearusersessions?

Use clearusersessions when you suspect an active compromise and need to force a re-login. Use deactivateuser for permanent offboarding, as it revokes future access entirely.

Claude

ChatGPT

Cursor

Gemini

Windsurf

VS Code

JetBrains

Vercel

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

Connect to your AI in seconds.

Okta MCP Server connects your AI agent directly to Okta Identity Cloud's core services. It manages user lifecycles, handles access control, and provides real-time security visibility for IT operations.

Instead of clicking through admin dashboards, you talk to the server to create users, reset credentials, or terminate sessions instantly.

What your AI can do

Clear user sessions

Terminates every current login session for a specific user ID. Use this when you suspect an account has been compromised.

Deactivate user

Suspends and permanently revokes access for an Okta user account, blocking all future sign-ins immediately. Ideal for emergency offboarding.

Get group

Pulls all specific membership details and attributes for a designated Okta Group.

+ 7 more capabilities included

Manage User Accounts

Retrieve user profiles, create new identities, or mark existing accounts as deactivated.

Audit Security Logs

Pull recent sign-in attempts and audit events from the Okta system logs for security review.

Control Sessions

Forcefully terminate all active login sessions for a user, critical when a device is compromised.

Manage Group Membership

List all groups and check which specific users belong to them or what applications are tied to them.

Check Application Access

View detailed Single Sign-On (SSO) configurations, including client secrets and cert chains, for any connected application.

Ask an AI about this

Included with Plan

Waiting for input…

AI Agent

Okta MCP Server: 10 Tools for Identity & Access Control

Manage everything from user profiles and group memberships to system-wide sign-in logs. Your AI agent handles the admin work.

Make your AI actually useful.

Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.

Start using Okta on Vinkius

Clear User Sessions

Terminates every current login session for a specific user ID. Use this when you suspect an account has been compromised.

Deactivate User

Suspends and permanently revokes access for an Okta user account, blocking all...

Get Group

Pulls all specific membership details and attributes for a designated Okta Group.

Get User

Fetches the full profile, status, and attribute data for an explicit Okta User ID...

Get App

Retrieves detailed SSO configuration data—like client secrets or cert chains—for a...

List Groups

Provides a comprehensive directory listing of every security, application, and dynamic group in your organization's Okta setup.

List Users

Lists every single user configured in the Okta Universal Directory for organization-wide reporting purposes.

List System Logs

Retrieves the 100 most recent audit logs from Okta, including sign-in attempts, MFA...

List Apps

Lists every application integrated into your Okta dashboard, covering SAML, OIDC...

List Group Users

Returns a list of all users currently assigned to any specified Okta Group.

Security and governance baked right in.

Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.

Claude AI

Open Claude Settings

Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.

Add Custom Connector

Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL:

https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.

Start a conversation

Open a new chat. The Okta integration is available immediately — no restart needed.

Antigravity

Configure Agent Environment

Open your Antigravity agent's workspace configuration or mcp-servers.json file.

Bind the Endpoint

Add the Vinkius endpoint URL to your agent's MCP connections list:

"mcp_servers": {
  "okta": {
    "serverUrl": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
  }
}

Provide your secure token in place of [YOUR_TOKEN_HERE] to ensure your agent requests are authenticated.

Execute

Start your Antigravity session. The agent will autonomously discover and utilize the Okta tools with full Vinkius guardrails applied.

VS Code Copilot

⚡

One-Click Install (Recommended)

In your Vinkius Dashboard, simply click the Add to VS Code button for this server. We'll automatically configure your local workspace.

Or configure manually

Open MCP Settings

Open VS Code, press Ctrl/Cmd + Shift + P, and search for GitHub Copilot: MCP Servers.

Add Server Config

Add the Vinkius endpoint configuration to your mcp-servers.json file:

"okta": {
  "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
}

Ensure you replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com.

LangChain

Install Dependencies

Install the LangChain MCP adapters for your environment:

pip install langchain-mcp-adapters

Connect the Server

Use the SSEClient in LangChain to connect to the Vinkius managed endpoint:

from langchain_mcp_adapters.client import SSEClient

# Connect to Vinkius
client = SSEClient(url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp")
tools = client.get_tools()

CrewAI

Define the Tool

Load the Vinkius MCP tools into your CrewAI agents:

from crewai import Agent
from mcp_crewai import MCPTool

# Connect securely to Vinkius
vinkius_tools = MCPTool(url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp")

# Assign to Agent
researcher = Agent(
    role='Data Researcher',
    tools=vinkius_tools.get_all()
)

Execute Task

Run your CrewAI process. The agent will autonomously route tasks to the Vinkius managed server.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

Import from OpenAPI, Swagger, or YAML specs
Create Agent Skills with progressive disclosure
Deploy to edge with MCPFusion framework
Built in DLP, auth, and compliance on every call
Real time usage dashboard and cost metering
Publish to catalog or keep private

Start building

Make Your AI Do More

Start with Okta, then connect any of our 5,100+ other servers whenever your AI needs more. One click, no limits.

Use this MCP plus 5,100+ others, all in one place
Add new capabilities to your AI anytime you want
Every connection is secured and compliant automatically
Track usage and costs across all your servers
Works with Claude, ChatGPT, Cursor, and more
New servers added to the catalog every week

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Okta. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

Cloud Hosted

Managed infra

V8 Isolated

Sandboxed per request

Zero-Trust Proxy

No stored credentials

DLP Enforced

Policy on every call

GDPR Compliant

EU data residency

Token Compression

~60% cost reduction

Your data is protected. See how we built it.

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This connection provides 10 powerful capabilities that interface natively with Claude, ChatGPT, Cursor, and other compatible AI platforms. No middleware. No custom integration required.

Checking a User's Status Shouldn't Be a Multi-Step Dashboard Choreography.

Today, checking if 'Mark Johnson' is active and what groups he belongs to requires logging into Okta, finding his profile, clicking the Groups tab, then maybe cross-referencing an application audit log. It takes five clicks and a lot of context switching.

With this MCP server, you ask your agent: 'What is Mark Johnson’s status and group membership?' The system runs `get_user` and checks his associated groups using the backend tools. You get one clean answer that summarizes everything—no dashboard hopping required.

The Okta MCP Server makes account termination simple with `deactivate_user`.

Manually terminating an employee's access means updating Active Directory, revoking SAML apps, and clearing sessions across half a dozen systems. It's time-consuming and prone to human error—you might forget one key group assignment.

Now, you simply run `deactivate_user`. The server handles the full lifecycle: it marks the account as permanently revoked, killing all active assertions and blocking future access across every integrated service.

Support 24/7 support@vinkius.com ↗

Security Vinkius Trust Center ↗

SLA Service Level Agreement ↗

Report Listing Send Report ↗

What your AI can actually do with this

Your AI client connects directly to Okta Identity Cloud's core services. You won't need to click through admin dashboards anymore; you just tell your agent what you gotta do and it handles the rest of the heavy lifting.

Managing User Accounts:
You can list every user in the Okta Universal Directory using list_users for an organization-wide headcount. To check a specific person's details, run get_user with their explicit ID to pull their full profile and attribute data. If you need to shut down an account permanently, use deactivate_user; this immediately suspends and revokes all future sign-ins.

For quick security measures, you can forcefully kill every active login session for a specific user by calling clear_user_sessions.

Group Membership & Access Control:
To understand your organizational structure, use list_groups to get a directory listing of every single group—whether it's a security group, an application group, or a dynamic one. You can then check the specific membership and attributes for any given group using get_group. If you need to know who belongs in a certain group, run list_group_users against that specified Okta Group.

When dealing with applications, first use list_apps to see every service integrated into your dashboard, covering SAML, OIDC, and SCIM connections. For deep dives on an app's setup, you can retrieve detailed SSO configuration data—including client secrets or cert chains—for a single connected application using get_app.

Security Auditing & Logs:
When security is the issue, you need visibility. You pull the 100 most recent audit logs from Okta by calling list_system_logs. These logs cover everything: sign-in attempts, Multi-Factor Authentication (MFA) results, and any configuration changes that happen in the system. This gives your agent a central record for reviewing security events.

If you're checking on who accessed what, you can combine this by listing all users with list_users, then cross-referencing their activity against the data pulled from get_user or the logs provided by list_system_logs.

Built · Hosted · Managed by Vinkius Okta MCP Server - Manage Users & SSO Access

Server ID 019d75e4-0470-7139-8db4-8eb4403df914

Vinkius Inspector

Compliance Grade A+

Score 100/100

Report View Report ↗

Who is this actually for?

This is for the IT Ops engineer who spends too much time clicking through ten different dashboards just to check one user's access. It’s also for Security Analysts needing immediate, auditable data on compromised accounts or unauthorized access patterns.

System Administrator

Uses deactivate_user and create_user to manage the full user lifecycle without touching complex administrative UIs.

Helpdesk Technician

Runs simple commands like checking a user's status (get_user) or resetting credentials, getting back fast answers for end-users.

Security Operations Analyst (SecOps)

Uses list_system_logs and clear_user_sessions to trace sign-in scopes, hunt down malicious activity, or terminate active threats immediately.

What Changes When You Connect

Stop Manual Log Checks: Instead of manually navigating logs, use list_system_logs to pull the 100 most recent sign-in attempts instantly. You see who logged in, when, and if MFA worked—all without clicking a single button.

Instant Offboarding: When an employee leaves, don't wait for HR to manually update ten systems. Use deactivate_user to revoke all access across the entire Okta domain immediately.

Deep User Profiling: Need to know what department 'Jane Doe' belongs to? Running get_user gives you her full profile and status in one go, eliminating cross-referencing multiple internal systems.

Group Access Auditing: Don’t trust group names. Use list_group_users combined with list_groups to map exactly which users are assigned to a specific department group, ensuring compliance.

Security Incident Response: If you suspect lateral movement, use clear_user_sessions right away. This command forces every connected service to drop the user's session, stopping active threats instantly.

See it in action

01 01

Investigating a Suspicious Login

A security analyst notices an unusual login time. They ask their agent: 'Check the logs for activity on User X.' The agent runs list_system_logs, immediately showing if the user used MFA, from what IP, and if any suspicious configuration changes were made recently. Problem solved in seconds.

02 02

Bulk Decommissioning

The HR team gives a list of 50 terminated employees. The admin uses deactivate_user for all IDs in a batch script, confirming that access is cut off across every linked corporate app, preventing orphaned accounts from causing security holes.

03 03

Auditing Departmental Access

The compliance officer needs to know who has 'Admin' rights. They ask the agent to run list_groups and then target the specific group using list_group_users. This confirms every person assigned to that high-privilege role.

04 04

Fixing a User Lockout

A helpdesk tech gets an urgent call from a user who can't log in. Instead of walking them through the password reset portal, they ask the agent to get_user (to check status) and then run a credential reset command via the server.

The honest tradeoffs

Assuming Full Access

Anti-pattern

Trying to 'just list everything' without specifying scope, which might accidentally expose sensitive configuration details or fail due to rate limiting.

The Fix

Always specify what you need. If you only want user names, use list_users. If you only care about group structure, run list_groups first. Never assume a single command covers everything.

Using the Wrong Scope

Anti-pattern

Thinking that checking get_user status is enough to prove access rights for an application; you still need to check the integration bindings.

The Fix

To verify app access, run list_apps. If you need deep technical details on how that app connects (secrets, etc.), use get_app.

Ignoring Deprovisioning

Anti-pattern

The user leaves the company and their account is just disabled in the main directory without revoking sessions. They'll still have active tokens until expiration.

The Fix

For termination, always use deactivate_user. This handles both disabling the account and killing all existing tokens/sessions.

When It Fits, When It Doesn't

Use this server if your primary job involves managing identities, tracking access, or responding to security incidents. You need conversational control over core IdP functions.

Don't use it if you are only trying to manage local file permissions (use a filesystem tool instead). Also, don't rely on get_user alone; that just gives profile data. If you need to know what groups the user belongs to, always follow up with list_group_users. You can check all available applications with list_apps, but if you suspect an issue with a specific app’s connection (like a broken SAML link), run get_app first. It's about knowing your data boundaries: profiles are user-specific; logs are time-based; groups are structural.

Questions you might have

How do I check who is in a specific group using list_group_users? +

You run list_group_users and pass the exact Group ID or name. It returns a precise, up-to-date roster of every user assigned to that group right now.

Can I find out if a user's session was terminated using list_system_logs? +

Yes. list_system_logs captures all sign-in events, including when sessions were manually cleared or revoked. You can filter the logs by time and action type.

What is the difference between get_user and list_users? +

get_user requires a specific user ID to pull that profile's details. list_users pulls a directory listing of every configured account in the entire Okta domain.

Should I use deactivate_user or clear_user_sessions? +

Use clear_user_sessions when you suspect an active compromise and need to force a re-login. Use deactivate_user for permanent offboarding, as it revokes future access entirely.

How do I check the structure and list all available groups using list_groups? +

It lists every configured Okta Group, providing an overview of your organization's directory policies. This is critical for understanding how permissions are structured across different security and application domains.

What does get_app provide regarding a specific integration? +

It pulls the detailed SSO configuration for any given app, including client secrets, X.509 certificates, and token-grant lifespans. This is essential when auditing security bindings or verifying connection health.

How can I list all integrated applications using list_apps? +

This tool inventories every sign-on integration—whether it uses raw OIDC, SAML 2.0, or SCIM provisioning. It gives you a full picture of what apps your Okta tenant supports.

What information can I get about a specific group using get_group? +

It returns the complete metadata and policy details for an individual group, not just who is in it. This helps you understand the explicit rules governing that department's access permissions.

Where do I retrieve my Okta Domain and API Token? +

Log in to your Okta Admin Console. The Okta domain is simply the URL you use (e.g., company.okta.com). To get the API Key, navigate to Security -> API, then select the Tokens tab. Click Create Token, assign it a name, and securely copy the generated string.

Can the agent clear active sessions for a compromised user? +

Yes! If you suspect an ongoing security incident, you can promptly ask the agent to clear user sessions (clear_user_sessions) by simply stating the user's ID or email. The integration talks back to Okta and terminates persistent connections instantaneously.

Is the administrator API key shared globally with anyone else? +

No, your setup is extremely private and BYOC (Bring Your Own Credentials). The token is entered locally inside your private environment or workspace instance and injected tightly and exclusively into your isolated runtime execution. It is never exposed publically.

View all recipes →

Run SOC 2 Compliance Audits Using MCP Servers

Your SOC 2 auditor asks for access review evidence and you spend 3 days exporting CSVs , your agent builds the report in 2 minutes

Drata Okta Airtable

View all recipes

Connect to your AI in seconds.

Clear user sessions

Deactivate user

Get group

Okta MCP Server: 10 Tools for Identity & Access Control

Make your AI actually useful.

Clear User Sessions

Deactivate User

Get Group

Get User

Get App

List Groups

List Users

List System Logs

List Apps

List Group Users

Security and governance baked right in.

Claude AI

Open Claude Settings

Add Custom Connector

Start a conversation

Claude Code

Open your terminal

Add the MCP Server

Start coding

Cursor

One-Click Install (Recommended)

Open Cursor Settings

Add New Server

Use in Composer

Antigravity

Configure Agent Environment

Bind the Endpoint

Execute

VS Code Copilot

One-Click Install (Recommended)

Open MCP Settings

Add Server Config

Windsurf

One-Click Install (Recommended)

Open Windsurf Settings

Add Server Endpoint

LangChain

Install Dependencies

Connect the Server

CrewAI

Define the Tool

Execute Task

Choose How to Get Started

Build Your Own

Make Your AI Do More

Works with Claude, ChatGPT, Cursor, and more

Checking a User's Status Shouldn't Be a Multi-Step Dashboard Choreography.

The Okta MCP Server makes account termination simple with `deactivate_user`.

What your AI can actually do with this

Here's how it actually works

Who is this actually for?

What Changes When You Connect

See it in action

Investigating a Suspicious Login

Bulk Decommissioning

Auditing Departmental Access

Fixing a User Lockout

The honest tradeoffs

Assuming Full Access

Using the Wrong Scope

Ignoring Deprovisioning

When It Fits, When It Doesn't

Questions you might have

Powerful workflows you can unlock today

Run SOC 2 Compliance Audits Using MCP Servers