# PropelAuth MCP

> PropelAuth MCP Server manages B2B identity lifecycles for your AI agent. It handles user creation, organization governance, role assignment, and full API key management without needing manual dashboard interaction. Your agent can programmatically create users (`create_user`), manage memberships (`add_user_to_org`), or audit access via `get_api_key_usage` directly in conversation.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** b2b-auth, user-management, saas-infrastructure, multi-tenancy, api-security

## Description

PropelAuth handles your entire B2B identity lifecycle so you don't have to touch a dashboard. Your agent treats user and organization management like simple natural language commands. You can build out complex, multi-tenant systems—creating new client organizations with `create_org`, querying multiple tenants using `query_orgs`, or updating general organizational details via `update_org`. You'll also get full details on a specific tenant using `get_org` and you can permanently wipe an organization and all its data with `delete_org`.

When it comes to users, your agent manages the entire identity lifecycle. You can create new accounts for clients with `create_user`, or find existing people quickly by their email address with `get_user_by_email`, or just by username using `get_user_by_username`. If a user needs an update (say, changing their name via `update_user` or switching their primary email with `update_user_email`), you'll handle it. For security, you can manually change passwords with `update_user_password`, reset the password and clear credentials using `clear_user_password`, and block an account entirely by calling `disable_user`; don't forget that you can restore access anytime with `enable_user`. You also have tools to manage membership: you can send out invites and add a user to an organization roster directly with `invite_user_to_org`, or remove them from a tenant using `remove_user_from_org`. If someone needs to leave, your agent handles it by calling `delete_user` or `delete_api_key`.

For enterprise setups, you've got full control over federation. You can configure OpenID Connect (OIDC) and SAML identity providers by setting the required metadata using `set_oidc_idp_metadata` or `set_saml_idp_metadata`. To get a client connected via SAML SSO, your agent generates the exact setup link with `create_saml_connection_link`, and you can activate or deactivate SAML authentication for an entire organization using `allow_saml` or flip an existing config to 'live' status with `go_live_saml`. You can also migrate existing users from other systems into PropelAuth's management scope via `migrate_user`, and if a user needs immediate lockout, your agent invalidates all their active sessions using `logout_all_user_sessions`.

API key governance is handled programmatically. Your agent generates brand new keys for end-users with `create_api_key`, or provisions temporary tokens for testing or machine-to-machine calls using `create_access_token`. When a key needs adjusting, you can modify its scope or details with `update_api_key`, and if it's stale, you delete it instantly with `delete_api_key`. To keep tabs on usage, your agent pulls consumption data via `get_api_key_usage` and retrieves a list of all active keys using `get_active_api_keys`. You can also check key status in real-time by running the `validate_api_key` tool.

When you need to audit access or find specific records, your agent has multiple lookup options. You can pull every detail about a user with `get_user`, or list everyone belonging to a tenant using `get_users_in_org`. For deeper reads, you can check current OAuth tokens associated with an account via `get_oauth_tokens` and get the complete details for any organization with `get_org`. You'll also find tools that let you query users and organizations in bulk, supporting filtering and pagination through `query_users` and `query_orgs`, respectively. For roles, you can fetch definitions of custom roles used across the platform by calling `get_custom_role_mappings`, or link a tenant to these structures with `subscribe_org_to_mapping`. Finally, if a user needs to log in without a password, your agent generates a unique, time-sensitive magic link using `create_magic_link`, and you can refresh an expired provider token for any account using `refresh_provider_token`.

## Tools

### add_user_to_org
Assigns a specified user to an existing organization.

### allow_saml
Activates or deactivates SAML authentication for an entire organization.

### change_user_role_in_org
Updates a user's specific role within one of their organizations.

### clear_user_password
Resets and clears the password for any specified user account.

### create_access_token
Generates a temporary access token, useful for testing or machine-to-machine calls.

### create_api_key
Generates and provisions a brand new API key for an end-user.

### create_magic_link
Creates a unique, time-sensitive magic link for a user's passwordless login.

### create_org
Establishes and provisions a new client organization within the platform.

### create_saml_connection_link
Generates the specific setup link needed to connect an organization via SAML SSO.

### create_user
Creates a new user account and profile in PropelAuth.

### delete_api_key
Removes an end-user API key from the system.

### delete_org
Permanently deletes an entire organization and all associated data.

### delete_user
Deletes a user account entirely from the system.

### disable_user
Blocks or disables a specific user, preventing them from logging in.

### enable_user
Restores account access by enabling a previously disabled user.

### get_active_api_keys
Retrieves a list of all currently active API keys across the system.

### get_api_key_usage
Pulls usage statistics and consumption data for specific API keys.

### get_custom_role_mappings
Fetches definitions of custom roles used within the platform.

### get_oauth_tokens
Retrieves current OAuth tokens associated with a user's account.

### get_org
Fetches all details for a specific organization using its unique ID.

### get_saml_sp_metadata
Retrieves the Service Provider (SP) metadata needed to configure SAML SSO.

### get_user_by_email
Finds and returns a user's profile based on their registered email address.

### get_user_by_username
Locates a specific user account using only their unique username.

### get_user
Fetches all data for a user using their unique ID.

### get_users_in_org
Lists all users who belong to a specific organization.

### go_live_saml
Sets an existing SAML connection configuration to 'live' status, making it active for login.

### invite_user_to_org
Sends an invitation email and adds a user to an organization roster.

### logout_all_user_sessions
Invalidates all active sessions for a given user, forcing them to re-login.

### migrate_user
Moves an existing user account from another system into PropelAuth's management scope.

### query_orgs
Searches and lists multiple organizations based on provided criteria.

### query_users
Lists all users, supporting filtering and pagination for large directories.

### refresh_provider_token
Updates an expired OAuth provider token for a specific user's account.

### remove_user_from_org
Removes a user membership from one or more organizations.

### set_oidc_idp_metadata
Configures the necessary metadata for an OpenID Connect (OIDC) Identity Provider.

### set_saml_idp_metadata
Sets the required metadata for a SAML Identity Provider.

### subscribe_org_to_mapping
Links an organization to a custom role mapping structure.

### update_api_key
Modifies the details or scope of an existing end-user API key.

### update_org
Updates general metadata (like name or billing info) for an organization.

### update_user_email
Changes the primary email address associated with a user account.

### update_user_password
Allows an administrator to manually change a user's password.

### update_user
Modifies a user's profile details, such as their name or phone number.

### validate_api_key
Checks if an API key is valid, active, and still within its usage limits.

## Prompt Examples

**Prompt:** 
```
Find the user with email 'alex@company.com' and tell me which organizations they belong to.
```

**Response:** 
```
I've located the user (ID: user_98765). They are currently a member of 'Acme Corp' (ID: org_123) with the role of 'Admin' and 'Beta Testers' (ID: org_456) as a 'Member'.
```

**Prompt:** 
```
Create a new organization called 'Stark Industries' and add 'user_555' as an Admin.
```

**Response:** 
```
Organization 'Stark Industries' has been created with ID `org_stark_001`. I have also successfully added user `user_555` to this organization with the 'Admin' role.
```

**Prompt:** 
```
List all active API keys for organization 'org_123' and check if any have high usage.
```

**Response:** 
```
I found 3 active API keys for 'org_123'. Key `pk_live_abc` has the highest usage with 1,250 calls in the last 24 hours. The other two keys show minimal activity.
```

## Capabilities

### User Lifecycle Management
Create, update, disable, or delete individual user accounts and manage their passwords.

### Organization Structure Control
Build out multi-tenant environments by creating organizations and assigning users to specific tenants with defined roles.

### API Key Governance
Programmatically generate, validate, update, or delete end-user API keys while tracking usage metrics.

### Federation and Authentication Setup
Configure enterprise identity standards like SAML and OIDC by setting metadata and generating setup links.

### User Lookup and Retrieval
Find specific users or organizations using unique identifiers like email, username, or organization ID.

## Use Cases

### Auditing User Access Post-Incident
A security analyst finds suspicious activity. They ask the agent to 'List all users in Org 123.' The agent runs `get_users_in_org`, identifies two accounts, and then uses `get_user` on both IDs to check their last login and current roles, allowing them to immediately decide if they need to run `disable_user`.

### Client Expansion and Onboarding
A CSM signs a new client. They prompt the agent: 'Create a new organization called BetaTest.' The agent runs `create_org`. Next, they invite the core team via email using `invite_user_to_org`, setting their initial roles with `change_user_role_in_org`.

### Debugging API Key Issues
A developer reports a service failing due to an expired key. They ask the agent to 'Check API usage for client X.' The agent runs `get_api_key_usage`, finds the key is stale, and automatically executes `refresh_provider_token`.

### Deactivating a Former Employee
An HR manager needs to terminate an account. They ask the agent to 'Remove Jane Doe's access.' The agent runs `logout_all_user_sessions`, then finds all API keys using `get_active_api_keys` and runs `delete_api_key` on every single one, completing the cleanup.

## Benefits

- You control user access without context switching. Instead of navigating deep into a dashboard to change roles, you simply ask your agent to 'Change the role of John Doe in Acme Corp to Read-Only.'
- API key governance becomes immediate. You can run `get_api_key_usage` to see which keys are hitting limits or generating unnecessary traffic, stopping potential overspending before it happens.
- Onboarding is faster and safer. Use the agent to `create_org`, then immediately use `invite_user_to_org` for the first three users, completing a multi-step workflow in one chat session.
- Revoking access is comprehensive. If an employee leaves, your agent can run `logout_all_user_sessions` followed by `delete_api_key` and then finally `disable_user`, so active sessions, API keys and login access are all revoked.
- Federation setup is streamlined. You set the necessary SAML or OIDC identity provider metadata (`set_saml_idp_metadata`, `set_oidc_idp_metadata`) using a simple prompt, eliminating complex XML file downloads and manual API calls.

## How It Works

The bottom line is that you control complex B2B identity operations entirely through conversational prompts.

1. Subscribe to the PropelAuth server on Vinkius Marketplace.
2. Enter your API Key and Authentication URL from your PropelAuth dashboard into the connection settings.
3. Direct your AI client (Claude, Cursor, etc.) to execute actions like 'List all users in Organization X' or 'Reset user password for Y'.

## Frequently Asked Questions

**How do I check if a user exists by email using PropelAuth MCP Server?**
You use `get_user_by_email`. This tool searches the system and returns all available data for that user, confirming existence and providing their current role and organization memberships.

**What is the best way to audit API key usage with PropelAuth MCP Server?**
Run `get_api_key_usage`. This tool collects consumption data for specific keys, showing exactly how many calls were made and when. It's better than just listing active keys because it adds metrics.

**Can I force a password reset using PropelAuth MCP Server?**
Yes, use `clear_user_password`. This tool resets the user's password and can be paired with `create_magic_link` to ensure they can log in immediately after the forced reset.

**How do I manage organization membership using PropelAuth MCP Server?**
Membership is managed by two tools: first, use `add_user_to_org` to grant access. Second, if they leave, run `remove_user_from_org` to ensure clean separation.

**Is there a way to list all current users in an organization?**
Use the `get_users_in_org` tool. It efficiently pulls every user ID and basic metadata for that specific tenant, saving you from running multiple general queries.

**How do I set up Single Sign-On (SSO) by configuring identity provider metadata using `set_saml_idp_metadata`?**
You provide the necessary SAML Identity Provider (IdP) XML data. This action tells PropelAuth how to trust external login sources, enabling SSO for your B2B tenants. Your AI agent executes this setup by passing the metadata payload directly.

**If a user's credentials are compromised, what is the best way to immediately terminate all sessions using `logout_all_user_sessions`?**
The tool forces an immediate log out across all devices and connected clients. This instantly revokes active access tokens without needing to change passwords first. It’s critical for rapid offboarding security.

**If I only have a user's system ID, how do I pull their entire profile using the `get_user` tool?**
You pass the specific User ID to the agent. The server returns all associated metadata for that account, including roles, organization memberships, and status. This lets your AI client build comprehensive audit reports.

**Can I find a user's details using only their email address?**
Yes. You can use the `get_user_by_email` tool. Simply provide the email address, and the agent will return the user's ID, metadata, and organization memberships.

**How do I add an existing user to a specific organization?**
Use the `add_user_to_org` tool. You will need the `user_id`, the `org_id`, and the `role` you wish to assign to them (e.g., 'Admin' or 'Member').

**Is it possible to monitor how many times an API key has been used?**
Yes. The `get_api_key_usage` tool allows you to retrieve usage statistics for a specific API key, helping you track activity and enforce limits.