Userfront MCP for AI. Control identity, roles, and tenants programmatically.
Works with every AI agent you already use
…and any MCP-compatible client








How this MCP server connects to your AI agent
Userfront MCP Server lets your AI agent manage entire identity infrastructures. You can create, update, and delete users; structure multi-tenant accounts with `create_child_tenant`; audit active security contexts using `get_user_sessions`; or programmatically issue JWT tokens.
It's a full Identity Access Management (IAM) suite for complex systems.
What AI agents can do with Userfront Automation
Create, modify, delete, and import records for individual users using tools like create_or_update_user and delete_user.
Define and manage organizational boundaries by creating root tenants or nested sub-tenants with create_tenant and create_child_tenant.
Assign, list, and update user permissions at both the application scope (set_user_roles) and specific tenant levels (set_tenant_user_roles).
Retrieve active user sessions via get_user_sessions or manage API keys by generating, listing, or invalidating them.
What AI agents can do with Userfront: 40 Tools for IAM and Multi-Tenancy
These tools let you manage every aspect of user identity—from creating individual profiles to structuring entire multi-tenant organizations.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Start using Userfront on Vinkius
Create Api Key
Generates a new API key for use with the platform.
Create Child Tenant
Establishes a nested child tenant under an existing parent account.
Create Custom Jwt
Generates a custom JWT access token for specific user flows.
Create Or Update User
Adds a new user record or modifies an existing one with this function.
Create Role
Creates a new, global role definition for the application.
Create Tenant Role
Defines and sets up a role that is specific to a single tenant.
Create Tenant
Initializes and creates an entirely new primary tenant account.
Create User Import
Initiates a process for bulk creating users from an uploaded file.
Create User
Creates a brand-new user record in the system.
Delete Api Key
Deletes an existing API key, revoking its access immediately.
Delete Role
Removes a defined role from the system.
Delete Tenant
Deletes an entire tenant and all of its connected child tenants/data.
Delete User Import
Cleans up and deletes an existing user import job record.
Delete User
Permanently removes a user record from the system.
Find Tenants
Searches and lists available tenant accounts based on criteria you provide.
Find Users
Uses a POST request to search for specific users within a defined tenant.
Generate Link Credentials
Creates link credentials necessary for setting up custom authentication flows.
Get Jwks
Retrieves the JSON Web Key Set used by the platform's tokens.
Get Jwt Available Claims
Lists all possible claims that can be included in a JWT token.
Get Jwt Format
Reads and displays the required format for creating custom JWT tokens.
Get Tenant
Retrieves all metadata associated with a specific tenant account.
Get User Import
Checks the current status of a previously submitted bulk user import job.
Get User Sessions
Reads all currently active security sessions tied to a specific user account.
Get User
Reads and returns the full profile record for a specified user.
Invalidate Api Key
Immediately deactivates and revokes an existing API key, making it unusable.
Invite Role
Grants a specific role to a user by inviting them through the system.
Invite User
Sends an invitation email and account creation link to a user's provided email...
List Api Keys
Lists all API keys of a specific type or owner for auditing purposes.
List Jwt Keys
Displays the public keys used in JWT tokens, useful for external verification.
List Roles
Retrieves a list of every available role definition across the entire application.
List Tenant Roles
Lists all roles that are confined to and applicable only within a single tenant.
Logout User
Forces the immediate invalidation of all active user sessions, effectively logging...
Mark User Active
Changes a user's status to 'Active', granting them full access privileges again.
Process User Import
Starts the background process for handling a bulk user import job file.
Set Tenant User Roles
Assigns and updates roles for users, strictly within the boundaries of one tenant.
Set User Roles
Applies global roles to a user that apply across all tenants in the application.
Update Jwt Format
Allows you to create or modify the custom rules for how JWT tokens are formatted.
Update Tenant
Modifies metadata or settings of an existing tenant account.
Update User
Changes specific details (like email or name) for an existing user record.
Verify Api Key
Checks if a given API key is valid and still active without needing to delete it...
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Userfront, then connect any of our 5,100+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,100+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Userfront. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Built on the Model Context Protocol (MCP) for Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This connection provides 40 powerful capabilities that interface natively with Claude, ChatGPT, Cursor, and other compatible AI platforms. No middleware. No custom integration required.
Managing users across multiple clients shouldn't take half an hour of clicking. Solved with Vinkius AI Gateway
Right now, onboarding a client requires logging into the main portal, finding their specific tenant ID, navigating to user management, creating the account, setting the correct role, and then repeating that process for every single team member. It’s tedious copy-pasting and context switching.
With this server, your agent handles it all in one go. Tell it: 'Set up a new client tenant called Acme Corp, add three admins, and give them Editor roles.' You get confirmation that the entire structure is built and populated instantly.
Userfront MCP Server: Instant access to user identity.
Before this server, auditing who had what access meant checking dashboards across multiple tabs or running slow database queries that only gave partial information. It was hard to prove who could do what, and when they were logged in.
Now you run `get_user_sessions` and you see the full picture—active sessions, roles, API key status—all available for immediate action through your chat interface.
What your AI can actually do with this
Userfront MCP Server: Identity and Access Management
Listen up. This server lets your AI agent manage an entire identity infrastructure for your applications. You don't gotta click through some dashboard just to make changes; you tell your agent what to do, and it handles the complex calls—everything from setting up a new tenant root to revoking a single API key.
Managing Users:
You can create brand-new user accounts with create_user, or update existing records using create_or_update_user. Need to clean house? You delete users permanently via delete_user. For bulk operations, you initiate the process by running create_user_import and then check the job status using get_user_import; once done, you can run process_user_import to handle the file.
To find specific accounts, use find_users, or pull a user's full profile details with get_user. If a key user needs their account reactivated, you change their status using mark_user_active; otherwise, if they need an invite sent out, run invite_user or grant them specific permissions through invite_role. To keep tabs on who's logged in, get_user_sessions reads all active security sessions for a user, and you can force everyone off the grid using logout_user.
Building Out Your Organization (Multi-Tenancy):
To structure complex systems, you start by creating an entirely new primary tenant account with create_tenant. If that parent needs sub-accounts, you establish them using create_child_tenant. You can search for available organizational boundaries and list them all using find_tenants, or grab the full metadata for a specific tenant via get_tenant.
Need to tweak a tenant's settings? Use update_tenant to modify its metadata. Remember, you can delete an entire tenant—and everything connected to it—with delete_tenant.
Controlling Permissions and Roles:
Access control is where this thing shines. You define global roles for the whole application using create_role, then retrieve every available definition with list_roles. If a role only applies to one specific client, you define it locally using create_tenant_role and view all those local rules with list_tenant_roles.
To assign permissions, you apply global roles across the platform via set_user_roles, or restrict access within a single tenant boundary by setting user roles with set_tenant_user_roles. You can also list what roles are available for a specific tenant using list_tenant_roles.
Handling Security and Credentials:
Security is everything, so we got tools for that. For API keys, you generate new ones with create_api_key, review all existing keys by running list_api_keys, or check if a key is still good using verify_api_key. If a key gets compromised, you delete it immediately with delete_api_key or instantly deactivate it with invalidate_api_key.
When dealing with JWT tokens, your agent can read the required format for token creation via get_jwt_format, see all available claims using get_jwt_available_claims, and fetch the public keys used by the platform with get_jwks or list_jwt_keys. To issue a custom access token for unique flows, you use create_custom_jwt; if your token rules change, you can update them with update_jwt_format.
Cleanup and Maintenance:
When you're done with old definitions, you remove global roles using delete_role, or wipe out user records with delete_user. Similarly, you clean up API keys with delete_api_key. For tenant data, when a parent account is no longer needed, you delete it with delete_tenant.
This suite gives your agent everything needed to manage users, structure multi-tenancies, and control every aspect of access—no manual clicking required.
Here's how it actually works
The bottom line is: you talk to your agent conversationally, and it handles the complex API workflow needed for identity changes.
Subscribe to the Userfront server and provide your required API Key.
Your AI client sends a request (e.g., 'Find all users in Tenant X with admin access').
The MCP Server executes the necessary tool calls, retrieves the data, and passes the results back to your agent.
Who is this actually for?
Security Engineers need this when they gotta audit access across dozens of tenants without logging into a single UI. DevOps teams use it to automate user provisioning during CI/CD pipelines. Product Managers rely on it to quickly onboard beta groups and check growth metrics programmatically.
Runs audits by checking active sessions (get_user_sessions) or revoking access keys using invalidate_api_key across multiple tenants.
Writes automation scripts that provision new users, set up multi-tenant structures, and manage roles when deploying a new application version.
Invites beta testers by email (invite_user) or runs reports on user counts across various tenants using find_users.
What Changes When You Connect
Audit who's logged in: Use get_user_sessions to check all active security contexts for a user instantly. You don't have to wait for manual reports; you get real-time status updates.
Manage users at scale: Forget updating profiles one by one. The create_or_update_user tool lets your agent handle upserts, making user provisioning fast and consistent.
Build complex organizations: Need a separate testing environment? Use create_child_tenant to spin up isolated sub-accounts without touching the main production tenant.
Instant access control: Instead of guessing permissions, use set_user_roles or set_tenant_user_roles to guarantee the exact level of access needed for a specific job.
Secure your keys: Don't leave credentials lying around. Generate new keys with create_api_key, and when done, immediately call invalidate_api_key to kill them.
See it in action
The Security Audit
A security engineer needs to know if a former employee's credentials are still active after they left. They tell their agent: 'Check all sessions for user X and revoke all keys.' The agent runs get_user_sessions and then executes logout_user, which invalidates every active session for that user. API keys are a separate credential: list_api_keys shows what exists, and invalidate_api_key or delete_api_key revokes them.
Beta Group Onboarding
A PM needs to test a new feature with 15 select users. They ask their agent to 'Create 15 accounts under the Beta Tenant and give them Editor roles.' The agent runs create_child_tenant, then loops through user creation using create_user and assigns roles via set_tenant_user_roles. Done in seconds.
System Migration
A DevOps team is migrating data. They need to ensure the new tenant structure is correct. They instruct their agent to 'Find all tenants and list the roles available for each one.' The agent runs find_tenants followed by multiple calls to list_roles and list_tenant_roles.
User Profile Update
A customer support rep has a user who changed their email address. Instead of navigating menus, they tell the agent: 'Update the user profile for John Smith with this new email.' The agent runs update_user instantly.
The honest tradeoffs
Manual Role Assignment
Trying to manage roles by manually updating user records in a spreadsheet or UI, which is slow and error-prone.
Use the API for role management. To set global permissions, run set_user_roles. For tenant-specific rules, always use create_tenant_role followed by set_tenant_user_roles.
Forgetting to Revoke Keys
Creating an API key for a temporary test and then forgetting to delete it, leaving a permanent security hole.
Always treat keys as disposable. After testing, run delete_api_key or, if you just need to stop access temporarily, use invalidate_api_key.
Using the wrong scope
Trying to assign a global application role (set_user_roles) when that rule should only apply to one department (tenant).
Be specific about the boundary. If it’s departmental, use create_child_tenant and then manage roles with set_tenant_user_roles. Keep scope local.
When It Fits, When It Doesn't
Use this Userfront MCP Server if your need involves programmatic, auditable control over identity boundaries. You must be dealing with complex multi-tenancy (i.e., having many distinct organizational units that require separate rules) or managing credential lifecycles at scale. For example: you're provisioning 100 users; checking for unauthorized sessions (get_user_sessions); or establishing a new department (create_child_tenant).
Don't use this if all you need is to change a user’s name once in the main dashboard, or if your entire application runs within a single, non-segmented instance. In those cases, a simple UI interaction might be faster than writing an API call. But if scale and separation are key requirements, this server handles it.
Questions you might have
How do I find all users in a specific tenant using find_users?
You call the find_users tool with the specific tenant ID and any required filters. This returns a list of user records that match your criteria, so you can audit them quickly.
What's the difference between create_user and create_or_update_user?
create_user makes an entirely new record. Use create_or_update_user if you’re unsure whether the user exists, as it handles either creating a new profile or simply modifying existing data.
How do I force-log out all users with logout_user?
logout_user invalidates every active session for that user. It's the clean way to revoke access without having to delete their account record entirely.
Can I check if an API key is still valid before deleting it? (verify_api_key)
Yes, you use verify_api_key. It checks the status of a key without revoking anything. This helps prevent accidental service disruptions when auditing.
If I delete a tenant using delete_tenant, what happens to its users?
This action deletes the entire tenant and all linked data within it. Be careful: this is irreversible. Always verify with get_tenant first.
What does the tool `list_roles` return, and how can I check existing system permissions?
It returns a list of every role defined for your platform. You get all available roles, including their descriptions, so you know exactly what permissions exist before assigning one.
When using `find_tenants`, how do I search for specific branches within the overall tenant hierarchy?
You pass a parent ID to narrow the scope of your query. This lets you filter results down to a single organizational branch, which is critical when managing large, multi-level accounts.
If my application requires an access token outside of the normal login flow, how do I use `create_custom_jwt`?
You pass required claims and set the expiration time to generate a signed JWT. This gives your client app programmatic control over user access without having to rely on standard session creation.
Can I search for users based on specific criteria like email or custom data?
Yes. Use the find_users tool. You can pass a filters object to match specific user attributes within your tenant.
How do I manage sub-organizations or child accounts?
Userfront supports multi-tenancy. You can use create_child_tenant to create a new tenant under an existing parent, allowing for complex organizational hierarchies.
Is it possible to see if a user is currently logged in?
You can use the get_user_sessions tool by providing a userId. This will return all active sessions associated with that specific user.
We've already built the connector for Userfront. Just plug in your AI agents and start using Vinkius.
No hosting. No infrastructure. No complex setup.
All 40 tools are live and waiting.
You're up and running in seconds.
Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.
Built, hosted, and secured by Vinkius. You just connect and go.