# Userfront MCP

> Userfront MCP Server lets your AI agent manage entire identity infrastructures. You can create, update, and delete users; structure multi-tenant accounts with `create_child_tenant`; audit active security contexts using `get_user_sessions`, or programmatically issue JWT tokens. It's a full Identity Access Management (IAM) suite for complex systems.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** authentication, user-management, multi-tenancy, iam, identity-platform

## Description

**Userfront MCP Server: Identity and Access Management**

Listen up. This server lets your AI agent manage an entire identity infrastructure for your applications. You don't gotta click through some dashboard just to make changes; you tell your agent what to do, and it handles the complex calls—everything from setting up a new tenant root to revoking a single API key.

**Managing Users:**
You can create brand-new user accounts with `create_user`, or update existing records using `create_or_update_user`. Need to clean house? You delete users permanently via `delete_user`. For bulk operations, you initiate the process by running `create_user_import` and then check the job status using `get_user_import`; once done, you can run `process_user_import` to handle the file. To find specific accounts, use `find_users`, or pull a user's full profile details with `get_user`. If a key user needs their account reactivated, you change their status using `mark_user_active`; otherwise, if they need an invite sent out, run `invite_user` or grant them specific permissions through `invite_role`. To keep tabs on who's logged in, `get_user_sessions` reads all active security sessions for a user, and you can force everyone off the grid using `logout_user`.

**Building Out Your Organization (Multi-Tenancy):**
To structure complex systems, you start by creating an entirely new primary tenant account with `create_tenant`. If that parent needs sub-accounts, you establish them using `create_child_tenant`. You can search for available organizational boundaries and list them all using `find_tenants`, or grab the full metadata for a specific tenant via `get_tenant`. Need to tweak a tenant's settings? Use `update_tenant` to modify its metadata. Remember, you can delete an entire tenant—and everything connected to it—with `delete_tenant`.

**Controlling Permissions and Roles:**
Access control is where this thing shines. You define global roles for the whole application using `create_role`, then retrieve every available definition with `list_roles`. If a role only applies to one specific client, you define it locally using `create_tenant_role` and view all those local rules with `list_tenant_roles`. To assign permissions, you apply global roles across the platform via `set_user_roles`, or restrict access within a single tenant boundary by setting user roles with `set_tenant_user_roles`. You can also list what roles are available for a specific tenant using `list_tenant_roles`.

**Handling Security and Credentials:**
Security is everything, so we got tools for that. For API keys, you generate new ones with `create_api_key`, review all existing keys by running `list_api_keys`, or check if a key is still good using `verify_api_key`. If a key gets compromised, you delete it immediately with `delete_api_key` or instantly deactivate it with `invalidate_api_key`. When dealing with JWT tokens, your agent can read the required format for token creation via `get_jwt_format`, see all available claims using `get_jwt_available_claims`, and fetch the public keys used by the platform with `get_jwks` or `list_jwt_keys`. To issue a custom access token for unique flows, you use `create_custom_jwt`; if your token rules change, you can update them with `update_jwt_format`.

**Cleanup and Maintenance:**
When you're done with old definitions, you remove global roles using `delete_role`, or wipe out user records with `delete_user`. Similarly, you clean up API keys by running the deletion functions. For tenant data, if a parent account is gone, you delete it with `delete_tenant`.

This suite gives your agent everything needed to manage users, structure multi-tenancies, and control every aspect of access—no manual clicking required.

## Tools

### create_api_key
Generates a new API key for use with the platform.

### create_child_tenant
Establishes a nested child tenant under an existing parent account.

### create_custom_jwt
Generates a custom JWT access token for specific user flows.

### create_or_update_user
Adds a new user record or modifies an existing one with this function.

### create_role
Creates a new, global role definition for the application.

### create_tenant_role
Defines and sets up a role that is specific to a single tenant.

### create_tenant
Initializes and creates an entirely new primary tenant account.

### create_user_import
Initiates a process for bulk creating users from an uploaded file.

### create_user
Creates a brand-new user record in the system.

### delete_api_key
Deletes an existing API key, revoking its access immediately.

### delete_role
Removes a defined role from the system.

### delete_tenant
Deletes an entire tenant and all of its connected child tenants/data.

### delete_user_import
Cleans up and deletes an existing user import job record.

### delete_user
Permanently removes a user record from the system.

### find_tenants
Searches and lists available tenant accounts based on criteria you provide.

### find_users
Uses a POST request to search for specific users within a defined tenant.

### generate_link_credentials
Creates link credentials necessary for setting up custom authentication flows.

### get_jwks
Retrieves the JSON Web Key Set used by the platform's tokens.

### get_jwt_available_claims
Lists all possible claims that can be included in a JWT token.

### get_jwt_format
Reads and displays the required format for creating custom JWT tokens.

### get_tenant
Retrieves all metadata associated with a specific tenant account.

### get_user_import
Checks the current status of a previously submitted bulk user import job.

### get_user_sessions
Reads all currently active security sessions tied to a specific user account.

### get_user
Reads and returns the full profile record for a specified user.

### invalidate_api_key
Immediately deactivates and revokes an existing API key, making it unusable.

### invite_role
Grants a specific role to a user by inviting them through the system.

### invite_user
Sends an invitation email and account creation link to a user's provided email address.

### list_api_keys
Lists all API keys of a specific type or owner for auditing purposes.

### list_jwt_keys
Displays the public keys used in JWT tokens, useful for external verification.

### list_roles
Retrieves a list of every available role definition across the entire application.

### list_tenant_roles
Lists all roles that are confined to and applicable only within a single tenant.

### logout_user
Forces the immediate invalidation of all active user sessions, effectively logging them out everywhere.

### mark_user_active
Changes a user's status to 'Active', granting them full access privileges again.

### process_user_import
Starts the background process for handling a bulk user import job file.

### set_tenant_user_roles
Assigns and updates roles for users, strictly within the boundaries of one tenant.

### set_user_roles
Applies global roles to a user that apply across all tenants in the application.

### update_jwt_format
Allows you to create or modify the custom rules for how JWT tokens are formatted.

### update_tenant
Modifies metadata or settings of an existing tenant account.

### update_user
Changes specific details (like email or name) for an existing user record.

### verify_api_key
Checks if a given API key is valid and still active without needing to delete it first.

## Prompt Examples

**Prompt:** 
```
Create a new user with email 'dev@example.com' and name 'John Doe'.
```

**Response:** 
```
I've created the user record for John Doe. The new User ID is `usr_abcd123`. Would you like to send them an invitation email now?
```

**Prompt:** 
```
Find all users in my tenant who have 'admin' in their custom data.
```

**Response:** 
```
Searching... I found 3 users matching that criteria. Here are their details: [List of users]. Do you need to update any of their permissions?
```

**Prompt:** 
```
Create a child tenant named 'Beta Testers' under parent tenant 'ten_xyz789'.
```

**Response:** 
```
The child tenant 'Beta Testers' has been successfully created with ID `ten_beta456`. You can now start migrating users to this sub-account.
```

## Capabilities

### Manage User Accounts
Create, modify, delete, and import records for individual users using tools like `create_or_update_user` and `delete_user`.

### Structure Multi-Tenancy
Define and manage organizational boundaries by creating root tenants or nested sub-tenants with `create_tenant` and `create_child_tenant`.

### Control Access Roles
Assign, list, and update user permissions at both the application scope (`set_user_roles`) and specific tenant levels (`set_tenant_user_roles`).

### Audit Sessions & Credentials
Retrieve active user sessions via `get_user_sessions` or manage API keys by generating, listing, or invalidating them.

## Use Cases

### The Security Audit
A security engineer needs to know if a former employee's credentials are still active after they left. They tell their agent: 'Check all sessions for user X and revoke all keys.' The agent runs `get_user_sessions` and then executes `logout_user`, ensuring zero lingering access points.

### Beta Group Onboarding
A PM needs to test a new feature with 15 select users. They ask their agent to 'Create 15 accounts under the Beta Tenant and give them Editor roles.' The agent runs `create_child_tenant`, loops through user creation using `create_user` and role assignment via `set_tenant_user_roles`. Done in seconds.

### System Migration
A DevOps team is migrating data. They need to ensure the new tenant structure is correct. They instruct their agent to 'Find all tenants and list the roles available for each one.' The agent runs `find_tenants` followed by multiple calls to `list_roles` and `list_tenant_roles`.

### User Profile Update
A customer support rep has a user who changed their email address. Instead of navigating menus, they tell the agent: 'Update the user profile for John Smith with this new email.' The agent runs `update_user` instantly.

## Benefits

- Audit who's logged in: Use `get_user_sessions` to check all active security contexts for a user instantly. You don't have to wait for manual reports; you get real-time status updates.
- Manage users at scale: Forget updating profiles one by one. The `create_or_update_user` tool lets your agent handle upserts, making user provisioning fast and consistent.
- Build complex organizations: Need a separate testing environment? Use `create_child_tenant` to spin up isolated sub-accounts without touching the main production tenant.
- Instant access control: Instead of guessing permissions, use `set_user_roles` or `set_tenant_user_roles` to guarantee the exact level of access needed for a specific job.
- Secure your keys: Don't leave credentials lying around. Generate new keys with `create_api_key`, and when done, immediately call `invalidate_api_key` to kill them.

## How It Works

The bottom line is: you talk to your agent conversationally, and it handles the complex API workflow needed for identity changes.

1. Subscribe to the Userfront server and provide your required API Key.
2. Your AI client sends a request (e.g., 'Find all users in Tenant X with admin access').
3. The MCP Server executes the necessary tool calls, retrieves the data, and passes the results back to your agent.

## Frequently Asked Questions

**How do I find all users in a specific tenant using find_users?**
You send the `find_users` tool with the specific tenant ID and any required filters. This returns a list of user records that match your criteria, so you can audit them quickly.

**What's the difference between create_user and create_or_update_user?**
`create_user` makes an entirely new record. Use `create_or_update_user` if you’re unsure if the user exists, as it handles both creating a new profile or simply modifying existing data.

**How do I force-log out all users with logout_user?**
`logout_user` invalidates every active session for that user. It's the clean way to revoke access without having to delete their account record entirely.

**Can I check if an API key is still valid before deleting it? (verify_api_key)**
Yes, you use `verify_api_key`. It checks the status of a key without revoking anything. This helps prevent accidental service disruptions when auditing.

**If I delete a tenant using delete_tenant, what happens to its users?**
This action deletes the entire tenant and all linked data within it. Be careful: this is irreversible. Always verify with `get_tenant` first.

**What does the tool `list_roles` return, and how can I check existing system permissions?**
It returns a list of every role defined for your platform. You get all available roles, including their descriptions, so you know exactly what permissions exist before assigning one.

**When using `find_tenants`, how do I search for specific branches within the overall tenant hierarchy?**
You pass a parent ID to narrow the scope of your query. This lets you filter results down to a single organizational branch, which is critical when managing large, multi-level accounts.

**If my application requires an access token outside of the normal login flow, how do I use `create_custom_jwt`?**
You pass required claims and set the expiration time to generate a signed JWT. This gives your client app programmatic control over user access without having to rely on standard session creation.

**Can I search for users based on specific criteria like email or custom data?**
Yes. Use the `find_users` tool. You can pass a filters object to match specific user attributes within your tenant.

**How do I manage sub-organizations or child accounts?**
Userfront supports multi-tenancy. You can use `create_child_tenant` to create a new tenant under an existing parent, allowing for complex organizational hierarchies.

**Is it possible to see if a user is currently logged in?**
You can use the `get_user_sessions` tool by providing a `userId`. This will return all active sessions associated with that specific user.