{
  "id": "okta-okta-mcp-server",
  "name": "okta-mcp-server",
  "homepage": null,
  "repo_url": "https://github.com/okta/okta-mcp-server",
  "category": "security",
  "subcategories": [],
  "tags": ["mcp", "okta", "identity", "iam", "admin-automation", "llm-tools", "python", "device-authorization", "private-key-jwt"],
  "what_it_does": "Provides an MCP (Model Context Protocol) server that lets LLMs/agents perform Okta admin management operations (CRUD on users, groups, apps, policies, etc.) by calling Okta's Admin Management APIs. Supports the interactive OAuth 2.0 Device Authorization Grant and automated Private Key JWT client authentication, with confirmation for destructive operations via the MCP Elicitation API.",
  "use_cases": [
    "Natural-language Okta user provisioning and deprovisioning",
    "Group membership management (add/remove users, list memberships)",
    "Application lifecycle management (list/create/update where supported)",
    "Audit-style queries such as failed login attempts within a time window",
    "Policy inspection/management via LLM-assisted admin workflows"
  ],
  "not_for": [
    "Running untrusted prompts without safeguards in highly privileged production environments",
    "Automating destructive operations without human confirmation when your MCP client does not support elicitation, or does not handle the no-elicitation fallback safely",
    "Use as a general-purpose Okta API proxy for arbitrary system-to-system calls without MCP client controls"
  ],
  "best_when": "You want an LLM-connected, tool-based interface to Okta Admin APIs with scoped permissions and (ideally) elicitation for destructive actions.",
  "avoid_when": "You cannot control or validate prompts/tool invocations, or you cannot securely manage long-lived Okta credentials/keys for the server.",
  "alternatives": [
    "Use okta-sdk-python directly from your own backend with strict business logic and approvals",
    "Build a thin custom MCP server around only the Okta endpoints you explicitly allow",
    "Use Zapier/Make/Workflows-style automation with a dedicated integration account (when appropriate)"
  ],
  "af_score": 54.8,
  "security_score": 71.5,
  "reliability_score": 23.8,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T15:30:14.269846+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": true,
    "mcp_server_url": null,
    "has_sdk": false,
    "sdk_languages": [],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": ["Device Authorization Grant (interactive)", "Private Key JWT (browserless server-to-server)"],
    "oauth": true,
    "scopes": true,
    "notes": "Both methods are OAuth 2.0 flows against the Okta org authorization server. Authentication is configured via environment variables in the MCP client/server launch (OKTA_CLIENT_ID, OKTA_ORG_URL, OKTA_SCOPES, and either the browser-based device flow with keyring persistence of the token, or Private Key JWT with OKTA_PRIVATE_KEY and OKTA_KEY_ID). OKTA_SCOPES should list only the Okta API scopes the enabled tools need. Destructive operations prompt for confirmation via MCP elicitation."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "Project is described as an open-source server; Okta usage costs depend on your Okta tenant/licensing."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 54.8,
    "security_score": 71.5,
    "reliability_score": 23.8,
    "mcp_server_quality": 75.0,
    "documentation_accuracy": 70.0,
    "error_message_quality": 0.0,
    "error_message_notes": null,
    "auth_complexity": 65.0,
    "rate_limit_clarity": 30.0,
    "tls_enforcement": 80.0,
    "auth_strength": 85.0,
    "scope_granularity": 75.0,
    "dependency_hygiene": 55.0,
    "secret_handling": 55.0,
    "security_notes": "Security posture depends largely on correct Okta app setup and scope minimization. Provides two auth modes (device flow and Private Key JWT) and uses Okta API scopes. The private key is passed via an environment variable: it is inherited by child processes, readable by same-user processes through the process environment (e.g. /proc/<pid>/environ on Linux), and may be captured in logs or crash dumps. The README mentions elicitation for destructive actions, which improves safety when the MCP client supports it. No explicit TLS, rate-limit, secret-redaction, or detailed error-handling guidance is visible in the provided content.",
    "uptime_documented": 0.0,
    "version_stability": 40.0,
    "breaking_changes_history": 20.0,
    "error_recovery": 35.0,
    "idempotency_support": false,
    "idempotency_notes": "Not documented in the provided README; Okta write operations may not be idempotent depending on endpoint semantics (e.g. repeated creates fail or duplicate, repeated deactivations are no-ops).",
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Be careful with prompt-to-action behavior for destructive operations (deletes/deactivations). Even with elicitation, clients that do not support the feature may fall back to a less safe flow; verify how your client behaves before granting manage scopes.",
      "Ensure scopes are minimally privileged; the tool can perform any Okta admin action its granted scopes allow, and manage scopes include the corresponding read access.",
      "The Device Authorization flow requires manual browser completion; for unattended automation prefer Private Key JWT with a key stored outside the environment where possible.",
      "Token/key material is supplied via environment variables (private key); ensure logs, crash dumps, and process inspection are controlled."
    ]
  }
}
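The two controls this record keeps returning to, keeping OKTA_SCOPES to what the enabled tools need and refusing destructive tool calls when the MCP client cannot elicit a human confirmation, are easy to state and easy to get wrong in the fallback path. The following is an added example of a fail-closed policy layer an MCP host or wrapper could put in front of the server's tools; it is not code from okta/okta-mcp-server. The tool names, the TOOL_CATALOG mapping, and the `elicit` callback signature are assumptions made for the example; the scope strings follow Okta's documented okta.<resource>.<read|manage> naming, and a manage scope is treated as covering the read scope of the same resource.

```python
"""Fail-closed policy gate for Okta admin tools exposed over MCP (added example).

Not part of okta/okta-mcp-server. Demonstrates:
  1. least-privilege checking of the OKTA_SCOPES value against the tools enabled;
  2. confirmation of destructive tools that refuses (rather than proceeds) when
     the client cannot elicit an answer or the operator cancels.
TOOL_CATALOG, the tool names and the elicit callback are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Hypothetical tool catalog: tool name -> (Okta API scope it needs, destructive?)
TOOL_CATALOG: Dict[str, Tuple[str, bool]] = {
    "list_users":          ("okta.users.read",    False),
    "get_user":            ("okta.users.read",    False),
    "create_user":         ("okta.users.manage",  False),
    "deactivate_user":     ("okta.users.manage",  True),
    "delete_user":         ("okta.users.manage",  True),
    "list_groups":         ("okta.groups.read",   False),
    "add_group_member":    ("okta.groups.manage", False),
    "remove_group_member": ("okta.groups.manage", True),
}

# An MCP elicitation shim: returns True (accepted), False (declined) or None (cancelled).
Elicit = Callable[[str], Optional[bool]]


def parse_scopes(raw: str) -> Set[str]:
    """OKTA_SCOPES is a space-separated list, like an OAuth 2.0 scope parameter."""
    return {s for s in raw.split() if s}


def _covers(granted: str, needed: str) -> bool:
    """True if `granted` satisfies `needed`; manage is treated as a superset of read."""
    if granted == needed:
        return True
    g_res, _, g_lvl = granted.rpartition(".")
    n_res, _, n_lvl = needed.rpartition(".")
    return g_res == n_res and g_lvl == "manage" and n_lvl == "read"


def needed_scopes(enabled_tools: Iterable[str]) -> Set[str]:
    return {TOOL_CATALOG[t][0] for t in enabled_tools}


def missing_scopes(granted: Set[str], enabled_tools: Iterable[str]) -> Set[str]:
    """Scopes the enabled tools need that no granted scope covers."""
    return {n for n in needed_scopes(enabled_tools)
            if not any(_covers(g, n) for g in granted)}


def excess_scopes(granted: Set[str], enabled_tools: Iterable[str]) -> Set[str]:
    """Granted scopes that are not exactly what some enabled tool needs.
    A manage scope granted where only read is needed counts as excess."""
    needed = needed_scopes(enabled_tools)
    return {g for g in granted if g not in needed}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_call(tool: str, granted: Set[str], elicit: Optional[Elicit]) -> Decision:
    """Decide whether one tool invocation may proceed.

    Destructive tools need an explicit True from the client's elicitation. A client
    that cannot elicit (elicit is None) is refused instead of falling through, which
    is the unsafe fallback the record above warns about.
    """
    if tool not in TOOL_CATALOG:
        return Decision(False, f"unknown tool {tool!r}")
    scope, destructive = TOOL_CATALOG[tool]
    if not any(_covers(g, scope) for g in granted):
        return Decision(False, f"{tool} requires scope {scope}, which is not granted")
    if not destructive:
        return Decision(True, "non-destructive")
    if elicit is None:
        return Decision(False, f"{tool} is destructive and the client cannot elicit confirmation")
    answer = elicit(f"Confirm destructive Okta operation {tool}? (yes/no)")
    if answer is True:
        return Decision(True, "confirmed by operator")
    return Decision(False, "destructive operation declined or cancelled")


if __name__ == "__main__":
    # Constructed launch configuration: over-privileged for a read-only tool set.
    granted = parse_scopes("okta.users.manage okta.groups.read okta.apps.manage")
    enabled = ["list_users", "get_user", "list_groups"]
    print("missing:", missing_scopes(granted, enabled))   # set()
    print("excess: ", excess_scopes(granted, enabled))    # manage scopes nobody needs
    # A client without elicitation support must not be able to delete anyone.
    print(authorize_call("delete_user", granted, None))
```

The gate deliberately returns a Decision rather than raising, so the host can log the reason alongside the tool call; in practice the startup check (missing/excess) belongs before the server is exposed to any model, and the per-call check belongs in the path every tool invocation takes.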