Connect the MCP
The auth.is MCP server at https://mcp.auth.is is the management surface. Everything you can configure — teams, issuers, clients, members, invites, federation providers, theming, and signing keys — is an MCP tool your AI assistant calls on your behalf. There is no separate admin console; the conversation is the console.
Connecting
Add https://mcp.auth.is as a connector in your AI tool. In Claude (claude.ai), use Settings → Connectors → Add custom connector. In Claude Code:
claude mcp add --transport http auth-is https://mcp.auth.is
See the Quickstart for the full first-run walkthrough.
The auth model — auth.is dogfoods its own IdP
The MCP does not use API keys or personal access tokens. It authenticates you with the exact same OpenID Connect flow your own apps will use — auth.is is a customer of its own identity provider.
Concretely: an unauthenticated call is rejected with a 401 and an RFC 9728 WWW-Authenticate header pointing at the resource metadata. Your tool follows that to the root issuer, registers itself via dynamic client registration, and runs a normal authorization-code + PKCE flow. You sign in (or sign up) and approve the mgmt scope in the browser once; the tool then retries with a bearer token whose audience is https://mcp.auth.is. The MCP forwards that token to api.auth.is for every call.
Your first connect is your sign-up. The OAuth flow lands on login.auth.is, where you create your account and accept terms — the whoami and create_team tools take over from there.
The tool surface
There are 34 tools. whoami and get_started are registered first so they surface at the top of the list. Every mutating tool tells you, in its result, that the change is live immediately on your running issuer — issuer-affecting changes bump the issuer's configVersion and invalidate the live provider cache with no restart.
Onboarding
| Tool | What it does |
|---|---|
whoami | Returns your user (id, email, name) and your teams. The connection heartbeat. |
get_started | Inspects your account and returns a tailored, ordered checklist, each step naming the exact tool to call next. Ask "what now?" any time. |
Teams — /teams
| Tool | What it does |
|---|---|
list_teams | Every team you belong to, with your role. |
get_team | One team plus its issuer (id, slug, configVersion). The issuer.id is what every issuer/client/provider/theme/key tool takes as issuerId. |
create_team | Creates a team and, atomically, its first issuer at {slug}.auth.is. You become the owner. |
Issuers & keys — /issuers, /signing-keys
| Tool | What it does |
|---|---|
get_issuer | The issuer's settings: registration mode, session TTL, passkey default, resource servers, theme. Never key material. |
update_issuer_settings | Merge a patch: registrationMode, sessionTtlSeconds, or passkeysDefaultEnabled. Owner only. |
list_signing_keys | Public key lifecycle (kid, status active/next/retired, timestamps). Never key material. |
rotate_signing_keys | Drive one step of zero-downtime rotation: prepare, then promote, then retire. Owner only. |
Clients — /clients
| Tool | What it does |
|---|---|
list_clients | Secret-free summaries of every client under an issuer. |
get_client | One client's full non-secret metadata. The secret is never returned, not even masked. |
create_client | Register a new client. Confidential clients get a one-time secret. Owner only. |
update_client | General fields: name, post-logout URIs, require_pkce, registration_enabled. Owner only. |
update_client_redirect_uris | Replace the entire redirect-URI set (not additive). Owner only. |
rotate_client_secret | Mint a new confidential secret (returned once); the old one stops working immediately. Owner only. |
toggle_client_passkeys | Enable/disable the passkey second factor for a client. Owner only. |
set_client_providers | Restrict which federation providers this client offers. Owner only. |
update_client_token_ttls | Set id_token and/or refresh_token lifetimes (seconds). Owner only. |
delete_client | Permanently delete a client and revoke its grants. Owner only. |
Members & invites — /members, /invites
| Tool | What it does |
|---|---|
list_members | The team roster with roles and join dates. |
update_member_role | Promote to owner or demote to member. Owner only; the last owner cannot be demoted. |
remove_member | Remove a member (or leave, yourself). The last owner cannot be removed. |
list_invites | Pending plus recently accepted/revoked/expired invites, with derived status. Owner only. |
invite_member | Email a single-use join link. The raw link is never returned — only a masked view. Owner only. |
revoke_invite | Revoke a still-pending invite. Owner only. |
Federation providers — /identity-providers
| Tool | What it does |
|---|---|
list_providers | Configured providers with masked config (the upstream secret collapses to hasSecret). |
add_identity_provider | Add a "Continue with …" upstream (google, entra, kenni, oidc). Owner only. |
update_identity_provider | Partially update a provider. The type is immutable. Owner only. |
remove_identity_provider | Remove a provider; blocked while users still sign in through it. Owner only. |
Theming — /theming
| Tool | What it does |
|---|---|
preview_theme | Generate a theme from an accent color and return a live, signed preview URL. Read-only — nothing is stored. |
tweak_theme_stop | Override a single generated color stop (or the gradient) and preview again. Still no write. |
apply_theme | Persist a theme as the issuer's brand. Owner only. |
apply_client_theme | Persist a per-client theme override (client wins over issuer). Owner only. |
Who can do what
Reads are open to any member of the team; mutations that change the issuer or the roster are owner only. A non-owner attempting an owner-only tool gets a permission error. auth.is never reveals whether a team you cannot access exists — you get a generic not-found. See Members for the full role model.