auth.isdocs
Get started

Connect the MCP

The auth.is MCP server at https://mcp.auth.is is the management surface. Everything you can configure — teams, issuers, clients, members, invites, federation providers, theming, and signing keys — is an MCP tool your AI assistant calls on your behalf. There is no separate admin console; the conversation is the console.

Connecting

Add https://mcp.auth.is as a connector in your AI tool. In Claude (claude.ai), use Settings → Connectors → Add custom connector. In Claude Code:

claude mcp add --transport http auth-is https://mcp.auth.is

See the Quickstart for the full first-run walkthrough.

The auth model — auth.is dogfoods its own IdP

The MCP does not use API keys or personal access tokens. It authenticates you with the exact same OpenID Connect flow your own apps will use — auth.is is a customer of its own identity provider.

Concretely: an unauthenticated call is rejected with a 401 and an RFC 9728 WWW-Authenticate header pointing at the resource metadata. Your tool follows that to the root issuer, registers itself via dynamic client registration, and runs a normal authorization-code + PKCE flow. You sign in (or sign up) and approve the mgmt scope in the browser once; the tool then retries with a bearer token whose audience is https://mcp.auth.is. The MCP forwards that token to api.auth.is for every call.

The tool surface

There are 34 tools. whoami and get_started are registered first so they surface at the top of the list. Every mutating tool tells you, in its result, that the change is live immediately on your running issuer — issuer-affecting changes bump the issuer's configVersion and invalidate the live provider cache with no restart.

Onboarding

ToolWhat it does
whoamiReturns your user (id, email, name) and your teams. The connection heartbeat.
get_startedInspects your account and returns a tailored, ordered checklist, each step naming the exact tool to call next. Ask "what now?" any time.

Teams — /teams

ToolWhat it does
list_teamsEvery team you belong to, with your role.
get_teamOne team plus its issuer (id, slug, configVersion). The issuer.id is what every issuer/client/provider/theme/key tool takes as issuerId.
create_teamCreates a team and, atomically, its first issuer at {slug}.auth.is. You become the owner.

Issuers & keys — /issuers, /signing-keys

ToolWhat it does
get_issuerThe issuer's settings: registration mode, session TTL, passkey default, resource servers, theme. Never key material.
update_issuer_settingsMerge a patch: registrationMode, sessionTtlSeconds, or passkeysDefaultEnabled. Owner only.
list_signing_keysPublic key lifecycle (kid, status active/next/retired, timestamps). Never key material.
rotate_signing_keysDrive one step of zero-downtime rotation: prepare, then promote, then retire. Owner only.

Clients — /clients

ToolWhat it does
list_clientsSecret-free summaries of every client under an issuer.
get_clientOne client's full non-secret metadata. The secret is never returned, not even masked.
create_clientRegister a new client. Confidential clients get a one-time secret. Owner only.
update_clientGeneral fields: name, post-logout URIs, require_pkce, registration_enabled. Owner only.
update_client_redirect_urisReplace the entire redirect-URI set (not additive). Owner only.
rotate_client_secretMint a new confidential secret (returned once); the old one stops working immediately. Owner only.
toggle_client_passkeysEnable/disable the passkey second factor for a client. Owner only.
set_client_providersRestrict which federation providers this client offers. Owner only.
update_client_token_ttlsSet id_token and/or refresh_token lifetimes (seconds). Owner only.
delete_clientPermanently delete a client and revoke its grants. Owner only.

Members & invites — /members, /invites

ToolWhat it does
list_membersThe team roster with roles and join dates.
update_member_rolePromote to owner or demote to member. Owner only; the last owner cannot be demoted.
remove_memberRemove a member (or leave, yourself). The last owner cannot be removed.
list_invitesPending plus recently accepted/revoked/expired invites, with derived status. Owner only.
invite_memberEmail a single-use join link. The raw link is never returned — only a masked view. Owner only.
revoke_inviteRevoke a still-pending invite. Owner only.

Federation providers — /identity-providers

ToolWhat it does
list_providersConfigured providers with masked config (the upstream secret collapses to hasSecret).
add_identity_providerAdd a "Continue with …" upstream (google, entra, kenni, oidc). Owner only.
update_identity_providerPartially update a provider. The type is immutable. Owner only.
remove_identity_providerRemove a provider; blocked while users still sign in through it. Owner only.

Theming — /theming

ToolWhat it does
preview_themeGenerate a theme from an accent color and return a live, signed preview URL. Read-only — nothing is stored.
tweak_theme_stopOverride a single generated color stop (or the gradient) and preview again. Still no write.
apply_themePersist a theme as the issuer's brand. Owner only.
apply_client_themePersist a per-client theme override (client wins over issuer). Owner only.

Who can do what

Reads are open to any member of the team; mutations that change the issuer or the roster are owner only. A non-owner attempting an owner-only tool gets a permission error. auth.is never reveals whether a team you cannot access exists — you get a generic not-found. See Members for the full role model.

Next steps

Connect the MCP · auth.is docs