fctr-okta

This MCP server provides a secure, dual-mode interface to Okta resources for AI-assisted querying. It supports standard MCP mode where tools are exposed directly to the language model (e.g., read_system_instructions, okta_* tools, and execute_code), as well as an agent mode where the AI discovers and composes operations dynamically. Transport is HTTP for remote deployments or STDIO for local desktop workflows. To start with HTTP, run the server in Python (via uv or directly) and point your MCP client to the base URL exposed by the server. The available tools include Okta-specific operations for users, groups, and apps, plus code-execution capabilities to produce rich results (CSV export is supported), all within a sandboxed environment for safety.

Prerequisites:

• Python 3.8+ installed
• Git installed
• Optional: uv (if you prefer running via uv) or Docker if you want containerized deployment

Step-by-step:

1. Clone the repository git clone https://github.com/fctr-id/fctr-okta-mcp-server.git cd fctr-okta-mcp-server

2. Create a virtual environment and activate it (recommended) python -m venv .venv source .venv/bin/activate # macOS/Linux ./.venv\Scripts\activate # Windows

3. Install the package in editable mode pip install -e .

4. Prepare configuration

   • Copy the sample environment file if provided and edit as needed cp .env.sample .env
   • Ensure Okta credentials and transport options are set in the environment

5. Run the server (HTTP transport) python -m fctr_okta_mcp.server --http-transport --i-understand-the-risks

Optional (Docker):

• Build and run a container for STDIO or HTTP modes as shown in the project docs. Ensure environment variables are provided to the container via -e flags or a mounted .env file.

Tips and common issues:

• Ensure ENABLE_AGENT_MODE is set according to your security needs; agent mode discovers APIs dynamically and may expose more surface area.
• For production, prefer OAuth2 with Private Key JWT (OKTA_OAUTH2_PRIVATE_KEY_PEM) and limit tokens appropriately.
• If you encounter transport binding errors, verify MCP_BASE_URL and network connectivity between client and server.
• CSV export can be used to generate reports from query results; confirm file write permissions for the server process.
• If running in Docker, remember to map volumes for logs and results to prevent data loss across restarts.