
okta

Okta Self-Hosted MCP Server

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio okta-okta-mcp-server uvx okta-mcp-server \
  --env OKTA_KEY_ID="your-key-id" \
  --env OKTA_SCOPES="okta.users.read okta.groups.read" \
  --env OKTA_ORG_URL="https://your-org.okta.com" \
  --env OKTA_CLIENT_ID="your-client-id" \
  --env OKTA_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nYour private key content here\n-----END RSA PRIVATE KEY-----"

How to use

This MCP server enables large language models or agents to manage your Okta environment via natural language. It leverages Okta's Admin Management APIs through the Okta Python SDK, exposing CRUD-like capabilities for users, groups, applications, policies, and more. The server supports secure authentication modes including Device Authorization Grant and Private Key JWT to suit interactive, containerized, or automated deployments. When destructive actions are requested, the MCP elicitation flow can prompt for confirmation before proceeding, helping prevent accidental data loss. You can connect any compatible MCP client (like Claude Desktop) to issue natural-language instructions such as creating a user, listing failed login attempts, or auditing applications not used recently. For Docker deployments, you can pass credentials and keys through environment variables or bind mounts as shown in the examples, keeping sensitive data outside the image where possible.

How to install

Prerequisites:

  • Python 3.8+ or Docker
  • Optional: uv (which provides the uvx command), if running via uvx
  • An Okta account with Admin permissions
  • A supported MCP client (e.g., Claude Desktop)

Choose an installation method:

Option A: Docker (Recommended for most users)

  • Clone the repository and navigate to it:

    git clone https://github.com/okta/okta-mcp-server.git
    cd okta-mcp-server

  • Create a .env file from the example and populate credentials:

    cp .env.example .env

    Edit .env with your Okta credentials

  • Start the service with Docker Compose or directly with Docker:

    docker-compose up -d

    Or run the image directly as shown in the examples

Option B: uvx (Python/uv) – if you prefer running with uvx

  • Install uv, which provides the uvx command, if you don't have it:

    pip install uv

  • Install the Okta MCP Server package (name assumed: okta-mcp-server):

    uv tool install okta-mcp-server

  • Run the server using uvx:

    uvx okta-mcp-server

Option C: Docker with Device Authorization or Private Key JWT (as shown in the README examples)

  • Use the provided docker run commands and environment variables to start the container and configure authentication.

Additional notes

Tips and common issues:

  • Ensure your environment variables (OKTA_ORG_URL, OKTA_CLIENT_ID, OKTA_SCOPES, OKTA_PRIVATE_KEY, OKTA_KEY_ID) are correctly set for the chosen authentication method.
  • When using Device Authorization Grant with Docker, you will need to copy the authentication URL from the container logs and paste it in your browser to complete the flow.
  • For private key JWT flows, securely mount or provide the private key and key ID to avoid exposure in logs. Consider using a secret management solution or Docker secrets when deploying to production.
  • If you encounter network or API permission errors from Okta, verify your API scopes and that the Okta org URL is correct. Check that the Okta Python SDK version in your environment matches the API endpoints you intend to use.
  • The MCP elicitation feature helps prevent destructive actions; ensure your MCP client supports elicitation, or rely on the automatic fallback described in the docs.
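
A pre-flight check for the variables named in the tips above, added here as an example and not part of the Okta project: it flags missing or placeholder values, a non-HTTPS org URL, write-capable `.manage` scopes and a malformed key, and never prints a secret value. The function name `check_okta_env`, the `auth` mode names, and the rule that only Private Key JWT needs `OKTA_PRIVATE_KEY` and `OKTA_KEY_ID` are assumptions.

```python
import os
import re

COMMON = ("OKTA_ORG_URL", "OKTA_CLIENT_ID", "OKTA_SCOPES")
# Assumption: only the Private Key JWT mode needs the key and its key ID.
JWT_ONLY = ("OKTA_PRIVATE_KEY", "OKTA_KEY_ID")
# Placeholder fragments copied from the page's sample command.
PLACEHOLDERS = ("your-", "Your private key content here")
PEM_RE = re.compile(
    r"-----BEGIN (RSA )?PRIVATE KEY-----.+-----END (RSA )?PRIVATE KEY-----", re.S)


def check_okta_env(env, auth="private_key_jwt"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    needed = COMMON + (JWT_ONLY if auth == "private_key_jwt" else ())
    for name in needed:
        value = env.get(name, "").strip()
        if not value:
            findings.append(f"{name}: missing")
        elif any(p in value for p in PLACEHOLDERS):
            findings.append(f"{name}: still a placeholder")
    # The page's sample value is a bare https:// origin, so expect that shape.
    org_url = env.get("OKTA_ORG_URL", "").strip()
    if org_url and not re.fullmatch(r"https://[A-Za-z0-9.-]+/?", org_url):
        findings.append("OKTA_ORG_URL: expected https://<org-host>")
    # Read-only scopes (as in the sample) keep the agent from changing the org.
    for scope in env.get("OKTA_SCOPES", "").split():
        if scope.startswith("okta.") and "manage" in scope.split("."):
            findings.append(f"OKTA_SCOPES: {scope} grants write access")
    # The sample command passes the key with literal "\n" sequences.
    key = env.get("OKTA_PRIVATE_KEY", "").replace("\\n", "\n").strip()
    if auth == "private_key_jwt" and key and not PEM_RE.fullmatch(key):
        findings.append("OKTA_PRIVATE_KEY: not a PEM private key block")
    return findings


if __name__ == "__main__":
    # Findings name the variable only; values are never echoed.
    for finding in check_okta_env(os.environ):
        print(finding)
```
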
