Zitadel MCP Server
An MCP (Model Context Protocol) server for Zitadel identity management. Manage users, projects, applications, roles, and service accounts through natural language from AI tools like Claude Code.
"Create a user for jane@example.com, assign her the app:finance role, and give me the auth config." — That's three tool calls the AI handles for you.
Tools (25)
| Category | Tool | Description |
|---|---|---|
| Users | zitadel_list_users | List/search users |
zitadel_get_user | Get user details | |
zitadel_create_user | Create user (sends invite email) | |
zitadel_deactivate_user | Deactivate user | |
zitadel_reactivate_user | Reactivate user | |
| Projects | zitadel_list_projects | List projects |
zitadel_get_project | Get project details | |
zitadel_create_project | Create project | |
| Applications | zitadel_list_apps | List apps in a project |
zitadel_get_app | Get app details + Client ID | |
zitadel_create_oidc_app | Create OIDC application | |
zitadel_update_app | Update app (redirect URIs, etc.) | |
| Roles | zitadel_list_project_roles | List roles in a project |
zitadel_create_project_role | Create a role (e.g., app:finance) | |
zitadel_list_user_grants | List user's role grants | |
zitadel_create_user_grant | Assign roles to user | |
zitadel_remove_user_grant | Remove role grant | |
| Service Accounts | zitadel_create_service_user | Create machine user |
zitadel_create_service_user_key | Generate key pair | |
zitadel_list_service_user_keys | List keys (metadata only) | |
| Organizations | zitadel_get_org | Get current org details |
zitadel_list_orgs | List organizations | |
| Utility | zitadel_get_auth_config | Get .env.local template for an app |
| Portal | portal_register_app | Register app in portal DB |
portal_setup_full_app | One-click: Zitadel + portal setup |
Portal tools (portal_*) are only available when PORTAL_DATABASE_URL is configured.
Prerequisites
- A Zitadel instance (Cloud or self-hosted)
- A service account with Org Owner or IAM Admin role
- A JSON key for the service account
Creating a Service Account
- In the Zitadel Console, go to Users > Service Users > New
- Give it a name (e.g.,
mcp-admin) and select Bearer token type - Go to the service user's Keys tab > New > JSON
- Save the downloaded key file — you'll need the
userId,keyId, and base64-encodedkey - Grant the service account the Org Owner role under Organization > Authorizations
Setup
git clone https://github.com/takleb3rry/zitadel-mcp.git
cd zitadel-mcp
npm install
npm run build
Configuration
Add the server to your MCP client config. The JSON block below works for both options:
- Global (all projects):
~/.claude.jsonunder the"mcpServers"key - Per-project:
.mcp.jsonin the project root
{
"mcpServers": {
"zitadel": {
"command": "node",
"args": ["/path/to/zitadel-mcp/build/index.js"],
"env": {
"ZITADEL_ISSUER": "https://your-instance.zitadel.cloud",
"ZITADEL_SERVICE_ACCOUNT_USER_ID": "...",
"ZITADEL_SERVICE_ACCOUNT_KEY_ID": "...",
"ZITADEL_SERVICE_ACCOUNT_PRIVATE_KEY": "...",
"ZITADEL_ORG_ID": "...",
"ZITADEL_PROJECT_ID": "..."
}
}
}
}
Restart Claude Code after adding the config. The Zitadel tools will appear automatically.
Environment Variables
| Variable | Required | Description |
|---|---|---|
ZITADEL_ISSUER | Yes | Zitadel instance URL |
ZITADEL_SERVICE_ACCOUNT_USER_ID | Yes | Service account user ID |
ZITADEL_SERVICE_ACCOUNT_KEY_ID | Yes | Key ID from the JSON key file |
ZITADEL_SERVICE_ACCOUNT_PRIVATE_KEY | Yes | Base64-encoded RSA private key (the key field from the downloaded JSON) |
ZITADEL_ORG_ID | Yes | Organization ID |
ZITADEL_PROJECT_ID | No | Default project ID for role operations |
PORTAL_DATABASE_URL | No | Postgres connection string (enables portal tools) |
LOG_LEVEL | No | DEBUG, INFO, WARN, ERROR (default: INFO) |
Security
This server has admin-level access to your Zitadel instance. Understand what that means before using it:
- The service account needs Org Owner (or IAM Admin for
zitadel_list_orgs). It can create users, modify roles, and manage applications in your organization. - When you create an OIDC app (
zitadel_create_oidc_app), the client secret is returned in the tool response. It is only available at creation time. The AI assistant (and its conversation history) will see it — save it immediately and treat it as sensitive. - When you generate a service account key (
zitadel_create_service_user_key), the full private key is returned in the tool response. Same caveat: save it, and be aware it's visible in your MCP client's conversation. - All tool arguments containing PII (email, name, URLs) are redacted from debug logs. IDs and tool names are still logged.
- All Zitadel IDs are validated against an alphanumeric format before being used in API paths.
Note for new users: I've scanned all source files in this repo and found nothing notable, but I always recommend you have your own AI or tooling audit the code before installing any MCP server that gets access to your infrastructure. The full source is ~800 lines of TypeScript — a quick review shouldn't take long.
Development
npm run dev # Run with tsx (hot reload)
npm run build # Compile TypeScript
npm start # Run compiled version
npm test # Run tests
License
MIT