MCP server
Authalla exposes a Model Context Protocol (MCP) server that lets AI assistants manage your tenants, users, OAuth2 clients, branding, domains, and more — directly from your editor or chat.
Quick start
Add the Authalla MCP server URL to your client:
https://login.authalla.com/mcp
That's it. Your MCP client will handle authentication automatically using OAuth2 with PKCE — you'll be prompted to sign in through your browser the first time.
Setup for Claude Code
Add the MCP server with a single command:
claude mcp add authalla https://login.authalla.com/mcp
Claude Code will detect the OAuth2 authorization server from the /.well-known/oauth-protected-resource metadata and open your browser to authenticate.
Once connected, you can ask Claude to manage your Authalla tenant directly:
> Create a new OAuth2 client called "my-app" with redirect URI http://localhost:3000/callback
> Update the login page theme to use dark blue as the primary color
> Add a custom domain app.example.com to my tenant
Setup for Claude Desktop
- Open Claude Desktop and go to Settings > MCP Servers
- Add a new server with the URL:
https://login.authalla.com/mcp
- Claude Desktop will open your browser to authenticate with Authalla
- Once connected, the Authalla tools appear in the tools menu
Setup for VS Code
Add this to your VS Code settings.json (or workspace .vscode/mcp.json):
{
  "mcp": {
    "servers": {
      "authalla": {
        "url": "https://login.authalla.com/mcp"
      }
    }
  }
}
VS Code will prompt you to authenticate when the MCP server is first used.
Setup for Cursor
Add a .cursor/mcp.json file to your project root:
{
  "mcpServers": {
    "authalla": {
      "url": "https://login.authalla.com/mcp"
    }
  }
}
Authentication
The MCP server uses standard OAuth2 with PKCE for authentication. When your MCP client connects for the first time, it:
- Fetches /.well-known/oauth-protected-resource to discover the authorization server
- Opens your browser to sign in with your Authalla account (passkey, magic link, or social login)
- Receives an access token that is used for all subsequent requests
Tokens are refreshed automatically. You don't need to manage API keys or secrets.
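The two checks an MCP client makes before opening the browser, as an added example (not Authalla's code): it validates the discovered metadata and derives the PKCE S256 challenge. The metadata document is a constructed sample, and the example assumes the metadata names the MCP URL as its resource.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

MCP_URL = "https://login.authalla.com/mcp"  # from this page

# Constructed sample of an RFC 9728 metadata document; not Authalla's real response.
SAMPLE_METADATA = {
    "resource": "https://login.authalla.com/mcp",
    "authorization_servers": ["https://login.authalla.com"],
}


def select_authorization_server(metadata, expected_resource=MCP_URL):
    """Return the issuer to use, or raise ValueError if the metadata is unsafe."""
    # RFC 9728: the advertised resource must be the URL the client meant to call,
    # otherwise a different server could steer the login to its own issuer.
    if metadata.get("resource") != expected_resource:
        raise ValueError("metadata is for a different resource")
    for issuer in metadata.get("authorization_servers") or []:
        parts = urlsplit(issuer)
        if parts.scheme == "https" and parts.hostname and not parts.fragment:
            return issuer
    raise ValueError("no usable https authorization server")


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh random verifier (kept by the client) and challenge (sent to the server)."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    return verifier, pkce_challenge(verifier)


if __name__ == "__main__":
    issuer = select_authorization_server(SAMPLE_METADATA)
    verifier, challenge = new_pkce_pair()
    print(issuer, "code_challenge_method=S256", "code_challenge=" + challenge)
```

The verifier never leaves the client until the token request, so an intercepted authorization code cannot be redeemed without it.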
Available tools
The MCP server exposes the following tools for managing your Authalla tenant:
Account
| Tool | Description |
|---|---|
| get_me | Get your account info and list of tenants |
Tenants
| Tool | Description |
|---|---|
| list_tenants | List all tenants in your account |
| get_tenant | Get tenant details |
| create_tenant | Create a new tenant |
| update_tenant | Update tenant settings |
| delete_tenant | Delete a tenant |
Users
| Tool | Description |
|---|---|
| list_users | List users in a tenant |
| get_user | Get user details |
| create_user | Create a new user |
| update_user | Update a user |
| delete_user | Delete a user |
OAuth2 clients
| Tool | Description |
|---|---|
| list_clients | List OAuth2 clients |
| get_client | Get client details, redirect URIs, and scopes |
| create_client | Create a new OAuth2 client (returns client secret for confidential clients) |
Branding
| Tool | Description |
|---|---|
| get_theme | Get login page theme (light and dark mode) |
| update_theme | Update login page colors |
Custom domains
| Tool | Description |
|---|---|
| list_custom_domains | List custom domains |
| get_custom_domain | Get domain details and DNS records |
| create_custom_domain | Add a custom domain to your tenant |
| verify_custom_domain | Trigger DNS verification |
Custom email domains
| Tool | Description |
|---|---|
| list_custom_emails | List email domain configurations |
| get_custom_email | Get email domain details and DNS records |
| create_custom_email | Configure a custom email domain |
| verify_custom_email | Trigger DNS verification |
Social login
| Tool | Description |
|---|---|
| list_social_logins | List configured social login providers |
| create_social_login | Add a social login provider (Google, GitHub, Apple, Microsoft) |
Multiple tenants
If your account has multiple tenants, tools that operate on a specific tenant accept an optional tenant_id parameter. If your account has only one tenant, it is selected automatically.
Use the get_me tool to list your tenants and their IDs.
M2M access
For automated pipelines or custom integrations, you can authenticate using OAuth2 client credentials instead of a browser login. Create a Backend Service client in the Admin Dashboard and use the client credentials grant:
curl -X POST https://your-tenant.authalla.com/oauth2/token \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=tenants:read users:read clients:read"
The access token can then be passed in the Authorization header when calling the MCP endpoint directly.
Available scopes
| Scope | Description |
|---|---|
| tenants:read / tenants:write | Read and manage tenants |
| users:read / users:write | Read and manage users |
| clients:read / clients:write | Read and manage OAuth2 clients |
| theme:read / theme:write | Read and manage branding |
| domains:read / domains:write | Read and manage custom domains |
| emails:read / emails:write | Read and manage email domains |
| social-logins:read / social-logins:write | Read and manage social login providers |
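A least-privilege check for the M2M flow and the scope list above, as an added example (not Authalla's code): it builds the client credentials request with read-only scopes and refuses a token that grants more than was requested. The token response is a constructed sample, the environment variable names are hypothetical, and the Bearer scheme in the Authorization header is assumed from standard OAuth2 usage.

```python
import os
from urllib.parse import urlencode

TOKEN_URL = "https://your-tenant.authalla.com/oauth2/token"  # placeholder host from this page
READ_ONLY = ("tenants:read", "users:read", "clients:read")   # scopes from the curl example

# Constructed sample of an RFC 6749 token response; not real Authalla output.
SAMPLE_RESPONSE = {
    "access_token": "SAMPLE_ACCESS_TOKEN",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "tenants:read users:read clients:read",
}


def token_request_body(client_id, client_secret, scopes=READ_ONLY):
    """Form-encoded body for the client credentials grant shown in the curl call."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })


def bearer_headers(token_response, requested=READ_ONLY):
    """Validate a token response, then build the header for the MCP endpoint."""
    if str(token_response.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    # RFC 6749 section 5.1: "scope" may be omitted when identical to the request.
    granted = set(token_response.get("scope", " ".join(requested)).split())
    extra = granted - set(requested)
    if extra:
        raise ValueError("token is broader than requested: " + " ".join(sorted(extra)))
    return {"Authorization": "Bearer " + token_response["access_token"]}


if __name__ == "__main__":
    # Hypothetical variable names: the secret comes from the environment or a
    # secret store, not from the script or the shell history.
    body = token_request_body(os.environ.get("AUTHALLA_CLIENT_ID", "YOUR_CLIENT_ID"),
                              os.environ.get("AUTHALLA_CLIENT_SECRET", "YOUR_CLIENT_SECRET"))
    print("POST", TOKEN_URL, "with", len(body), "byte form body")
    print(bearer_headers(SAMPLE_RESPONSE))
```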