FusionAuth API MCP Server

1

Add it to Claude Code

Run this in a terminal.

Run in terminal
claude mcp add -e "API_KEY_APIKEYAUTH=${API_KEY_APIKEYAUTH}" -e "API_BASE_URL=${API_BASE_URL}" fusionauth-mcp-api -- npx @fusionauth/mcp-api
Required:API_KEY_APIKEYAUTHAPI_BASE_URL+ 1 optional
README.md

A preview release of an MCP server for the FusionAuth API.

Preview FusionAuth API MCP Server (fusionauth-mcp-api)

A preview release of an MCP server for the FusionAuth API. Built with the excellent github.com/harsha-iiiv/openapi-mcp-generator

⚠️ Not for Production Use!

Using this MCP server requires providing the MCP client with a FusionAuth API key. Only use this for dev and test instances. FusionAuth is not responsible for potentially leaking sensitive information.

Prerequisites

  • A running FusionAuth instance
  • Node.js

Configuration

First, set up a limited API key in the FusionAuth instance. Here's documentation on creating an API key and configuring the correct permissions for an API key.

Next, configure your MCP client to use the FusionAuth API MCP server.

For example, to add to Claude Desktop, edit ~/Library/Application Support/Claude/claude_desktop_config.json to include the fusionauth-mcp-api key below.

If you don't have any previous MCP servers installed, it would look like this:

{
  "mcpServers": {
      "fusionauth-mcp-api": {
      "command": "npx",
      "args": [
        "@fusionauth/mcp-api"
      ],
      "env": {
        "API_KEY_APIKEYAUTH": "<your fusionauth api key>",
        "API_BASE_URL": "http://localhost:9011",
        "USE_TOOLS": "retrieve,search"
      }
    }
  }
}

The USE_TOOLS env variable above essentially restricts the available tools to read-only operations. You can omit this variable to allow full access, but you will need a model that can handle about 200k tokens.

Consult your MCP client's documentation to determine exactly how to add an MCP server to your client.

Example Prompts

  • "which tools do you have access to?" should show you all the FusionAuth API tools
  • "how many fusionauth applications do I have?"
  • "how many users do I have in my fusionauth instance?"
  • "add a user with an email address of test@example.com and a password of 'password'" (requires less restricted tools)

Restricting Tools

The default MCP Server has a tool for every API endpoint of FusionAuth. Over 300 of them! However, the tools, descriptions, requests, and responses combine to nearly 200k tokens, which can exceed the context window of many MCP clients.

You can restrict which tools this MCP server makes available by setting the USE_TOOLS env variable as shown above.

Each tool is defined by its prefix. The default prefixes are:

  • create
  • delete
  • patch
  • update
  • retrieve
  • search

There is also an other tool bucket that contains every tool with another prefix. The all tool bucket includes all tools and is the default value.

For example, if you don't need to use any delete or patch methods, the following setting reduces the tool list by 20%.

USE_TOOLS="create,update,retrieve,search,other"

If you only want to allow read-only operations, use the following configuration:

USE_TOOLS="retrieve,search"

This also reduces the tool list size by 66%.

Securing Your MCP Server

There are three different approaches to secure your MCP server and you should combine them to enable secure access to your FusionAuth instance while still meeting your functionality needs. In order of granularity (from coarse to fine-grained):

  • Point to the correct instance. This tool is in preview and we suggest you only point it at a local, dev instance.
  • Enable the correct type of tools. In addition to reducing context window usage, limiting the type of requests your LLM can make can increase security. For instance, if you don't enable the delete set of tools, you don't have to worry about the LLM "helping" you by deleting FusionAuth configuration.
  • Lock down your API key. This allows fine-grained control beyond the tool choice. The MCP server communicates to FusionAuth using an API key. You can limit that API key to only allow it to act on tenants, applications and users by choosing the appropriate set of permissions.

Troubleshooting

Verify your API key has the correct permissions for the operation the MCP client is taking.

Check your MCP client logs; these vary by MCP client and platform. For example, $HOME/Library/Logs/Claude/mcp-server-fusionauth-api-server.log is the location for Claude Desktop on macOS. Consult your client's documentation for the precise location.

Use the modelcontextprotocol

Tools (6)

createCreates new resources in the FusionAuth instance.
deleteDeletes existing resources from the FusionAuth instance.
patchPartially updates existing resources.
updateUpdates existing resources in the FusionAuth instance.
retrieveRetrieves specific data or resources from the FusionAuth instance.
searchSearches for resources within the FusionAuth instance.

Environment Variables

API_KEY_APIKEYAUTHrequiredThe API key for authenticating with the FusionAuth instance.
API_BASE_URLrequiredThe base URL of the FusionAuth instance.
USE_TOOLSComma-separated list of tool prefixes to enable (e.g., retrieve,search).

Configuration

claude_desktop_config.json
{"mcpServers": {"fusionauth-mcp-api": {"command": "npx", "args": ["@fusionauth/mcp-api"], "env": {"API_KEY_APIKEYAUTH": "<your fusionauth api key>", "API_BASE_URL": "http://localhost:9011", "USE_TOOLS": "retrieve,search"}}}}

Try it

Which tools do you have access to?
How many FusionAuth applications do I have?
How many users do I have in my FusionAuth instance?
Add a user with an email address of test@example.com and a password of 'password'

Frequently Asked Questions

What are the key features of FusionAuth API?

Provides an MCP interface for over 300 FusionAuth API endpoints. Supports granular tool restriction via environment variables. Enables natural language management of users and applications. Supports read-only operations for secure exploration.

What can I use FusionAuth API for?

Auditing user counts and application configurations in a dev environment. Quickly retrieving specific user details without manual API calls. Automating the creation of test users for development workflows. Managing authentication configurations through conversational AI.

How do I install FusionAuth API?

Install FusionAuth API by running: npx @fusionauth/mcp-api

What MCP clients work with FusionAuth API?

FusionAuth API works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep FusionAuth API docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.
Open Conare
View all other servers →

Related MCP Servers

Nuclear
Free, open-source music player without ads or tracking.
other17.1K stars
Domain Check
Fast domain availability checker with RDAP/WHOIS lookup and batch checking.
other253 stars
Ableton MCP Extended
Control Ableton Live using natural language via AI assistants
other142 stars
US Government Open Data MCP
MCP Server + TypeScript SDK for 40+ U.S. Government APIs
other90 stars
Garmin Connect
Access your fitness, health, and training data from MCP clients.
other71 stars
BinjaLattice MCP
Secure communication protocol for Binary Ninja and MCP servers
other61 stars