okta-agent

Okta API + MCP Server + A2A Agent for the agent-utilities ecosystem — a typed, action-routed connector for the Okta Management API (users, groups, applications, policies, and the system log).

Official documentation

This site is the canonical reference for okta-agent, maintained alongside every release.

Overview

okta-agent wraps the Okta Management API with typed, deterministic MCP tools and an optional Pydantic-AI agent server. It provides:

  • Api — a Python client (okta_agent.api_client.Api) composed from per-domain mixins. Raw httpx, no Okta SDK; every method documents the developer.okta.com endpoint it calls, captures the latest X-Rate-Limit-* snapshot, and backs off automatically on HTTP 429.
  • Action-routed MCP tools — consolidated, togglable tool modules (okta_users, okta_groups, okta_apps, okta_policies, okta_system) that minimize token overhead in LLM contexts.
  • An A2A agent server — a Pydantic-AI graph agent (console script okta-agent) that calls the MCP tool surface and exposes an AG-UI web interface.

Safety is built in: destructive operations (deactivate / delete / clear sessions / password ops) are blocked unless explicitly allowed per call or via OKTA_ALLOW_DESTRUCTIVE, and credential material is redacted from logs and error envelopes.
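The fail-closed gate and redaction described above can be sketched as follows. This is an added example, not okta-agent's own code: the names route, redact and DESTRUCTIVE_ACTIONS, the verb strings, and the set of truthy values accepted for OKTA_ALLOW_DESTRUCTIVE are assumptions made for illustration.

```python
import os
import re

# Hypothetical verb names covering the categories the page lists
# (deactivate / delete / clear sessions / password ops).
DESTRUCTIVE_ACTIONS = {"deactivate", "delete", "clear_sessions",
                       "reset_password", "expire_password"}

# Okta API tokens travel as "Authorization: SSWS <token>"; OAuth uses "Bearer <token>".
_SECRET_RE = re.compile(r"\b(SSWS|Bearer)\s+[\w.~+/=-]+", re.IGNORECASE)


def redact(text, extra_secrets=()):
    """Mask auth-header credentials and any known secret values in text."""
    text = _SECRET_RE.sub(lambda m: f"{m.group(1)} [REDACTED]", text)
    for secret in extra_secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


def env_allows_destructive(environ=None):
    """Assumed parsing: only explicit truthy strings enable the override."""
    environ = os.environ if environ is None else environ
    value = environ.get("OKTA_ALLOW_DESTRUCTIVE", "")
    return value.strip().lower() in {"1", "true", "yes"}


def route(action, params, handler, *, allow_destructive=False,
          environ=None, token=""):
    """Dispatch an action, failing closed on destructive verbs."""
    if action in DESTRUCTIVE_ACTIONS and not (
            allow_destructive or env_allows_destructive(environ)):
        # Blocked before the handler runs, so no request reaches Okta.
        return {"ok": False, "error": "destructive_blocked", "action": action}
    try:
        return {"ok": True, "result": handler(action, params)}
    except Exception as exc:
        # Exception text may echo request headers; scrub it before returning.
        return {"ok": False, "action": action,
                "error": redact(str(exc), (token,))}
```

The gate is checked before dispatch, so an unset or unrecognised OKTA_ALLOW_DESTRUCTIVE value leaves destructive verbs blocked.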

okta-agent complements keycloak-agent: the same verb taxonomy over the commercial IdP, so agents can switch identity providers without relearning tools.

Explore the documentation

  • Installation — pip, source, extras, and the prebuilt Docker image.
  • Deployment — run the MCP and agent servers, Docker Compose.
  • Usage — the MCP tools, the Api client, and the CLI.
  • Overview — the action-routed tool surface and architecture.
  • Concepts — the CONCEPT:OKTA-* registry.

Quick start

pip install "okta-agent[mcp]"
okta-mcp                          # stdio MCP server (default transport)

Connect it to an Okta org:

export OKTA_ORG_URL=https://acme.okta.com
export OKTA_API_TOKEN=<api-token>
okta-mcp --transport streamable-http --host 0.0.0.0 --port 8000

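See Installation and Deployment for the full matrix (PyPI extras, Docker image, all transports, the agent server). Note that --host 0.0.0.0 listens on every network interface, and the server process holds OKTA_API_TOKEN; bind to 127.0.0.1 or restrict access to port 8000 at the network layer when the server does not need to be reachable from other hosts.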

Backing platform

Okta is a managed SaaS identity platform — there is no self-hosted deployment recipe, so this site intentionally omits the Backing Platform page that connectors to self-hostable systems carry.