
Keycloak MCP Server
Manage Keycloak identity and access — users, realms, clients, roles, groups, IDPs and auth — over MCP.
Add to your client
Copy the config for your MCP client and paste it into its config file.
docker pull quay.io/sshaaf/keycloak-mcp-server:latest

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json:

    {
      "mcpServers": {
        "keycloak-mcp-server": {
          "command": "npx",
          "args": [
            "-y",
            "mcp-remote",
            "https://mcp-server.example.com/mcp/sse",
            "--header",
            "Authorization: Bearer <your-jwt-token>"
          ]
        }
      }
    }

Claude Desktop connects to remote servers through the `mcp-remote` proxy (installed on first run via npx). Restart Claude Desktop after saving.
Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- A running Keycloak instance (KC_URL) and realm (KC_REALM)
- An OIDC client configured in Keycloak (OIDC_CLIENT_ID)
- A user JWT token (obtainable via scripts/get-mcp-token.sh)
- Docker (to run the container image) or a JVM/GraalVM build environment
About Keycloak MCP Server
A Quarkus-based MCP server that provides programmatic access to Keycloak administration functionality. It enables AI assistants and dev tools to perform comprehensive Keycloak operations — managing users, realms, clients, roles, groups, identity providers, and authentication flows — using each user's own JWT token and SSE transport. Ships with container images, OpenShift/Kubernetes deployment, and GraalVM native-image builds.
Tools & capabilities (8)
User management: create, read, update, delete and query Keycloak users.
Realm configuration: manage and configure Keycloak realms.
Client administration: administer Keycloak clients.
Role management: manage realm and client roles.
Group management: manage Keycloak groups.
Identity provider configuration: configure identity providers (IDPs).
Authentication flow management: manage Keycloak authentication flows.
Keycloak Discourse search: search the Keycloak Discourse community for answers.
When to use it
- Let an AI assistant provision and manage Keycloak users, realms and clients conversationally
- Automate identity and access management tasks across realms from an MCP-enabled IDE
- Configure roles, groups and identity providers without leaving your AI tooling
- Search the Keycloak Discourse community for troubleshooting guidance
Security notes
Each user authenticates with their own JWT token issued by Keycloak; the token is passed as a Bearer credential in the Authorization header, so the MCP server acts with that user's Keycloak permissions and the assistant can do no more than the user could do through the Admin Console or Admin REST API. Use the provided scripts/get-mcp-token.sh helper to obtain a token. Note that the client config file stores the token in plaintext, so protect it like any other credential, and that Keycloak access tokens are short-lived by default, so expect to fetch a fresh one and update the config when the old one expires. Serve the SSE endpoint over HTTPS so bearer tokens are not exposed in transit.
Keycloak MCP Server FAQ
How does authentication work?
Each user authenticates with their own JWT token issued by Keycloak. The token is passed as a Bearer credential in the Authorization header of the MCP client config. Use scripts/get-mcp-token.sh to obtain a token.
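The security notes and the FAQ answer above both describe the same step: obtain a Keycloak-issued JWT for the user and place it in the client config as a Bearer header. The following is an added example, not code from the Keycloak MCP Server project or its scripts/get-mcp-token.sh helper. It decodes the token's claims (without verifying the signature; that remains the server's job) and checks them against the values from "Before you start" before rendering the client config, so a token minted for the wrong realm or client, or one that has already expired, is caught before it is pasted. KC_URL, KC_REALM, OIDC_CLIENT_ID and the SSE URL are placeholders, and the sample token is constructed inline for offline use.

```python
"""Sanity-check a Keycloak JWT before putting it in an MCP client config.

Added example, not part of the Keycloak MCP Server project. Claims are
decoded WITHOUT signature verification: this only catches obvious
mistakes (wrong realm, wrong client, expired token). The MCP server
must still verify the signature against the realm's signing keys.
"""
import base64
import json
import time

# Assumed deployment values (placeholders, not taken from the project).
KC_URL = "https://keycloak.example.com"
KC_REALM = "mcp"
OIDC_CLIENT_ID = "mcp-client"
MCP_SSE_URL = "https://mcp-server.example.com/mcp/sse"


def token_endpoint(kc_url, realm):
    """Keycloak's OIDC token endpoint for a realm (standard Keycloak path)."""
    return f"{kc_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def expected_issuer(kc_url, realm):
    """Keycloak sets the `iss` claim to the realm's base URL."""
    return f"{kc_url.rstrip('/')}/realms/{realm}"


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Return the payload claims of a compact JWS. Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(jwt, kc_url, realm, client_id, now=None):
    """Return a list of problems; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(jwt)
    except ValueError as e:  # covers json and base64 decode errors too
        return [f"unparseable token: {e}"]
    problems = []
    if claims.get("iss") != expected_issuer(kc_url, realm):
        problems.append(f"issuer {claims.get('iss')!r} is not realm {realm!r} on {kc_url}")
    # Keycloak records the requesting client in `azp`; `aud` may be a string or a list.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if claims.get("azp") != client_id and client_id not in aud:
        problems.append(f"token not issued to client {client_id!r} (azp={claims.get('azp')!r}, aud={aud})")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)}s ago")
    return problems


def render_client_config(jwt, sse_url):
    """Build the mcp-remote entry shown on this page, token as a Bearer header."""
    return {
        "mcpServers": {
            "keycloak-mcp-server": {
                "command": "npx",
                "args": ["-y", "mcp-remote", sse_url,
                         "--header", f"Authorization: Bearer {jwt}"],
            }
        }
    }


def make_unsigned_test_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    sample = make_unsigned_test_jwt({
        "iss": expected_issuer(KC_URL, KC_REALM), "azp": OIDC_CLIENT_ID,
        "aud": "account", "sub": "user-1", "exp": now + 300,
    })
    problems = check_token(sample, KC_URL, KC_REALM, OIDC_CLIENT_ID)
    if problems:
        raise SystemExit("refusing to write config:\n  " + "\n  ".join(problems))
    print("fetch real tokens from", token_endpoint(KC_URL, KC_REALM))
    print(json.dumps(render_client_config(sample, MCP_SSE_URL), indent=2))
```

Run the real token from scripts/get-mcp-token.sh through check_token before pasting it; a non-empty result usually means the script was pointed at the wrong realm or client, or the token has already expired and needs to be fetched again.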
What transport does it use?
Server-Sent Events (SSE) over HTTP; the MCP client connects to the server's /mcp/sse endpoint. Use HTTPS in any real deployment, since the user's bearer token travels in the Authorization header of every request.
How do I run it?
Pull and run the container image from quay.io/sshaaf/keycloak-mcp-server:latest, or build a JAR / GraalVM native image from source with Maven.
Is it official?
No. It is a community project maintained by Shaaf Syed that wraps the official Keycloak Admin Client; it is not published by the Keycloak project itself.