
How to add Keycloak MCP Server to Claude Desktop
Manage Keycloak identity and access — users, realms, clients, roles, groups, IDPs and auth — over MCP. Paste the config into ~/Library/Application Support/Claude/claude_desktop_config.json and restart Claude Desktop.
Last updated June 14, 2026 · 43★ · sse · oauth
Claude Desktop config for Keycloak MCP Server
docker pull quay.io/sshaaf/keycloak-mcp-server:latest

{
  "mcpServers": {
    "keycloak-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp-server.example.com/mcp/sse",
        "--header",
        "Authorization: Bearer <your-jwt-token>"
      ]
    }
  }
}

Claude Desktop connects to remote servers through the `mcp-remote` proxy (installed on first run via npx). Restart Claude Desktop after saving.
Setup steps
- 1. Open Claude Desktop → Settings → Developer → Edit Config (this opens ~/Library/Application Support/Claude/claude_desktop_config.json).
- 2. Paste the Keycloak MCP Server config from this page under the top-level "mcpServers" key.
- 3. Fill in any placeholder secrets (API keys, paths) in the snippet.
- 4. Save the file, then fully quit and reopen Claude Desktop.
- 5. Open a chat and confirm Keycloak MCP Server's tools appear under the 🔌 tools menu.
Before you start
- A running Keycloak instance (KC_URL) and realm (KC_REALM)
- An OIDC client configured in Keycloak (OIDC_CLIENT_ID)
- A user JWT token (obtainable via scripts/get-mcp-token.sh)
- Docker (to run the container image) or a JVM/GraalVM build environment
What Keycloak MCP Server can do in Claude Desktop
- User management: Create, read, update, delete and query Keycloak users.
- Realm configuration: Manage and configure Keycloak realms.
- Client administration: Administer Keycloak clients.
- Role management: Manage realm and client roles.
- Group management: Manage Keycloak groups.
- Identity provider configuration: Configure identity providers (IDPs).
- Authentication flow management: Manage Keycloak authentication flows.
- Keycloak Discourse search: Search the Keycloak Discourse community for answers.
Security
Each user authenticates with their own JWT token issued by Keycloak; the token is passed as a Bearer credential in the Authorization header. Use the provided scripts/get-mcp-token.sh helper to obtain a token. Serve the SSE endpoint over HTTPS so bearer tokens are not exposed in transit.
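An added example, not code from the Keycloak MCP Server project: a Python check that audits the "mcpServers" entries of a Claude Desktop config for the problems this section is about (a plain-HTTP endpoint, a placeholder token left unfilled, an undecodable or expired JWT). The function names and the sample config are constructed for illustration, and the JWT payload is decoded for inspection only, without verifying its signature.

```python
import base64, json, time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_entry(name, entry, now=None):
    """Return findings for one mcpServers entry launched through mcp-remote."""
    now = time.time() if now is None else now
    args, findings = entry.get("args", []), []
    for arg in args:
        if arg.startswith("http://"):
            findings.append(f"{name}: {arg} is plain HTTP, bearer token exposed in transit")
    for flag, value in zip(args, args[1:]):
        if flag != "--header" or not value.lower().startswith("authorization:"):
            continue
        _scheme, _, token = value.split(":", 1)[1].strip().partition(" ")
        if token.startswith("<"):
            findings.append(f"{name}: placeholder token was never replaced")
            continue
        try:
            exp = jwt_claims(token.strip()).get("exp")
        except (ValueError, AttributeError):  # bad segments, base64, JSON or non-object
            findings.append(f"{name}: Authorization value is not a decodable JWT")
            continue
        if not isinstance(exp, (int, float)):
            findings.append(f"{name}: token has no numeric exp claim")
        elif exp <= now:
            findings.append(f"{name}: token expired {int(now - exp)}s ago")
    return findings

def audit_config(config, now=None):
    return [f for n, e in config.get("mcpServers", {}).items() for f in audit_entry(n, e, now)]

def unsigned_jwt(claims):  # builds a constructed sample token with a dummy signature
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SAMPLE = {"mcpServers": {  # constructed config, not a real deployment
    "keycloak-mcp-server": {"command": "npx", "args": ["-y", "mcp-remote",
        "https://mcp-server.example.com/mcp/sse", "--header", "Authorization: Bearer <your-jwt-token>"]},
    "stale-http": {"command": "npx", "args": ["-y", "mcp-remote",
        "http://mcp-server.example.com/mcp/sse", "--header", "Authorization: Bearer " + unsigned_jwt({"exp": 1000})]},
}}
if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```

To audit a real installation, load the config file with `json.load` and pass the result to `audit_config`. The token sits in that file in plaintext, so the file's permissions matter as much as the transport.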
Keycloak MCP Server + Claude Desktop FAQ
Where is the Claude Desktop config file?
Claude Desktop reads MCP servers from ~/Library/Application Support/Claude/claude_desktop_config.json. Paste the Keycloak MCP Server config there under the "mcpServers" key and restart the client.
Is Keycloak MCP Server safe to use with Claude Desktop?
Each user authenticates with their own JWT token issued by Keycloak; the token is passed as a Bearer credential in the Authorization header. Use the provided scripts/get-mcp-token.sh helper to obtain a token. Serve the SSE endpoint over HTTPS so bearer tokens are not exposed in transit.
How does authentication work?
Each user authenticates with their own JWT token issued by Keycloak. The token is passed as a Bearer credential in the Authorization header of the MCP client config. Use scripts/get-mcp-token.sh to obtain a token.
What transport does it use?
SSE transport over HTTP; the MCP client connects to the server's /mcp/sse endpoint.
How do I run it?
Pull and run the container image from quay.io/sshaaf/keycloak-mcp-server:latest, or build a JAR / GraalVM native image from source with Maven.