Manage and query your OpenFGA server using AI agents and tooling. Unlock the power of OpenFGA and Auth0 FGA inside agentic tooling and intelligent workflows.
Features
Tools
Store Management
create_store: Creates a new store.list_stores: List all stores.get_store: Get a store's details by its ID.delete_store: Delete a store by its ID.
Authorization Model Management
create_model: Use OpenFGA's DSL to create an authorization model.list_models: List authorization models.get_model: Get an authorization model's details by its ID.verify_model: Verify a DSL representation of an authorization model.get_model_dsl: Get the DSL from a specific authorization model from a particular store.
Relationship Tuples Management
check_permission: Check if something has a relation to an object. This answers, can (user) do (relation) on (object)?grant_permission: Grant permission to something on an object by creating a relationship tuple.revoke_permission: Revoke permission from something on an object by deleting a relationship tuple.list_users: Return a list of users that have a given relationship with a given object.list_objects: Return a list of objects of a type that something has a relation to.
Configuration
The server requires the following configuration options:
| Environment Variable | Default | Description |
|---|---|---|
OPENFGA_MCP_API_URL | http://127.0.0.1:8080 | URL of your OpenFGA server |
The server accepts the following optional configuration options:
| Environment Variable | Default | Description |
|---|---|---|
OPENFGA_MCP_TRANSPORT | stdio | Transport to use for communication with the MCP server (stdio or http) |
OPENFGA_MCP_TRANSPORT_HOST | 127.0.0.1 | The host to bind the MCP server to (only affects HTTP transport) |
OPENFGA_MCP_TRANSPORT_PORT | 8080 | The port to bind the MCP server to (only affects HTTP transport) |
OPENFGA_MCP_TRANSPORT_JSON | false | Whether the MCP server should use JSON responses (only affects HTTP transport) |
OPENFGA_MCP_API_READONLY | false | Whether the MCP server should be read-only |
OPENFGA_MCP_API_RESTRICT | false | Whether the MCP server should be restricted to the configured store and model IDs |
OPENFGA_MCP_API_STORE | null | OpenFGA Store ID the MCP server should use by default |
OPENFGA_MCP_API_MODEL | null | OpenFGA Model ID the MCP server should use by default |
Authentication
By default, the server will try to connect to the OpenFGA server without using authentication.
To use pre-shared key (token) authentication, the server accepts the following configuration options:
| Environment Variable | Default | Description |
|---|---|---|
OPENFGA_MCP_API_TOKEN | null | API token for use with your OpenFGA server |
To use Client Credentials authentication, the server accepts the following configuration options:
| Environment Variable | Default | Description |
|---|---|---|
OPENFGA_MCP_API_CLIENT_ID | null | Client ID for use with your OpenFGA server |
OPENFGA_MCP_API_CLIENT_SECRET | null | Client secret for use with your OpenFGA server |
OPENFGA_MCP_API_ISSUER | null | API issuer for use with your OpenFGA server |
OPENFGA_MCP_API_AUDIENCE | null | API audience for use with your OpenFGA server |
Installation
Docker (Recommended)
docker pull evansims/openfga-mcp:latest
Composer
composer global require evansims/openfga-mcp
Usage
Claude Desktop
Using Docker:
{
"mcpServers": {
"OpenFGA": {
"command": "docker",
"args": [
"run",
"--rm",
"-i",
"-e",
"OPENFGA_MCP_API_URL=http://localhost:8080",
"evansims/openfga-mcp:latest"
]
}
}
}
Using PHP:
{
"mcpServers": {
"OpenFGA": {
"command": "php",
"args": ["/path/to/vendor/bin/openfga-mcp"],
"env": {
"OPENFGA_MCP_API_URL": "http://localhost:8080"
}
}
}
}
Claude Code
Cursor
Windsurf
Warp
Raycast
Contributing
Contributions are welcome! Please ensure all tests pass and linters are satisfied before submitting a pull request.