# Okta End User MCP server
The Okta End User MCP server enables AI assistants to help you understand and retrieve your identity, access, and authentication information in Okta through natural conversation. The Okta End User MCP server helps you understand your identity profile, discover which applications you have access to, and quickly launch applications with SSO links directly from your AI conversation.
# Uses
Use the Okta End User MCP server when you plan to perform the following actions:
- View your own Okta profile information including role, department, and manager
- Discover which applications you currently have access to
- Get direct SSO links to launch applications without navigating Okta
- Understand your organizational context and reporting relationships
- Check your profile attributes and identity information
# Example prompts
What's my job title and department in Okta?Who is my manager?What applications do I have access to?Show me my Okta profile information.Get me the SSO link to launch Salesforce.What apps can I access?
# Okta End User MCP server tools
The Okta End User MCP server provides the following tools:
| Tool | Description |
|---|---|
| get_my_user_profile | Retrieves profile and organizational information for the authenticated user. |
| list_assigned_applications | Retrieves the set of applications currently assigned to the authenticated user. |
| get_application_sso_link | Retrieves the single sign-on (SSO) link for an application assigned to the authenticated user. |
# Install the Okta End User MCP server
Complete the following steps to install a prebuilt MCP server to your project:
Sign in to your Workato account.
Go to AI Hub > MCP servers.
Click + Create MCP server.
Go to the Start with a template section and select the prebuilt MCP server you plan to use.
Click Use this template.
Provide a name for your MCP server in the MCP server name field.
Go to the Connections section and connect to your app account.
Select the connection type you plan to use for the MCP server template.
- User's connection: MCP server tools perform actions based on the identity and permissions of the user who connects to the application. Users authenticate with their own credentials to execute the skill.
- Your connection: This option uses the connection established by the recipe builder and follows the same principles as normal app connections.
Select your connection type
VERIFIED USER ACCESS AUTHENTICATION REQUIREMENTS
Only app connections that use OAuth 2.0 authorization code grant are available for user's connection. Refer to Verified user access for more information.
Complete the app-specific connection setup steps in the following section.
# Okta connection setup
VIRTUAL PRIVATE WORKATO (VPW) CUSTOMERS
This feature requires configuration steps that are specific to your Virtual Private Workato (VPW) instance. If you are a VPW customer, refer to your VPW private documentation for the configuration details for your instances.
Workato recommends using either Authorization code grant authentication (OAuth 2.0) or Client credentials-based authentication (OAuth 2.0) for improved security in your connection. This also allows you to set up granular permissions to control resources that Workato can access in Okta.
Workato supports the following connection types for Okta:
- Authorization code grant authentication (OAuth 2.0)
- Client credentials-based authentication (OAuth 2.0)
- API key-based authentication
Workato recommends using either Authorization code grant authentication (OAuth 2.0) or Client credentials-based authentication (OAuth 2.0) for improved security in your connection. These methods also let you define granular permissions that control which resources Workato can access in Okta.
# Authorization code grant authentication
Log in to your Workato account and go to the project where you plan to add your Okta connection.
Click Create > Connection and select Okta as your connection.
Select the Authorization code grant option from the Authentication type drop-down menu and enter the following information:
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Enter your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| Client ID | Provide the client ID generated in Okta by completing the following steps. |
| Client secret | Provide the client secret generated in Okta by completing the following steps. |
| Advanced settings | Select the necessary OAuth 2.0 scopes to request from Okta in this connection. These must match the scopes defined in the Okta API Scopes section of your Okta app integration. |
# Generate a client ID and secret for authorization code grant authentication
Complete the following steps to generate a client ID and secret for authorization code grant authentication:
Sign in to your Okta organization as a user with administrator privileges.
Go to the Okta Admin Console and select Applications > Applications.
Navigate to Applications > Applications
Select Create App Integration.
Select Create App Integration
Go to the Create a new app integration page, locate the Sign-in method section, and select OIDC - OpenID Connect.
Create a new app integration
Select Web Application in the Application type section.
Enter a unique App integration name on the New Web App Integration page.
New Web App Integration page
Ensure the Proof of possession field is deselected.
Select the following checkboxes in the Client acting on behalf of a user field of the Grant type section:
- Authorization Code
- Refresh Token
Enter the Workato callback URI in the Sign-in redirect URIs section according to your data center:
- US Data Center:
https://www.workato.com/oauth/callback - EU Data Center:
https://app.eu.workato.com/oauth/callback - JP Data Center:
https://app.jp.workato.com/oauth/callback - SG Data Center:
https://app.sg.workato.com/oauth/callback - AU Data Center:
https://app.au.workato.com/oauth/callback - IL Data Center:
https://app.il.workato.com/oauth/callback - Developer sandbox:
https://app.trial.workato.com/oauth/callback
Sign-in redirect URIs
Select an Assignment option according to your preference and then select Save. Okta creates the app integration.
Copy the Client ID and Client Secret in the new app integration's General tab so you can enter these credentials in Workato's Okta connection settings.
Copy the Client ID and Client Secret
Go to General Settings and ensure the Proof of possession field is deselected.
Go to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:
okta.logs.readokta.schemas.read
Assign Okta API scopes
# Client credentials-based authentication
Log in to your Workato account and go to the project where you plan to add your Okta connection.
Click Create > Connection > select Okta as your connection.
Select the Client credentials option from the Authentication type drop-down menu and enter the following information:
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Enter your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| Client ID | Provide the client ID generated in Okta by completing the following steps. |
| Private Key | Provide the private key generated in PEM format in Okta by completing the following steps. |
| Advanced settings | Select the necessary OAuth 2.0 scopes to request from Okta in this connection. These must match the scopes defined in the Okta API Scopes section of your Okta app integration. |
# Generating a client ID and secret for client credentials-based authentication
Complete the following steps to generate a client ID and secret for client credentials-based authentication:
Sign in to your Okta organization as a user with administrator privileges.
Go to the Okta Admin Console and select Applications > Applications.
Select Applications > Applications
Select Create App Integration.
Select Create App Integration
Select API Services in the Sign-in method section of the Create a new app integration page.
Select API Services
Enter a unique App integration name on the New API Services App Integration page and then select Save.
App integration name
Copy the Client ID in the new app integration's General tab.
Copy Client ID
Select Edit and then select Public key / Private key in the Client authentication field.
Select Add key in the PUBLIC KEYS section.
Select Generate new key in the Add a public key section to generate a new key pair.
Add a public key
Select PEM in the Private key section, then copy the private key. Enter this key in Workato's Okta connection settings. You can't retrieve the private key again after leaving the page.
Copy the private key
Select Done.
Select Save in the new app integration's General tab to store and activate the key. You must save the key before you can use it to connect to Workato.
Click Save if you see the message Existing client secrets will no longer be used.
The key status changes to Active.
Activate the key
Go to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:
okta.logs.readokta.schemas.read
Assign Okta API scopes
# API key-based authentication
The Okta connector uses an API key to authenticate with Okta.
API KEY LIMITATIONS
API keys inherit the permissions of the administrator who created them and aren't scoped. We recommend that you use a scoped OAuth 2.0 access token for improved security.
Okta connection setup
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Enter your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| API Key | Enter the API key generated from your Okta instance. Go to Security > API > Create token to generate a key. The key inherits the permissions of the administrator who created it. |
API TOKEN PRIVILEGES
Creating API tokens requires administrator privileges. Ensure that you're logged in as an administrator before you proceed. Refer to Okta's documentation (opens new window) for more information.
# How to use Okta End User MCP server tools
Refer to the following sections for detailed information on available tools:
# get_my_user_profile tool
The get_my_user_profile tool retrieves your profile and organizational information. Your LLM uses this tool to provide detailed identity context, including your role, department, title, manager, and other profile attributes.
Try asking:
What's my official job title and department?Show me my Okta profile information.Who is my manager in Okta?What's my role and organizational information?
# list_assigned_applications tool
The list_assigned_applications tool retrieves the applications currently assigned to you. Your LLM uses this tool to show you what applications you can already access through Okta, helping you understand your current access permissions.
Try asking:
What applications do I have access to in Okta?Show me all my assigned apps.List the applications I can use.What tools and services can I access through Okta?
# get_application_sso_link tool
The get_application_sso_link tool retrieves the single sign-on (SSO) link for an application assigned to the authenticated user. Your LLM uses this tool to launch specific apps without navigating to the Okta UI.
Try asking:
Get me the SSO link to launch Salesforce.Give me the direct link to access Google Workspace.Open the SSO link for Zoom.How do I access the HR portal? Get me the link.
# Getting started
View and manage your MCP server tools in the Overview page Tools section. Tool management provides the following capabilities:
TOOLS MUST BE STARTED
Your LLM can only access active tools in your MCP server connector.
Last updated: 2/4/2026, 6:28:29 PM