evansims / openfga-mcp
Query and administer OpenFGA and Auth0 FGA using AI agents.
Requires
- php: ^8.3
- evansims/openfga-php: ^1.5
- guzzlehttp/guzzle: ^7.2
- php-mcp/server: ^3.2
Requires (Dev)
- dev-main
- v1.0.0
- dev-renovate/ghcr.io-psalm-psalm-github-actions
- dev-renovate/github-codeql-action-3.x
- dev-renovate/vimeo-psalm-6.x-lockfile
- dev-renovate/actions-cache-4.x
- dev-dependabot/github_actions/actions-minor-patch-c0a0bce6de
- dev-renovate/composer-2
- dev-dependabot/docker/composer-20462d7
- dev-renovate/rector-rector-2.x-lockfile
- dev-renovate/major-github-artifact-actions
- dev-renovate/php-8.x
- dev-renovate/friendsofphp-php-cs-fixer-3.x-lockfile
- dev-renovate/phpstan-packages
- dev-dependabot/docker/php-455b202
- dev-renovate/github-codeql-action-digest
- dev-renovate/configure
- dev-dependabot/docker/composer-e7a1c40
- dev-dependabot/github_actions/actions-minor-patch-b033b81e51
- dev-feat/add-docs-tools
- dev-feat/support-docs-resources
- dev-feat/support-fetching-library-documentation
- dev-refactor/support-offline-mode
- dev-feat/enhance-prompts
- dev-dependabot/github_actions/actions-minor-patch-a6f1693b3a
This package is auto-updated.
Last update: 2025-08-08 16:28:44 UTC
README
OpenFGA MCP Server
AI-powered authorization management for OpenFGA
Connect OpenFGA and Auth0 FGA to AI agents via the Model Context Protocol.
Use Cases
- Plan & Design - Design efficient authorization model using best practice patterns
- Generate Code - Generate accurate SDK integrations with comprehensive documentation context
- Manage Instances - Query and control live OpenFGA servers through AI agents
Quick Start
Offline Mode (Default)
Design models and generate code without a server:
{ "mcpServers": { "OpenFGA": { "command": "docker", "args": [ "run", "--rm", "-i", "--pull=always", "evansims/openfga-mcp:latest" ] } } }
Online Mode
Connect to OpenFGA for full management capabilities:
{ "mcpServers": { "OpenFGA": { "command": "docker", "args": [ "run", "--rm", "-i", "--pull=always", "-e", "OPENFGA_MCP_API_URL=http://host.docker.internal:8080", "evansims/openfga-mcp:latest" ] } } }
Safety: Write operations are disabled by default. Set
OPENFGA_MCP_API_WRITEABLE=true
to enable.
Docker Networking: For your
OPENFGA_MCP_API_URL
usehost.docker.internal
when running OpenFGA on your local machine, container names for Docker networks, or full URLs for remote instances.
Works with Claude Desktop, Claude Code, Cursor, Windsurf, Zed, and other MCP clients.
Configuration
MCP Transport
Variable | Default | Description |
---|---|---|
OPENFGA_MCP_TRANSPORT |
stdio |
Supports stdio or http (Streamable HTTP.) |
OPENFGA_MCP_TRANSPORT_HOST |
127.0.0.1 |
IP to listen for connections on. Only applicable when using http transport. |
OPENFGA_MCP_TRANSPORT_PORT |
9090 |
Port to listen for connections on. Only applicable when using http transport. |
OPENFGA_MCP_TRANSPORT_SSE |
true |
Enables Server-Sent Events (SSE) streams for responses. |
OPENFGA_MCP_TRANSPORT_STATELESS |
false |
Enables stateless mode for session-less clients. |
OpenFGA
Variable | Default | Description |
---|---|---|
OPENFGA_MCP_API_URL |
OpenFGA server URL | |
OPENFGA_MCP_API_WRITEABLE |
false |
Enables write operations |
OPENFGA_MCP_API_STORE |
Default requests to a specific store ID | |
OPENFGA_MCP_API_MODEL |
Default requests to a specific model ID | |
OPENFGA_MCP_API_RESTRICT |
false |
Restrict requests to configured default store/model |
OpenFGA Authentication
Authentication | Variable | Default | Description |
---|---|---|---|
Pre-Shared Keys | OPENFGA_MCP_API_TOKEN |
API Token | |
Client Credentials | OPENFGA_MCP_API_CLIENT_ID |
Client ID | |
OPENFGA_MCP_API_CLIENT_SECRET |
Client Secret | ||
OPENFGA_MCP_API_ISSUER |
Token Issuer | ||
OPENFGA_MCP_API_AUDIENCE |
API Audience |
See docker-compose.example.yml
for complete examples.
Features
Management Tools
- Stores: Create, list, get, delete stores
- Models: Create models with DSL, list, get, verify
- Permissions: Check, grant, revoke permissions; query users and objects
SDK Documentation
Comprehensive documentation for accurate code generation:
- All OpenFGA SDKs (PHP, Go, Python, Java, .NET, JavaScript, Laravel)
- Class and method documentation with code examples
- Advanced search with language filtering
AI Prompts
Design & Planning
- Domain-specific model design
- RBAC to ReBAC migration
- Hierarchical relationships
- Performance optimization
Implementation
- Step-by-step model creation
- Relationship patterns
- Test generation
- Security patterns
Troubleshooting
- Permission debugging
- Security audits
- Least privilege implementation
Resources & URIs
openfga://stores
- List storesopenfga://store/{id}/model/{modelId}
- Model detailsopenfga://docs/{sdk}/class/{className}
- SDK documentationopenfga://docs/search/{query}
- Search documentation
Smart Completions
Auto-completion for store IDs, model IDs, relations, users, and objects when connected.