evansims/openfga-mcp

Query and administer OpenFGA and Auth0 FGA using AI agents.


OpenFGA MCP Server

Stop writing authorization logic. Start asking questions.


Manage and query your OpenFGA server using AI agents and tooling. Unlock the power of OpenFGA and Auth0 FGA inside agentic tooling and intelligent workflows.

Features

Tools

Store Management

  • create_store: Creates a new store.
  • list_stores: List all stores.
  • get_store: Get a store's details by its ID.
  • delete_store: Delete a store by its ID.

Authorization Model Management

  • create_model: Use OpenFGA's DSL to create an authorization model.
  • list_models: List authorization models.
  • get_model: Get an authorization model's details by its ID.
  • verify_model: Verify a DSL representation of an authorization model.
  • get_model_dsl: Get the DSL from a specific authorization model from a particular store.

Relationship Tuples Management

  • check_permission: Check whether a user has a relation to an object. This answers: can (user) do (relation) on (object)?
  • grant_permission: Grant a permission to a user on an object by creating a relationship tuple.
  • revoke_permission: Revoke a permission from a user on an object by deleting a relationship tuple.
  • list_users: Return the users that have a given relationship with a given object.
  • list_objects: Return the objects of a given type that a user has a given relation to.

Configuration

The server requires the following configuration option:

| Environment Variable | Default | Description |
| --- | --- | --- |
| OPENFGA_MCP_API_URL | http://127.0.0.1:8080 | URL of your OpenFGA server |

The server accepts the following optional configuration options:

| Environment Variable | Default | Description |
| --- | --- | --- |
| OPENFGA_MCP_TRANSPORT | stdio | Transport to use for communication with the MCP server (stdio or http) |
| OPENFGA_MCP_TRANSPORT_HOST | 127.0.0.1 | The host to bind the MCP server to (only affects HTTP transport) |
| OPENFGA_MCP_TRANSPORT_PORT | 8080 | The port to bind the MCP server to (only affects HTTP transport) |
| OPENFGA_MCP_TRANSPORT_JSON | false | Whether the MCP server should use JSON responses (only affects HTTP transport) |
| OPENFGA_MCP_API_READONLY | false | Whether the MCP server should be read-only |
| OPENFGA_MCP_API_RESTRICT | false | Whether the MCP server should be restricted to the configured store and model IDs |
| OPENFGA_MCP_API_STORE | null | OpenFGA Store ID the MCP server should use by default |
| OPENFGA_MCP_API_MODEL | null | OpenFGA Model ID the MCP server should use by default |

With the defaults, an agent can create and delete stores and write tuples in every store the OpenFGA credential can reach. For an agent that only needs to answer check and list questions, set OPENFGA_MCP_API_READONLY=true, and set OPENFGA_MCP_API_RESTRICT=true together with OPENFGA_MCP_API_STORE (and OPENFGA_MCP_API_MODEL) to confine it to one store and model. When using the HTTP transport, keep the bind host on 127.0.0.1 unless something in front of the listener authenticates callers, and note that the default port is the same as OpenFGA's own default port (8080), so change one of them if both run on the same host.

Authentication

By default, the server connects to your OpenFGA server without authentication, which is only appropriate for a local development instance.

To use pre-shared key (token) authentication, the server accepts the following configuration option:

| Environment Variable | Default | Description |
| --- | --- | --- |
| OPENFGA_MCP_API_TOKEN | null | API token for use with your OpenFGA server |

To use Client Credentials authentication, the server accepts the following configuration options:

| Environment Variable | Default | Description |
| --- | --- | --- |
| OPENFGA_MCP_API_CLIENT_ID | null | Client ID for use with your OpenFGA server |
| OPENFGA_MCP_API_CLIENT_SECRET | null | Client secret for use with your OpenFGA server |
| OPENFGA_MCP_API_ISSUER | null | API issuer for use with your OpenFGA server |
| OPENFGA_MCP_API_AUDIENCE | null | API audience for use with your OpenFGA server |

Configure one mode or the other, not both. With client credentials the server obtains access tokens from the issuer using the client ID and secret, for the configured audience; the tokens are short-lived, but the client secret is as sensitive as a pre-shared key, so pass it through the environment rather than a committed config file, and in either mode scope the credential to the store(s) the agent actually needs.
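The following is an added example, not code from the openfga-mcp project: a preflight check over the OPENFGA_MCP_* variables documented in the Configuration and Authentication tables above, plus a builder for the Docker-based Claude Desktop entry used under Usage that refuses to emit a configuration the check rejects. The function names (preflight, claude_desktop_entry), the severity labels, and the sample profile (host.docker.internal as the OpenFGA host, a placeholder store ID and token) are this example's own assumptions.

```python
"""Preflight checks for an openfga-mcp deployment.

Added example, not code from the openfga-mcp project. The rules follow from
the README's configuration tables: RESTRICT needs a store ID to restrict to,
the pre-shared key and client-credentials settings are separate auth modes,
the HTTP transport's default port equals OpenFGA's own default port, and no
authentication is documented for the HTTP listener. Function names, severity
labels and the sample profile are assumptions made here for illustration.
"""
import json
from urllib.parse import urlparse

# Defaults as documented in the Configuration table.
DEFAULTS = {
    "OPENFGA_MCP_API_URL": "http://127.0.0.1:8080",
    "OPENFGA_MCP_TRANSPORT": "stdio",
    "OPENFGA_MCP_TRANSPORT_HOST": "127.0.0.1",
    "OPENFGA_MCP_TRANSPORT_PORT": "8080",
    "OPENFGA_MCP_API_READONLY": "false",
    "OPENFGA_MCP_API_RESTRICT": "false",
}
CLIENT_CRED_VARS = (
    "OPENFGA_MCP_API_CLIENT_ID",
    "OPENFGA_MCP_API_CLIENT_SECRET",
    "OPENFGA_MCP_API_ISSUER",
    "OPENFGA_MCP_API_AUDIENCE",
)
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def preflight(env):
    """Return (severity, message) findings for a mapping of OPENFGA_MCP_* vars.

    Unset or empty variables take the documented defaults; an empty list
    means the configuration is acceptable.
    """
    cfg = {**DEFAULTS, **{k: v for k, v in env.items() if v not in (None, "")}}
    findings = []

    # RESTRICT=true with no store ID has nothing to restrict the agent to.
    if _truthy(cfg["OPENFGA_MCP_API_RESTRICT"]) and not cfg.get("OPENFGA_MCP_API_STORE"):
        findings.append(("error", "OPENFGA_MCP_API_RESTRICT=true requires OPENFGA_MCP_API_STORE"))

    # Token and client credentials are two auth modes; configure exactly one.
    has_token = bool(cfg.get("OPENFGA_MCP_API_TOKEN"))
    cc_set = [v for v in CLIENT_CRED_VARS if cfg.get(v)]
    if has_token and cc_set:
        findings.append(("error", "set OPENFGA_MCP_API_TOKEN or the client-credentials variables, not both"))
    if cc_set and len(cc_set) != len(CLIENT_CRED_VARS):
        missing = ", ".join(v for v in CLIENT_CRED_VARS if v not in cc_set)
        findings.append(("error", "client credentials incomplete, missing: " + missing))

    # Without READONLY the agent can write tuples and create/delete stores.
    if not _truthy(cfg["OPENFGA_MCP_API_READONLY"]):
        findings.append(("warning", "OPENFGA_MCP_API_READONLY is false; agent can write tuples and delete stores"))

    if cfg["OPENFGA_MCP_TRANSPORT"].lower() == "http":
        host = cfg["OPENFGA_MCP_TRANSPORT_HOST"]
        if host not in LOOPBACK:
            findings.append(("warning", f"HTTP transport bound to {host}; no authentication is documented for it"))
        api = urlparse(cfg["OPENFGA_MCP_API_URL"])
        api_port = api.port or (443 if api.scheme == "https" else 80)
        if api.hostname in LOOPBACK and str(api_port) == str(cfg["OPENFGA_MCP_TRANSPORT_PORT"]):
            findings.append(("error", f"MCP HTTP port {api_port} collides with the OpenFGA API on this host"))

    return findings


def claude_desktop_entry(env, image="evansims/openfga-mcp:latest"):
    """Build the Claude Desktop "mcpServers" entry for the Docker setup.

    Raises ValueError when preflight reports an error, so a broken
    configuration never reaches the config file. Each variable becomes its
    own -e flag, mirroring the README's Docker example.
    """
    errors = [msg for sev, msg in preflight(env) if sev == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    args = ["run", "--rm", "-i"]
    for key in sorted(k for k, v in env.items() if v not in (None, "")):
        args += ["-e", f"{key}={env[key]}"]
    args.append(image)
    return {"command": "docker", "args": args}


# Constructed sample profile for an agent that only needs check/list answers:
# read-only, confined to one store, reaching OpenFGA on the Docker host via
# host.docker.internal (Docker Desktop). Store ID and token are placeholders.
READONLY_PROFILE = {
    "OPENFGA_MCP_API_URL": "http://host.docker.internal:8080",
    "OPENFGA_MCP_API_READONLY": "true",
    "OPENFGA_MCP_API_RESTRICT": "true",
    "OPENFGA_MCP_API_STORE": "01ARZ3NDEKTSV4RRFFQ69G5FAV",
    "OPENFGA_MCP_API_TOKEN": "replace-with-a-scoped-token",
}

if __name__ == "__main__":
    for sev, msg in preflight({}):  # the README defaults
        print(f"[{sev}] {msg}")
    entry = claude_desktop_entry(READONLY_PROFILE)
    print(json.dumps({"mcpServers": {"OpenFGA": entry}}, indent=2))
```

Run as a script it reports the one warning the documented defaults produce (write access enabled) and prints a ready-to-paste read-only, store-scoped entry; feeding it the permissive combinations (a token alongside client credentials, RESTRICT without a store, HTTP transport on the same port as OpenFGA) makes claude_desktop_entry refuse instead of writing the file.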

Installation

Docker (Recommended)

docker pull evansims/openfga-mcp:latest

Composer

composer global require evansims/openfga-mcp

Usage

Claude Desktop

Using Docker:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "OPENFGA_MCP_API_URL=http://localhost:8080",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}

Note that localhost inside the container is the container itself, not your machine: with Docker's default bridge network, point OPENFGA_MCP_API_URL at host.docker.internal (built in on Docker Desktop; on Linux add --add-host=host.docker.internal:host-gateway) or start the container with --network host. Any OPENFGA_MCP_API_TOKEN or client secret passed the same way ends up in this config file in plaintext, so use a credential scoped to what the agent needs, and add OPENFGA_MCP_API_READONLY=true when the agent only has to answer questions.

Using PHP:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "php",
      "args": ["/path/to/vendor/bin/openfga-mcp"],
      "env": {
        "OPENFGA_MCP_API_URL": "http://localhost:8080"
      }
    }
  }
}

Claude Code

Cursor

Windsurf

Warp

Raycast

Contributing

Contributions are welcome! Please ensure all tests pass and linters are satisfied before submitting a pull request.