OpenFGA

An MCP server for managing authorization models with OpenFGA, an open-source authorization system.

View on GitHub →

Manage and query your OpenFGA server using AI agents and tooling. Unlock the power of OpenFGA and Auth0 FGA inside agentic tooling and intelligent workflows.

Features

Tools

Store Management

  • create_store: Creates a new store.
  • list_stores: List all stores.
  • get_store: Get a store's details by its ID.
  • delete_store: Delete a store by its ID.

Authorization Model Management

  • create_model: Use OpenFGA's DSL to create an authorization model.
  • list_models: List authorization models.
  • get_model: Get an authorization model's details by its ID.
  • verify_model: Verify a DSL representation of an authorization model.
  • get_model_dsl: Get the DSL from a specific authorization model from a particular store.

Relationship Tuples Management

  • check_permission: Check if something has a relation to an object. This answers, can (user) do (relation) on (object)?

  • grant_permission: Grant permission to something on an object by creating a relationship tuple.

  • revoke_permission: Revoke permission from something on an object by deleting a relationship tuple.

  • list_users: Return a list of users that have a given relationship with a given object.

  • list_objects: Return a list of objects of a type that something has a relation to.

Configuration

The server requires the following configuration options:

Environment VariableDefaultDescription
OPENFGA_MCP_API_URLhttp://127.0.0.1:8080URL of your OpenFGA server

The server accepts the following optional configuration options:

Environment VariableDefaultDescription
OPENFGA_MCP_TRANSPORTstdioTransport to use for communication with the MCP server (stdio or http)
OPENFGA_MCP_TRANSPORT_HOST127.0.0.1The host to bind the MCP server to (only affects HTTP transport)
OPENFGA_MCP_TRANSPORT_PORT8080The port to bind the MCP server to (only affects HTTP transport)
OPENFGA_MCP_TRANSPORT_JSONfalseWhether the MCP server should use JSON responses (only affects HTTP transport)
OPENFGA_MCP_API_READONLYfalseWhether the MCP server should be read-only
OPENFGA_MCP_API_RESTRICTfalseWhether the MCP server should be restricted to the configured store and model IDs
OPENFGA_MCP_API_STOREnullOpenFGA Store ID the MCP server should use by default
OPENFGA_MCP_API_MODELnullOpenFGA Model ID the MCP server should use by default

Authentication

By default, the server will try to connect to the OpenFGA server without using authentication.

To use pre-shared key (token) authentication, the server accepts the following configuration options:

Environment VariableDefaultDescription
OPENFGA_MCP_API_TOKENnullAPI token for use with your OpenFGA server

To use Client Credentials authentication, the server accepts the following configuration options:

Environment VariableDefaultDescription
OPENFGA_MCP_API_CLIENT_IDnullClient ID for use with your OpenFGA server
OPENFGA_MCP_API_CLIENT_SECRETnullClient secret for use with your OpenFGA server
OPENFGA_MCP_API_ISSUERnullAPI issuer for use with your OpenFGA server
OPENFGA_MCP_API_AUDIENCEnullAPI audience for use with your OpenFGA server

Installation

Docker (Recommended)

docker pull evansims/openfga-mcp:latest

Composer

composer global require evansims/openfga-mcp

Usage

Claude Desktop

Using Docker:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "OPENFGA_MCP_API_URL=http://localhost:8080",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}

Using PHP:

{
  "mcpServers": {
    "OpenFGA": {
      "command": "php",
      "args": ["/path/to/vendor/bin/openfga-mcp"],
      "env": {
        "OPENFGA_MCP_API_URL": "http://localhost:8080"
      }
    }
  }
}

Claude Code

Cursor

Windsurf

Warp

Raycast

Contributing

Contributions are welcome! Please ensure all tests pass and linters are satisfied before submitting a pull request.

Related Servers