https://github.com/evansims/openfga-mcp
Model Context Protocol server enabling querying and management of OpenFGA and Auth0 FGA authorization stores for automation, intelligent tooling, and natural language.
authorization automation generative-ai mcp model-context-protocol openfga
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/evansims/openfga-mcp
- Owner: evansims
- License: apache-2.0
- Created: 2025-03-06T18:55:02.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2025-08-19T04:31:34.000Z (about 2 months ago)
- Last Synced: 2025-08-19T06:23:29.401Z (about 2 months ago)
- Topics: authorization, automation, generative-ai, mcp, model-context-protocol, openfga
- Language: PHP
- Homepage: https://openfga.dev
- Size: 1.74 MB
- Stars: 10
- Watchers: 1
- Forks: 3
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: .github/SECURITY.md
Awesome Lists containing this project
- mcp-index - OpenFGA MCP Server - Enables Large Language Models to interact with OpenFGA stores, facilitating reading, searching, and manipulation tasks. Supports fine-grained authorization through agentic AI and vibe coding. (Cloud Services)
README
Connect [OpenFGA](https://openfga.dev/) and [Auth0 FGA](https://auth0.com/fine-grained-authorization) to AI agents via the Model Context Protocol.
## Use Cases
- **Plan & Design** - Design efficient authorization models using best practice patterns
- **Generate Code** - Generate accurate SDK integrations with comprehensive documentation context
- **Manage Instances** - Query and control live OpenFGA servers through AI agents

## Quick Start
### Offline Mode (Default)
Design models and generate code without a server:
```json
{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--pull=always",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}
```

### Online Mode
Connect to OpenFGA for full management capabilities:
```json
{
  "mcpServers": {
    "OpenFGA": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--pull=always",
        "-e",
        "OPENFGA_MCP_API_URL=http://host.docker.internal:8080",
        "evansims/openfga-mcp:latest"
      ]
    }
  }
}
```

> **Safety:** Write operations are disabled by default. Set `OPENFGA_MCP_API_WRITEABLE=true` to enable.

> **Docker Networking:** For your `OPENFGA_MCP_API_URL` use `host.docker.internal` when running OpenFGA on your local machine, container names for Docker networks, or full URLs for remote instances.

Works with [Claude Desktop](https://claude.ai/download), [Claude Code](https://www.anthropic.com/claude-code), [Cursor](https://cursor.sh), [Windsurf](https://windsurf.com), [Zed](https://zed.dev), and other MCP clients.
## Configuration
### MCP Transport
| Variable | Default | Description |
| --------------------------------- | ----------- | ------------------------------------------------------------------------------- |
| `OPENFGA_MCP_TRANSPORT` | `stdio` | Supports `stdio` or `http` (Streamable HTTP). |
| `OPENFGA_MCP_TRANSPORT_HOST` | `127.0.0.1` | IP to listen for connections on. Only applicable when using `http` transport. |
| `OPENFGA_MCP_TRANSPORT_PORT` | `9090` | Port to listen for connections on. Only applicable when using `http` transport. |
| `OPENFGA_MCP_TRANSPORT_SSE` | `true` | Enables Server-Sent Events (SSE) streams for responses. |
| `OPENFGA_MCP_TRANSPORT_STATELESS` | `false` | Enables stateless mode for session-less clients. |

### OpenFGA
| Variable | Default | Description |
| --------------------------- | ------- | --------------------------------------------------- |
| `OPENFGA_MCP_API_URL` | | OpenFGA server URL |
| `OPENFGA_MCP_API_WRITEABLE` | `false` | Enables write operations |
| `OPENFGA_MCP_API_STORE` | | Default requests to a specific store ID |
| `OPENFGA_MCP_API_MODEL` | | Default requests to a specific model ID |
| `OPENFGA_MCP_API_RESTRICT` | `false` | Restrict requests to configured default store/model |

### OpenFGA Authentication
| Authentication | Variable | Default | Description |
| ------------------ | ------------------------------- | ------- | ------------- |
| Pre-Shared Keys | `OPENFGA_MCP_API_TOKEN` | | API Token |
| Client Credentials | `OPENFGA_MCP_API_CLIENT_ID` | | Client ID |
| | `OPENFGA_MCP_API_CLIENT_SECRET` | | Client Secret |
| | `OPENFGA_MCP_API_ISSUER` | | Token Issuer |
| | `OPENFGA_MCP_API_AUDIENCE` | | API Audience |

See [`docker-compose.example.yml`](docker-compose.example.yml) for complete examples.
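
An added example, not part of the project's README or code: a small Python audit of an MCP client config in the shape shown under Quick Start, using the variables from the Configuration tables. The policy it applies (writes only together with `OPENFGA_MCP_API_RESTRICT` and a default store, loopback-only `http` transport, no inline secrets), the function names, the sample config, and the assumption that the literal `true` is what enables a boolean setting are this example's own.

```python
import ipaddress
import json

# Constructed sample: a client config in the README's shape with risky settings.
SAMPLE = """
{"mcpServers": {"OpenFGA": {"command": "docker", "args": ["run", "--rm", "-i",
  "-e", "OPENFGA_MCP_API_URL=http://host.docker.internal:8080",
  "-e", "OPENFGA_MCP_API_WRITEABLE=true",
  "-e", "OPENFGA_MCP_TRANSPORT=http",
  "-e", "OPENFGA_MCP_TRANSPORT_HOST=0.0.0.0",
  "-e", "OPENFGA_MCP_API_TOKEN=example-not-a-real-token",
  "evansims/openfga-mcp:latest"]}}}
"""

SECRETS = {"OPENFGA_MCP_API_TOKEN", "OPENFGA_MCP_API_CLIENT_SECRET"}


def docker_env(args):
    """Collect KEY=VALUE pairs passed to `docker run` via -e / --env."""
    env = {}
    for flag, value in zip(args, args[1:]):
        if flag in ("-e", "--env") and "=" in value:
            key, _, val = value.partition("=")
            env[key] = val
    return env


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal; only accept the name localhost
        return host == "localhost"


def audit(config_text):
    """Return sorted (server, finding) pairs; the policy is this example's assumption."""
    findings = []
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        env = docker_env(server.get("args", []))
        writeable = env.get("OPENFGA_MCP_API_WRITEABLE", "false").lower() == "true"
        restricted = env.get("OPENFGA_MCP_API_RESTRICT", "false").lower() == "true"
        if writeable and not (restricted and env.get("OPENFGA_MCP_API_STORE")):
            findings.append((name, "writes enabled without RESTRICT and a default store"))
        host = env.get("OPENFGA_MCP_TRANSPORT_HOST", "127.0.0.1")
        if env.get("OPENFGA_MCP_TRANSPORT", "stdio") == "http" and not is_loopback(host):
            findings.append((name, "http transport listens on a non-loopback address"))
        for key in sorted(SECRETS & env.keys()):
            findings.append((name, f"{key} stored inline in the client config"))
    return sorted(findings)
```

Run against the README's own Online Mode config, `audit` returns an empty list, since that config leaves writes off and uses the default `stdio` transport.
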
## Features
### Management Tools
- **Stores**: Create, list, get, delete stores
- **Models**: Create models with [DSL](https://openfga.dev/docs/configuration-language), list, get, verify
- **Permissions**: Check, grant, revoke permissions; query users and objects

### SDK Documentation
Comprehensive documentation for accurate code generation:
- All OpenFGA SDKs (PHP, Go, Python, Java, .NET, JavaScript, Laravel)
- Class and method documentation with code examples
- Advanced search with language filtering

### AI Prompts
**Design & Planning**
- Domain-specific model design
- RBAC to ReBAC migration
- Hierarchical relationships
- Performance optimization

**Implementation**
- Step-by-step model creation
- Relationship patterns
- Test generation
- Security patterns

**Troubleshooting**
- Permission debugging
- Security audits
- Least privilege implementation

### Resources & URIs
- `openfga://stores` - List stores
- `openfga://store/{id}/model/{modelId}` - Model details
- `openfga://docs/{sdk}/class/{className}` - SDK documentation
- `openfga://docs/search/{query}` - Search documentation

### Smart Completions
Auto-completion for store IDs, model IDs, relations, users, and objects when connected.
---
- [Contributing](./.github/CONTRIBUTING.md) | [Apache 2.0 License](./LICENSE)