// SCAN REPORT

Zitadel MCP

26 tools. 15 can modify or destroy data without limits.

3 destructive tools with no built-in limits. Policy required.

Last updated:

15 can modify or destroy data
11 read-only
26 tools total

Community server · catalogue entry verified 12/06/2026

How to control Zitadel MCP ↓

TOOL MAP

What Zitadel MCP exposes to your agents

Read (11) Write / Execute (12) Destructive / Financial (3)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS
Critical Risk

The most dangerous Zitadel MCP tools

Destructive · High zitadel_delete_user The tool irreversibly deletes user data from an authentication system. Destructive · High zitadel_remove_user_grant This tool irreversibly deletes or revokes access control permissions (role grants). Destructive · High zitadel_deactivate_user Deactivating a user account revokes their ability to authenticate, which is a significant irreversible-in-effect action (even if technically re-activatable, it locks the user out immediately). Write · Medium portal_register_app This tool creates a new database record in the portal database, which is a write operation.

15 of Zitadel MCP's 26 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control Zitadel MCP

PolicyLayer is an MCP gateway — it sits between your AI agents and Zitadel MCP, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "zitadel_delete_user": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "zitadel_reactivate_user": {
    "limits": [
      {
        "counter": "zitadel_reactivate_user_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "zitadel_get_app": {
    "limits": [
      {
        "counter": "zitadel_get_app_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Zitadel MCP — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON ZITADEL →

Free to start. No card required.

FULL CATALOGUE

All 26 Zitadel MCP tools

DESTRUCTIVE 3 tools
Destructive zitadel_delete_user Permanently delete a user. This action cannot be undone. Requires confirm: true. Consider using zitadel_deacti Destructive zitadel_remove_user_grant Remove a role grant from a user by grant ID. Requires confirm: true. Destructive zitadel_deactivate_user Deactivate a user account. The user will no longer be able to log in. Requires confirm: true.
WRITE 12 tools
Write zitadel_reactivate_user Reactivate a previously deactivated user account. Write portal_register_app Register an application in the app-portal database so it appears in the portal UI. This only creates the porta Write portal_setup_full_app One-click app setup: creates a Zitadel project (or uses existing), OIDC application, project role, AND registe Write zitadel_create_oidc_app Create a new OIDC application in a Zitadel project. Returns the Client ID (and Client Secret for confidential Write zitadel_create_project Create a new project in Zitadel. Projects contain applications, roles, and grants. Write zitadel_create_service_user Create a new service account (machine user) for API access. Service accounts authenticate via JWT keys, not pa Write zitadel_create_service_user_key Generate a new key pair for a service account. The private key is returned ONLY at creation time — save it imm Write zitadel_create_user Create a new human user in Zitadel. An invitation email will be sent automatically so the user can set their p Write zitadel_create_user_grant Assign roles to a user by creating a grant. Validates that the roles exist in the project before granting. Write zitadel_lock_user Lock a user account. The user will not be able to log in until unlocked. Requires confirm: true. Write zitadel_unlock_user Unlock a previously locked user account. Write zitadel_update_app Update an OIDC application\
READ 11 tools
Read zitadel_get_app Get details of a specific application including its Client ID and OIDC configuration. Read zitadel_get_auth_config Get the environment variables needed for a new application\ Read zitadel_get_org Get details of the current organization (based on the configured ZITADEL_ORG_ID). Read zitadel_get_project Get details of a specific project by its ID. Read zitadel_get_user Get detailed information about a specific user by their user ID. Read zitadel_list_apps List all applications in a Zitadel project. Read zitadel_list_project_roles List all roles defined in a Zitadel project (e.g., Read zitadel_list_projects List all projects in the Zitadel organization. Read zitadel_list_service_user_keys List existing keys for a service account. Shows key metadata only (not private keys). Read zitadel_list_user_grants List role grants for a specific user, showing which roles they have been assigned. Read zitadel_list_users List or search users in the Zitadel instance. Returns user details including name, email, status, and login na
EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Sperax Ecosystem Crypto & DeFI MCP Server 1318 tools
admin
Mcp Afip 1300 tools
admin
Mcp Ap2 1300 tools
admin
BNB Chain MCP 1240 tools
admin
Nodebench 824 tools
admin
Amazon Bedrock Knowledge Base Retrieval MCP Server 805 tools
admin
Amazon Data Processing MCP Server 805 tools
admin
Amazon ECS MCP Server 805 tools
admin
FAQ

Questions about Zitadel MCP

Can an AI agent delete data through the Zitadel MCP server? +

Yes. The Zitadel MCP server exposes 3 destructive tools including zitadel_delete_user, zitadel_remove_user_grant, zitadel_deactivate_user. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Zitadel MCP? +

The Zitadel MCP server has 12 write tools including zitadel_reactivate_user, portal_register_app, portal_setup_full_app. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Zitadel MCP.

How many tools does the Zitadel MCP server expose? +

26 tools across 3 categories: Destructive, Read, Write. 11 are read-only. 15 can modify, create, or delete data.

How do I enforce a policy on Zitadel MCP? +

Register the Zitadel MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Zitadel MCP tool call.

Deterministic rules across all 26 Zitadel MCP tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON ZITADEL →

Free to start. No card required.

26 Zitadel MCP tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.