The Mcp Api MCP server exposes tools that can move money, delete data, or destroy resources. Without policy enforcement, an autonomous agent has unrestricted access to every one of them.
Destructive tools (cancelActionWithId, changePasswordWithId, deleteAPIKeyWithId) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.
Write operations (actionUserWithId, activateReactorWithId, approveDeviceWithId) modify state. Without rate limits, an agent can make hundreds of changes in seconds -- faster than any human can review or revert.
Execute tools (startIdentityProviderLoginWithId, startPasswordlessLoginWithId, startTwoFactorLoginWithId) trigger processes with side effects. Builds, notifications, workflows -- all fired without throttling.
These Mcp Api tools can modify, create, or destroy resources. Without a policy, your agent has unrestricted access to all of them.
| Tool | Description | Category |
| --- | --- | --- |
| actionUserWithId | Takes an action on a user. The user being actioned is called the "actionee" and the user taking the action is called the "actioner". Both user ids are required in the request object. | Write |
| activateReactorWithId | Activates the FusionAuth Reactor using a license Id and optionally a license text (for air-gapped deployments). | Write |
| approveDeviceWithId | Approve a device grant. | Write |
| commentOnUserWithId | Adds a comment to the user's account. | Write |
| completeVerifyIdentityWithId | Completes verification of an identity using verification codes from the Verify Start API. | Write |
| completeWebAuthnAssertionWithId | Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge without logging the user in. | Write |
| completeWebAuthnLoginWithId | Complete a WebAuthn authentication ceremony by validating the signature against the previously generated challenge and then log the user in. | Write |
| completeWebAuthnRegistrationWithId | Complete a WebAuthn registration ceremony by validating the client request and saving the new credential. | Write |
| createAPIKey | Creates an API key. You can optionally specify a unique Id for the key, if not provided one will be generated. An API key can only be created with equal or lesser authority. An API key cannot create another API key unless it is granted to that API key. If an API key is locked to a tenant, it can only create API Keys for that same tenant. | Write |
| createAPIKeyWithId | Creates an API key. You can optionally specify a unique Id for the key, if not provided one will be generated. An API key can only be created with equal or lesser authority. An API key cannot create another API key unless it is granted to that API key. If an API key is locked to a tenant, it can only create API Keys for that same tenant. | Write |
| createApplication | Creates an application. You can optionally specify an Id for the application, if not provided one will be generated. | Write |
| createApplicationRole | Creates a new role for an application. You must specify the Id of the application you are creating the role for. You can optionally specify an Id for the role inside the ApplicationRole object itself, if not provided one will be generated. | Write |
| createApplicationRoleWithId | Creates a new role for an application. You must specify the Id of the application you are creating the role for. You can optionally specify an Id for the role inside the ApplicationRole object itself, if not provided one will be generated. | Write |
| createApplicationWithId | Creates an application. You can optionally specify an Id for the application, if not provided one will be generated. | Write |
| createAuditLogWithId | Creates an audit log with the message and user name (usually an email). Audit logs should be written anytime you make changes to the FusionAuth database. When using the FusionAuth App web interface, any changes are automatically written to the audit log. However, if you are accessing the API, you must write the audit logs yourself. | Write |
| createConnector | Creates a connector. You can optionally specify an Id for the connector, if not provided one will be generated. | Write |
| createConnectorWithId | Creates a connector. You can optionally specify an Id for the connector, if not provided one will be generated. | Write |
| createConsent | Creates a user consent type. You can optionally specify an Id for the consent type, if not provided one will be generated. | Write |
| createConsentWithId | Creates a user consent type. You can optionally specify an Id for the consent type, if not provided one will be generated. | Write |
| createEmailTemplate | Creates an email template. You can optionally specify an Id for the template, if not provided one will be generated. | Write |
| createEmailTemplateWithId | Creates an email template. You can optionally specify an Id for the template, if not provided one will be generated. | Write |
| createEntity | Creates an Entity. You can optionally specify an Id for the Entity. If not provided one will be generated. | Write |
| createEntityType | Creates an Entity Type. You can optionally specify an Id for the Entity Type, if not provided one will be generated. | Write |
| createEntityTypePermission | Creates a new permission for an entity type. You must specify the Id of the entity type you are creating the permission for. You can optionally specify an Id for the permission inside the EntityTypePermission object itself, if not provided one will be generated. | Write |
| createEntityTypePermissionWithId | Creates a new permission for an entity type. You must specify the Id of the entity type you are creating the permission for. You can optionally specify an Id for the permission inside the EntityTypePermission object itself, if not provided one will be generated. | Write |
| createEntityTypeWithId | Creates an Entity Type. You can optionally specify an Id for the Entity Type, if not provided one will be generated. | Write |
| createEntityWithId | Creates an Entity. You can optionally specify an Id for the Entity. If not provided one will be generated. | Write |
| createFamily | Creates a family with the user Id in the request as the owner and sole member of the family. You can optionally specify an Id for the family, if not provided one will be generated. | Write |
| createFamilyWithId | Creates a family with the user Id in the request as the owner and sole member of the family. You can optionally specify an Id for the family, if not provided one will be generated. | Write |
| createForm | Creates a form. You can optionally specify an Id for the form, if not provided one will be generated. | Write |
| createFormField | Creates a form field. You can optionally specify an Id for the form, if not provided one will be generated. | Write |
| createFormFieldWithId | Creates a form field. You can optionally specify an Id for the form, if not provided one will be generated. | Write |
| createFormWithId | Creates a form. You can optionally specify an Id for the form, if not provided one will be generated. | Write |
| createGroup | Creates a group. You can optionally specify an Id for the group, if not provided one will be generated. | Write |
| createGroupMembersWithId | Creates a member in a group. | Write |
| createGroupWithId | Creates a group. You can optionally specify an Id for the group, if not provided one will be generated. | Write |
| createIdentityProvider | Creates an identity provider. You can optionally specify an Id for the identity provider, if not provided one will be generated. | Write |
| createIdentityProviderWithId | Creates an identity provider. You can optionally specify an Id for the identity provider, if not provided one will be generated. | Write |
| createIntrospect | Inspect an access token issued as the result of the Client Credentials Grant. OR Inspect an access token issued as the result of the User based grant such as the Authorization Code Grant, Implicit Grant, the User Credentials Grant or the Refresh Grant. | Write |
| createIPAccessControlList | Creates an IP Access Control List. You can optionally specify an Id on this create request, if one is not provided one will be generated. | Write |
| createIPAccessControlListWithId | Creates an IP Access Control List. You can optionally specify an Id on this create request, if one is not provided one will be generated. | Write |
| createLambda | Creates a Lambda. You can optionally specify an Id for the lambda, if not provided one will be generated. | Write |
| createLambdaWithId | Creates a Lambda. You can optionally specify an Id for the lambda, if not provided one will be generated. | Write |
| createLogout | The Logout API is intended to be used to remove the refresh token and access token cookies if they exist on the client and revoke the refresh token stored. This API takes the refresh token in the JSON body. OR The Logout API is intended to be used to remove the refresh token and access token cookies if they exist on the client and revoke the refresh token stored. This API does nothing if the request does not contain an access token or refresh token cookies. | Write |
| createMessageTemplate | Creates a message template. You can optionally specify an Id for the template, if not provided one will be generated. | Write |
| createMessageTemplateWithId | Creates a message template. You can optionally specify an Id for the template, if not provided one will be generated. | Write |
| createMessenger | Creates a messenger. You can optionally specify an Id for the messenger, if not provided one will be generated. | Write |
| createMessengerWithId | Creates a messenger. You can optionally specify an Id for the messenger, if not provided one will be generated. | Write |
| createOAuthScope | Creates a new custom OAuth scope for an application. You must specify the Id of the application you are creating the scope for. You can optionally specify an Id for the OAuth scope on the URL, if not provided one will be generated. | Write |
| createOAuthScopeWithId | Creates a new custom OAuth scope for an application. You must specify the Id of the application you are creating the scope for. You can optionally specify an Id for the OAuth scope on the URL, if not provided one will be generated. | Write |
| createTenant | Creates a tenant. You can optionally specify an Id for the tenant, if not provided one will be generated. | Write |
| createTenantWithId | Creates a tenant. You can optionally specify an Id for the tenant, if not provided one will be generated. | Write |
| createTheme | Creates a Theme. You can optionally specify an Id for the theme, if not provided one will be generated. | Write |
| createThemeWithId | Creates a Theme. You can optionally specify an Id for the theme, if not provided one will be generated. | Write |
| createToken | Exchange User Credentials for a Token. If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token. OR Exchange a Refresh Token for an Access Token. If you will be using the Refresh Token Grant, you will make a request to the Token endpoint to exchange the user’s refresh token for an access token. OR Exchanges an OAuth authorization code and code_verifier for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token. OR Exchanges an OAuth authorization code for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token. OR Make a Client Credentials grant request to obtain an access token. | Write |
| createUser | Creates a user. You can optionally specify an Id for the user, if not provided one will be generated. | Write |
| createUserAction | Creates a user action. This action cannot be taken on a user until this call successfully returns. Anytime after that the user action can be applied to any user. | Write |
| createUserActionReason | Creates a user reason. This user action reason cannot be used when actioning a user until this call completes successfully. Anytime after that the user action reason can be used. | Write |
| createUserActionReasonWithId | Creates a user reason. This user action reason cannot be used when actioning a user until this call completes successfully. Anytime after that the user action reason can be used. | Write |
| createUserActionWithId | Creates a user action. This action cannot be taken on a user until this call successfully returns. Anytime after that the user action can be applied to any user. | Write |
| createUserChangePassword | Changes a user's password using their access token (JWT) instead of the changePasswordId. A common use case for this method will be if you want to allow the user to change their own password. Remember to send refreshToken in the request body if you want to get a new refresh token when logging in using the returned oneTimePassword. OR Changes a user's password using their identity (loginId and password). Using a loginId instead of the changePasswordId bypasses the email verification and allows a password to be changed directly without first calling the #forgotPassword method. | Write |
| createUserConsent | Creates a single User consent. | Write |
| createUserConsentWithId | Creates a single User consent. | Write |
| createUserLinkWithId | Link an external user from a 3rd party identity provider to a FusionAuth user. | Write |
| createUserVerifyEmail | Administratively verify a user's email address. Use this method to bypass email verification for the user. The request body will contain the userId to be verified. An API key is required when sending the userId in the request body. OR Confirms a user's email address. The request body will contain the verificationId. You may also be required to send a one-time use code based upon your configuration. When the tenant is configured to gate a user until their email address is verified, this procedure requires two values instead of one. The verificationId is a high entropy value and the one-time use code is a low entropy value that is easily entered in a user interactive form. The two values together are able to confirm a user's email address and mark the user's email address as verified. | Write |
| createUserWithId | Creates a user. You can optionally specify an Id for the user, if not provided one will be generated. | Write |
| createWebhook | Creates a webhook. You can optionally specify an Id for the webhook, if not provided one will be generated. | Write |
| createWebhookWithId | Creates a webhook. You can optionally specify an Id for the webhook, if not provided one will be generated. | Write |
| enableTwoFactorWithId | Enable two-factor authentication for a user. | Write |
| exchangeRefreshTokenForJWTWithId | Exchange a refresh token for a new JWT. | Write |
| generateKey | Generate a new RSA or EC key pair or an HMAC secret. | Write |
| generateKeyWithId | Generate a new RSA or EC key pair or an HMAC secret. | Write |
| generateTwoFactorRecoveryCodesWithId | Generate two-factor recovery codes for a user. Generating two-factor recovery codes will invalidate any existing recovery codes. | Write |
| generateTwoFactorSecretUsingJWTWithId | Generate a Two Factor secret that can be used to enable Two Factor authentication for a User. The response will contain both the secret and a Base32 encoded form of the secret which can be shown to a User when using a 2 Step Authentication application such as Google Authenticator. | Write |
| identityProviderLoginWithId | Handles login via third-parties including Social login, external OAuth and OpenID Connect, and other login systems. | Write |
| importKey | Import an existing RSA or EC key pair or an HMAC secret. | Write |
| importKeyWithId | Import an existing RSA or EC key pair or an HMAC secret. | Write |
| importRefreshTokensWithId | Bulk imports refresh tokens. This request performs minimal validation and runs batch inserts of refresh tokens with the expectation that each token represents a user that already exists and is registered for the corresponding FusionAuth Application. This is done to increase the insert performance. Therefore, if you encounter an error due to a database key violation, the response will likely offer a generic explanation. If you encounter an error, you may optionally enable additional validation to receive a JSON response body with specific validation errors. This will slow the request down but will allow you to identify the cause of the failure. See the validateDbConstraints request parameter. | Write |
| importUsersWithId | Bulk imports users. This request performs minimal validation and runs batch inserts of users with the expectation that each user does not yet exist and each registration corresponds to an existing FusionAuth Application. This is done to increase the insert performance. Therefore, if you encounter an error due to a database key violation, the response will likely offer a generic explanation. If you encounter an error, you may optionally enable additional validation to receive a JSON response body with specific validation errors. This will slow the request down but will allow you to identify the cause of the failure. See the validateDbConstraints request parameter. | Write |
| importWebAuthnCredentialWithId | Import a WebAuthn credential. | Write |
| issueJWTWithId | Issue a new access token (JWT) for the requested Application after ensuring the provided JWT is valid. A valid access token is properly signed and not expired. This API may be used in an SSO configuration to issue new tokens for another application after the user has obtained a valid token from authentication. | Write |
| loginPingWithId | Sends a ping to FusionAuth indicating that the user was automatically logged into an application. When using FusionAuth's SSO or your own, you should call this if the user is already logged in centrally, but accesses an application where they no longer have a session. This helps correctly track login counts, times and helps with reporting. | Write |
| loginPingWithRequestWithId | Sends a ping to FusionAuth indicating that the user was automatically logged into an application. When using FusionAuth's SSO or your own, you should call this if the user is already logged in centrally, but accesses an application where they no longer have a session. This helps correctly track login counts, times and helps with reporting. | Write |
| loginWithId | Authenticates a user to FusionAuth. This API optionally requires an API key. See Application.loginConfiguration.requireAuthentication. | Write |
| modifyActionWithId | Modifies a temporal user action by changing the expiration of the action and optionally adding a comment to the action. | Write |
| passwordlessLoginWithId | Complete a login request using a passwordless code. | Write |
| patchAPIKeyWithId | Updates an API key with the given Id. | Write |
| patchApplicationRoleWithId | Updates, via PATCH, the application role with the given Id for the application. | Write |
| patchApplicationWithId | Updates, via PATCH, the application with the given Id. | Write |
| patchConnectorWithId | Updates, via PATCH, the connector with the given Id. | Write |
| patchConsentWithId | Updates, via PATCH, the consent with the given Id. | Write |
| patchEmailTemplateWithId | Updates, via PATCH, the email template with the given Id. | Write |
| patchEntityTypePermissionWithId | Patches the permission with the given Id for the entity type. | Write |
| patchEntityTypeWithId | Updates, via PATCH, the Entity Type with the given Id. | Write |
| patchEntityWithId | Updates, via PATCH, the Entity with the given Id. | Write |
| patchFormFieldWithId | Patches the form field with the given Id. | Write |
| patchFormWithId | Patches the form with the given Id. | Write |
| patchGroupWithId | Updates, via PATCH, the group with the given Id. | Write |
| patchIdentityProviderWithId | Updates, via PATCH, the identity provider with the given Id. | Write |
| patchIntegrationsWithId | Updates, via PATCH, the available integrations. | Write |
| patchIPAccessControlListWithId | Update the IP Access Control List with the given Id. | Write |
| patchLambdaWithId | Updates, via PATCH, the lambda with the given Id. | Write |
| patchMessageTemplateWithId | Updates, via PATCH, the message template with the given Id. | Write |
| patchMessengerWithId | Updates, via PATCH, the messenger with the given Id. | Write |
| patchOAuthScopeWithId | Updates, via PATCH, the custom OAuth scope with the given Id for the application. | Write |
| patchRegistrationWithId | Updates, via PATCH, the registration for the user with the given Id and the application defined in the request. | Write |
| patchSystemConfigurationWithId | Updates, via PATCH, the system configuration. | Write |
| patchTenantWithId | Updates, via PATCH, the tenant with the given Id. | Write |
| patchThemeWithId | Updates, via PATCH, the theme with the given Id. | Write |
| patchUserActionReasonWithId | Updates, via PATCH, the user action reason with the given Id. | Write |
| patchUserActionWithId | Updates, via PATCH, the user action with the given Id. | Write |
| patchUserConsentWithId | Updates, via PATCH, a single User consent by Id. | Write |
| patchUserWithId | Updates, via PATCH, the user with the given Id. | Write |
| patchWebhookWithId | Patches the webhook with the given Id. | Write |
| reconcileJWTWithId | Reconcile a User to FusionAuth using JWT issued from another Identity Provider. | Write |
| register | Registers a user for an application. If you provide the User and the UserRegistration object on this request, it will create the user as well as register them for the application. This is called a Full Registration. However, if you only provide the UserRegistration object, then the user must already exist and they will be registered for the application. The user Id can also be provided and it will either be used to look up an existing user or it will be used for the newly created User. | Write |
| registerWithId | Registers a user for an application. If you provide the User and the UserRegistration object on this request, it will create the user as well as register them for the application. This is called a Full Registration. However, if you only provide the UserRegistration object, then the user must already exist and they will be registered for the application. The user Id can also be provided and it will either be used to look up an existing user or it will be used for the newly created User. | Write |
| sendEmailWithId | Send an email using an email template Id. You can optionally provide requestData to access key value pairs in the email template. | Write |
| sendFamilyRequestEmailWithId | Sends out an email to a parent that they need to register and create a family or need to log in and add a child to their existing family. | Write |
| sendPasswordlessCodeWithId | Send a passwordless authentication code in an email to complete login. | Write |
| sendTwoFactorCodeForEnableDisableWithId | Send a Two Factor authentication code to assist in setting up Two Factor authentication or disabling. | Write |
| sendTwoFactorCodeForLoginUsingMethodWithId | Send a Two Factor authentication code to allow the completion of Two Factor authentication. | Write |
| sendVerifyIdentityWithId | Send a verification code using the appropriate transport for the identity type being verified. | Write |
| twoFactorLoginWithId | Complete login using a 2FA challenge. | Write |
| updateAPIKeyWithId | Updates an API key with the given Id. | Write |
| updateApplicationRoleWithId | Updates the application role with the given Id for the application. | Write |
| updateApplicationWithId | Updates the application with the given Id. OR Reactivates the application with the given Id. | Write |
| updateConnectorWithId | Updates the connector with the given Id. | Write |
| updateConsentWithId | Updates the consent with the given Id. | Write |
| updateEmailTemplateWithId | Updates the email template with the given Id. | Write |
| updateEntityTypePermissionWithId | Updates the permission with the given Id for the entity type. | Write |
| updateEntityTypeWithId | Updates the Entity Type with the given Id. | Write |
| updateEntityWithId | Updates the Entity with the given Id. | Write |
| updateFormFieldWithId | Updates the form field with the given Id. | Write |
| updateFormWithId | Updates the form with the given Id. | Write |
| updateGroupMembersWithId | Creates a member in a group. | Write |
| updateGroupWithId | Updates the group with the given Id. | Write |
| updateIdentityProviderWithId | Updates the identity provider with the given Id. | Write |
| updateIntegrationsWithId | Updates the available integrations. | Write |
| updateIPAccessControlListWithId | Updates the IP Access Control List with the given Id. | Write |
| updateKeyWithId | Updates the key with the given Id. | Write |
| updateLambdaWithId | Updates the lambda with the given Id. | Write |
| updateMessageTemplateWithId | Updates the message template with the given Id. | Write |
| updateMessengerWithId | Updates the messenger with the given Id. | Write |
| updateOAuthScopeWithId | Updates the OAuth scope with the given Id for the application. | Write |
| updateRegistrationWithId | Updates the registration for the user with the given Id and the application defined in the request. | Write |
| updateSystemConfigurationWithId | Updates the system configuration. | Write |
| updateTenantWithId | Updates the tenant with the given Id. | Write |
| updateThemeWithId | Updates the theme with the given Id. | Write |
| updateUserActionReasonWithId | Updates the user action reason with the given Id. | Write |
| updateUserActionWithId | Updates the user action with the given Id. OR Reactivates the user action with the given Id. | Write |
| updateUserConsentWithId | Updates a single User consent by Id. | Write |
| updateUserFamilyWithId | Updates a family with a given Id. OR Adds a user to an existing family. The family Id must be specified. | Write |
| updateUserVerifyEmail | Re-sends the verification email to the user. If the Application has configured a specific email template this will be used instead of the tenant configuration. OR Re-sends the verification email to the user. OR Generate a new Email Verification Id to be used with the Verify Email API. This API will not attempt to send an email to the User. This API may be used to collect the verificationId for use with a third party system. | Write |
| updateUserVerifyRegistration | Re-sends the application registration verification email to the user. OR Generate a new Application Registration Verification Id to be used with the Verify Registration API. This API will not attempt to send an email to the User. This API may be used to collect the verificationId for use with a third party system. | Write |
| updateUserWithId | Updates the user with the given Id. OR Reactivates the user with the given Id. | Write |
| updateWebhookWithId | Updates the webhook with the given Id. | Write |
| upsertEntityGrantWithId | Creates or updates an Entity Grant. This is when a User/Entity is granted permissions to an Entity. | Write |
| vendJWTWithId | It's a JWT vending machine! Issue a new access token (JWT) with the provided claims in the request. This JWT is not scoped to a tenant or user, it is a free form token that will contain what claims you provide. The iat, exp and jti claims will be added by FusionAuth, all other claims must be provided by the caller. If a TTL is not provided in the request, the TTL will be retrieved from the default Tenant or the Tenant specified on the request either by way of the X-FusionAuth-TenantId request header, or a tenant scoped API key. | Write |
| cancelActionWithId | Cancels the user action. | Destructive |
| changePasswordWithId | Changes a user's password using the change password Id. This usually occurs after an email has been sent to the user and they clicked on a link to reset their password. As of version 1.32.2, prefer sending the changePasswordId in the request body. To do this, omit the first parameter, and set the value in the request body. | Destructive |
| deleteAPIKeyWithId | Deletes the API key for the given Id. | Destructive |
| deleteApplicationRoleWithId | Hard deletes an application role. This is a dangerous operation and should not be used in most circumstances. This permanently removes the given role from all users that had it. | Destructive |
| deleteApplicationWithId | Hard deletes an application. This is a dangerous operation and should not be used in most circumstances. This will delete the application, any registrations for that application, metrics and reports for the application, all the roles for the application, and any other data associated with the application. This operation could take a very long time, depending on the amount of data in your database. OR Deactivates the application with the given Id. | Destructive |
| deleteConnectorWithId | Deletes the connector for the given Id. | Destructive |
| deleteConsentWithId | Deletes the consent for the given Id. | Destructive |
| deleteEmailTemplateWithId | Deletes the email template for the given Id. | Destructive |
| deleteEntityGrantWithId | Deletes an Entity Grant for the given User or Entity. | Destructive |
| deleteEntityTypePermissionWithId | Hard deletes a permission. This is a dangerous operation and should not be used in most circumstances. This permanently removes the given permission from all grants that had it. | Destructive |
| deleteEntityTypeWithId | Deletes the Entity Type for the given Id. | Destructive |
| deleteEntityWithId | Deletes the Entity for the given Id. | Destructive |
| deleteFormFieldWithId | Deletes the form field for the given Id. | Destructive |
| deleteFormWithId | Deletes the form for the given Id. | Destructive |
| deleteGroupMembersWithId | Removes users as members of a group. | Destructive |
| deleteGroupWithId | Deletes the group for the given Id. | Destructive |
| deleteIdentityProviderWithId | Deletes the identity provider for the given Id. | Destructive |
| deleteIPAccessControlListWithId | Deletes the IP Access Control List for the given Id. | Destructive |
| deleteJwtRefresh | Revokes refresh tokens using the information in the JSON body. The handling for this method is the same as the revokeRefreshToken method and is based on the information you provide in the RefreshDeleteRequest object. See that method for additional information. OR Revoke all refresh tokens that belong to a user by user Id for a specific application by applicationId. OR Revoke all refresh tokens that belong to a user by user Id. OR Revoke all refresh tokens that belong to an application by applicationId. OR Revokes a single refresh token by using the actual refresh token value. This refresh token value is sensitive, so be careful with this API request. OR Revokes refresh tokens. Usage examples: - Delete a single refresh token, pass in only the token. revokeRefreshToken(token) - Delete all refresh tokens for a user, pass in only the userId. revokeRefreshToken(null, userId) - Delete all refresh tokens for a user for a specific application, pass in both the userId and the applicationId. revokeRefreshToken(null, userId, applicationId) - Delete all refresh tokens for an application revokeRefreshToken(null, null, applicationId) Note: null may be handled differently depending upon the programming language. See also: (method names may vary by language... but you'll figure it out) - revokeRefreshTokenById - revokeRefreshTokenByToken - revokeRefreshTokensByUserId - revokeRefreshTokensByApplicationId - revokeRefreshTokensByUserIdForApplication | Destructive |
| deleteKeyWithId | Deletes the key for the given Id. | Destructive |
| deleteLambdaWithId | Deletes the lambda for the given Id. | Destructive |
| deleteMessageTemplateWithId | Deletes the message template for the given Id. | Destructive |
| deleteMessengerWithId | Deletes the messenger for the given Id. | Destructive |
| deleteOAuthScopeWithId | Hard deletes a custom OAuth scope. OAuth workflows that are still requesting the deleted OAuth scope may fail depending on the application's unknown scope policy. | Destructive |
| deleteTenantWithId | Deletes the tenant based on the given request (sent to the API as JSON). This permanently deletes all information, metrics, reports and data associated with the tenant and everything under the tenant (applications, users, etc). OR Deletes the tenant for the given Id asynchronously. This method is helpful if you do not want to wait for the delete operation to complete. OR Deletes the tenant based on the given Id on the URL. This permanently deletes all information, metrics, reports and data associated with the tenant and everything under the tenant (applications, users, etc). | Destructive |
| deleteThemeWithId | Deletes the theme for the given Id. | Destructive |
| deleteUserActionReasonWithId | Deletes the user action reason for the given Id. | Destructive |
| deleteUserActionWithId | Deletes the user action for the given Id. This permanently deletes the user action and also any history and logs of the action being applied to any users. OR Deactivates the user action with the given Id. | Destructive |
| deleteUserBulk | Deletes the users with the given Ids, or users matching the provided JSON query or queryString. The order of preference is Ids, query and then queryString, it is recommended to only provide one of the three for the request. This method can be used to deactivate or permanently delete (hard-delete) users based upon the hardDelete boolean in the request body. Using the dryRun parameter you may also request the result of the action without actually deleting or deactivating any users. OR Deactivates the users with the given Ids. | Destructive |
| deleteUserLinkWithId | Remove an existing link that has been made from a 3rd party identity provider to a FusionAuth user. | Destructive |
| deleteUserRegistrationWithId | Deletes the user registration for the given user and application along with the given JSON body that contains the event information. OR Deletes the user registration for the given user and application. | Destructive |
| deleteUserTwoFactorWithId | Disable two-factor authentication for a user using a JSON body rather than URL parameters. OR Disable two-factor authentication for a user. | Destructive |
| deleteUserWithId | Deletes the user based on the given request (sent to the API as JSON). This permanently deletes all information, metrics, reports and data associated with the user. OR Deletes the user for the given Id. This permanently deletes all information, metrics, reports and data associated with the user. OR Deactivates the user with the given Id. | Destructive |
| deleteWebAuthnCredentialWithId | Deletes the WebAuthn credential for the given Id. | Destructive |
| deleteWebhookWithId | Deletes the webhook for the given Id. | Destructive |
| forgotPasswordWithId | Begins the forgot password sequence, which kicks off an email to the user so that they can reset their password. | Destructive |
| reindexWithId | Requests Elasticsearch to delete and rebuild the index for FusionAuth users or entities. Be very careful when running this request as it will increase the CPU and I/O load on your database until the operation completes. Generally speaking you do not ever need to run this operation unless instructed by FusionAuth support, or if you are migrating a database to another system and you are not bringing along the Elasticsearch index. You have been warned. | Destructive |
| removeUserFromFamilyWithId | Removes a user from the family with the given Id. | Destructive |
| revokeRefreshTokenByIdWithId | Revokes a single refresh token by the unique Id. The unique Id is not sensitive as it cannot be used to obtain another JWT. | Destructive |
| revokeUserConsentWithId | Revokes a single User consent by Id. | Destructive |
| startIdentityProviderLoginWithId | Begins a login request for a 3rd party login that requires user interaction such as HYPR. | Execute |
| startPasswordlessLoginWithId | Start a passwordless login request by generating a passwordless code. This code can be sent to the User using the Send Passwordless Code API or using a mechanism outside of FusionAuth. The passwordless login is completed by using the Passwordless Login API with this code. | Execute |
| startTwoFactorLoginWithId | Start a Two-Factor login request by generating a two-factor identifier. This code can then be sent to the Two Factor Send API (/api/two-factor/send) in order to send a one-time use code to a user. You can also use one-time use code returned to send the code out-of-band. The Two-Factor login is completed by making a request to the Two-Factor Login API (/api/two-factor/login) with the two-factor identifier and the one-time use code. This API is intended to allow you to begin a Two-Factor login outside a normal login that originated from the Login API (/api/login). | Execute |
| startVerifyIdentityWithId | Start a verification of an identity by generating a code. This code can be sent to the User using the Verify Send API Verification Code API or using a mechanism outside of FusionAuth. | |
The verification is completed by using the Verify Complete API with this code. Execute startWebAuthnLoginWithId Start a WebAuthn authentication ceremony by generating a new challenge for the user Execute startWebAuthnRegistrationWithId Start a WebAuthn registration ceremony by generating a new challenge for the user Execute These rules are based on the tool categories exposed by the Mcp Api MCP server. Adjust the limits to match your use case.
cancelActionWithId:
  rules:
    - action: deny
      on_deny: "Destructive operations blocked by policy"

Destructive tools should never be available to autonomous agents without human approval.

actionUserWithId:
  rules:
    - name: "write-rate-limit"
      rate_limit: 30/hour
      on_deny: "Write rate limit reached"

Prevents bulk unintended modifications from agents caught in loops.

checkChangePasswordUsingIdWithId:
  rules:
    - action: allow
      rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.
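
A model of how the three rule shapes above behave when an agent loops on one tool, added here as an illustration and not Intercept's own code. The fixed-window counting, the rule evaluation order and the fallback denial messages are assumptions of this example; the tool names, limits and on_deny strings are the page's, and someUnlistedTool is a hypothetical name.

```python
import re

# The three rule snippets from this page plus the `default: "deny"` line of the
# complete policy file, written as a dict so no YAML parser is needed.
POLICY = {
    "default": "deny",
    "tools": {
        "cancelActionWithId": {"rules": [
            {"action": "deny",
             "on_deny": "Destructive operations blocked by policy"}]},
        "actionUserWithId": {"rules": [
            {"name": "write-rate-limit", "rate_limit": "30/hour",
             "on_deny": "Write rate limit reached"}]},
        "checkChangePasswordUsingIdWithId": {"rules": [
            {"action": "allow", "rate_limit": "60/minute"}]},
    },
}

# Only the two units that appear on the page are accepted.
UNIT_SECONDS = {"minute": 60, "hour": 3600}


def parse_rate_limit(spec):
    """Turn '30/hour' into (30, 3600); reject anything malformed."""
    match = re.fullmatch(r"(\d+)/(minute|hour)", spec.strip())
    if match is None:
        raise ValueError(f"unsupported rate_limit: {spec!r}")
    return int(match.group(1)), UNIT_SECONDS[match.group(2)]


class PolicyModel:
    """Assumed semantics: rules run in order, the first failing rule denies,
    and each rate limit is a fixed window that opens on the first call."""

    def __init__(self, policy):
        self.policy = policy
        self.windows = {}  # (tool, rule index) -> (window start, calls counted)

    def check(self, tool, now):
        """Return (allowed, reason) for one call to `tool` at time `now` (s)."""
        entry = self.policy["tools"].get(tool)
        if entry is None:
            if self.policy.get("default") == "allow":
                return True, None
            return False, "tool not listed (default deny)"
        for index, rule in enumerate(entry["rules"]):
            if rule.get("action") == "deny":
                return False, rule.get("on_deny", "denied by policy")
            if "rate_limit" in rule:
                limit, period = parse_rate_limit(rule["rate_limit"])
                start, count = self.windows.get((tool, index), (now, 0))
                if now - start >= period:      # window expired: start a new one
                    start, count = now, 0
                if count >= limit:
                    return False, rule.get("on_deny", "rate limit reached")
                self.windows[(tool, index)] = (start, count + 1)
        return True, None


def simulate_retry_loop(tool, calls, interval_s, policy=POLICY):
    """Replay `calls` identical calls spaced `interval_s` seconds apart and
    return (allowed, denied, sorted distinct denial reasons)."""
    model = PolicyModel(policy)
    results = [model.check(tool, n * interval_s) for n in range(calls)]
    allowed = sum(1 for ok, _ in results if ok)
    reasons = sorted({reason for ok, reason in results if not ok})
    return allowed, calls - allowed, reasons


if __name__ == "__main__":
    for name, calls, gap in [
        ("actionUserWithId", 100, 1.0),                  # write tool in a loop
        ("cancelActionWithId", 5, 1.0),                  # destructive tool
        ("checkChangePasswordUsingIdWithId", 120, 0.5),  # read tool, 2 calls/s
        ("someUnlistedTool", 1, 1.0),                    # hypothetical name
    ]:
        print(name, simulate_retry_loop(name, calls, gap))
```

In this model a fixed window can admit up to twice the limit in a short burst that straddles a window boundary, so size the limits with that in mind if your enforcement point counts the same way.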
This is the complete policy file for Mcp Api. It lists every tool with suggested default rules. Download it, adjust the limits, and run with Intercept.
version: "1" default: "deny" tools: cancelActionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" changePasswordWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteAPIKeyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteApplicationRoleWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteApplicationWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteConnectorWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteConsentWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteEmailTemplateWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteEntityGrantWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteEntityTypePermissionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteEntityTypeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteEntityWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteFormFieldWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteFormWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteGroupMembersWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteGroupWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteIdentityProviderWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteIPAccessControlListWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteJwtRefresh: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteKeyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteLambdaWithId: rules: - 
action: deny on_deny: "Destructive operation blocked by policy" deleteMessageTemplateWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteMessengerWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteOAuthScopeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteTenantWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteThemeWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserActionReasonWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserActionWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserBulk: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserLinkWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserRegistrationWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserTwoFactorWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteUserWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteWebAuthnCredentialWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" deleteWebhookWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" forgotPasswordWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" reindexWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" removeUserFromFamilyWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" revokeRefreshTokenByIdWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" revokeUserConsentWithId: rules: - action: deny on_deny: "Destructive operation blocked by policy" startIdentityProviderLoginWithId: rules: - action: allow rate_limit: 10/hour validate: 
required_args: true startPasswordlessLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true startTwoFactorLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true startVerifyIdentityWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true startWebAuthnLoginWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true startWebAuthnRegistrationWithId: rules: - action: allow rate_limit: 10/hour validate: required_args: true checkChangePasswordUsingIdWithId: rules: - action: allow rate_limit: 60/minute lookupIdentityProviderWithId: rules: - action: allow rate_limit: 60/minute retrieveActionWithId: rules: - action: allow rate_limit: 60/minute retrieveAPIKeyWithId: rules: - action: allow rate_limit: 60/minute retrieveApplication: rules: - action: allow rate_limit: 60/minute retrieveApplicationWithId: rules: - action: allow rate_limit: 60/minute retrieveAuditLogWithId: rules: - action: allow rate_limit: 60/minute retrieveConnectorWithId: rules: - action: allow rate_limit: 60/minute retrieveConsentWithId: rules: - action: allow rate_limit: 60/minute retrieveDailyActiveReportWithId: rules: - action: allow rate_limit: 60/minute retrieveDeviceUserCode: rules: - action: allow rate_limit: 60/minute retrieveEmailTemplate: rules: - action: allow rate_limit: 60/minute retrieveEmailTemplatePreviewWithId: rules: - action: allow rate_limit: 60/minute retrieveEmailTemplateWithId: rules: - action: allow rate_limit: 60/minute retrieveEntityGrantWithId: rules: - action: allow rate_limit: 60/minute retrieveEntityTypeWithId: rules: - action: allow rate_limit: 60/minute retrieveEntityWithId: rules: - action: allow rate_limit: 60/minute retrieveEventLogWithId: rules: - action: allow rate_limit: 60/minute retrieveFamiliesWithId: rules: - action: allow rate_limit: 60/minute retrieveFamilyMembersByFamilyIdWithId: rules: - action: allow rate_limit: 60/minute retrieveFormFieldWithId: rules: - 
action: allow rate_limit: 60/minute retrieveFormWithId: rules: - action: allow rate_limit: 60/minute retrieveGroupWithId: rules: - action: allow rate_limit: 60/minute retrieveIdentityProviderByTypeWithId: rules: - action: allow rate_limit: 60/minute retrieveIdentityProviderLink: rules: - action: allow rate_limit: 60/minute retrieveIdentityProviderWithId: rules: - action: allow rate_limit: 60/minute retrieveIPAccessControlListWithId: rules: - action: allow rate_limit: 60/minute retrieveJsonWebKeySetWithId: rules: - action: allow rate_limit: 60/minute retrieveJwtPublicKey: rules: - action: allow rate_limit: 60/minute retrieveKeysWithId: rules: - action: allow rate_limit: 60/minute retrieveKeyWithId: rules: - action: allow rate_limit: 60/minute retrieveLambdasByTypeWithId: rules: - action: allow rate_limit: 60/minute retrieveLambdaWithId: rules: - action: allow rate_limit: 60/minute retrieveMessageTemplate: rules: - action: allow rate_limit: 60/minute retrieveMessageTemplatePreviewWithId: rules: - action: allow rate_limit: 60/minute retrieveMessageTemplateWithId: rules: - action: allow rate_limit: 60/minute retrieveMessengerWithId: rules: - action: allow rate_limit: 60/minute retrieveMonthlyActiveReportWithId: rules: - action: allow rate_limit: 60/minute retrieveOauthConfigurationWithId: rules: - action: allow rate_limit: 60/minute retrieveOAuthScopeWithId: rules: - action: allow rate_limit: 60/minute retrieveOpenIdConfigurationWithId: rules: - action: allow rate_limit: 60/minute retrievePasswordValidationRulesWithId: rules: - action: allow rate_limit: 60/minute retrievePasswordValidationRulesWithTenantIdWithId: rules: - action: allow rate_limit: 60/minute retrievePendingChildrenWithId: rules: - action: allow rate_limit: 60/minute retrievePendingLinkWithId: rules: - action: allow rate_limit: 60/minute retrieveReactorMetricsWithId: rules: - action: allow rate_limit: 60/minute retrieveRefreshTokenByIdWithId: rules: - action: allow rate_limit: 60/minute 
retrieveRefreshTokensWithId: rules: - action: allow rate_limit: 60/minute retrieveRegistrationReportWithId: rules: - action: allow rate_limit: 60/minute retrieveRegistrationWithId: rules: - action: allow rate_limit: 60/minute retrieveReportLogin: rules: - action: allow rate_limit: 60/minute retrieveStatus: rules: - action: allow rate_limit: 60/minute retrieveSystemHealthWithId: rules: - action: allow rate_limit: 60/minute retrieveTenantWithId: rules: - action: allow rate_limit: 60/minute retrieveThemeWithId: rules: - action: allow rate_limit: 60/minute retrieveTotalReportWithId: rules: - action: allow rate_limit: 60/minute retrieveTwoFactorRecoveryCodesWithId: rules: - action: allow rate_limit: 60/minute retrieveTwoFactorStatusWithId: rules: - action: allow rate_limit: 60/minute retrieveUser: rules: - action: allow rate_limit: 60/minute retrieveUserAction: rules: - action: allow rate_limit: 60/minute retrieveUserActioning: rules: - action: allow rate_limit: 60/minute retrieveUserActionReason: rules: - action: allow rate_limit: 60/minute retrieveUserActionReasonWithId: rules: - action: allow rate_limit: 60/minute retrieveUserActionWithId: rules: - action: allow rate_limit: 60/minute retrieveUserChangePassword: rules: - action: allow rate_limit: 60/minute retrieveUserCommentsWithId: rules: - action: allow rate_limit: 60/minute retrieveUserConsentsWithId: rules: - action: allow rate_limit: 60/minute retrieveUserConsentWithId: rules: - action: allow rate_limit: 60/minute retrieveUserInfoFromAccessTokenWithId: rules: - action: allow rate_limit: 60/minute retrieveUserRecentLogin: rules: - action: allow rate_limit: 60/minute retrieveUserWithId: rules: - action: allow rate_limit: 60/minute retrieveVersionWithId: rules: - action: allow rate_limit: 60/minute retrieveWebAuthnCredentialsForUserWithId: rules: - action: allow rate_limit: 60/minute retrieveWebAuthnCredentialWithId: rules: - action: allow rate_limit: 60/minute retrieveWebhook: rules: - action: allow rate_limit: 
60/minute retrieveWebhookAttemptLogWithId: rules: - action: allow rate_limit: 60/minute retrieveWebhookEventLogWithId: rules: - action: allow rate_limit: 60/minute retrieveWebhookWithId: rules: - action: allow rate_limit: 60/minute searchApplicationsWithId: rules: - action: allow rate_limit: 60/minute searchAuditLogsWithId: rules: - action: allow rate_limit: 60/minute searchConsentsWithId: rules: - action: allow rate_limit: 60/minute searchEmailTemplatesWithId: rules: - action: allow rate_limit: 60/minute searchEntitiesByIdsWithId: rules: - action: allow rate_limit: 60/minute searchEntitiesWithId: rules: - action: allow rate_limit: 60/minute searchEntityGrantsWithId: rules: - action: allow rate_limit: 60/minute searchEntityTypesWithId: rules: - action: allow rate_limit: 60/minute searchEventLogsWithId: rules: - action: allow rate_limit: 60/minute searchGroupMembersWithId: rules: - action: allow rate_limit: 60/minute searchGroupsWithId: rules: - action: allow rate_limit: 60/minute searchIdentityProvidersWithId: rules: - action: allow rate_limit: 60/minute searchIPAccessControlListsWithId: rules: - action: allow rate_limit: 60/minute searchKeysWithId: rules: - action: allow rate_limit: 60/minute searchLambdasWithId: rules: - action: allow rate_limit: 60/minute searchLoginRecordsWithId: rules: - action: allow rate_limit: 60/minute searchTenantsWithId: rules: - action: allow rate_limit: 60/minute searchThemesWithId: rules: - action: allow rate_limit: 60/minute searchUserCommentsWithId: rules: - action: allow rate_limit: 60/minute searchUsersByIdsWithId: rules: - action: allow rate_limit: 60/minute searchUsersByQueryWithId: rules: - action: allow rate_limit: 60/minute searchWebhookEventLogsWithId: rules: - action: allow rate_limit: 60/minute searchWebhooksWithId: rules: - action: allow rate_limit: 60/minute validateDeviceWithId: rules: - action: allow rate_limit: 60/minute validateJWTWithId: rules: - action: allow rate_limit: 60/minute verifyIdentityWithId: rules: - 
action: allow rate_limit: 60/minute verifyUserRegistrationWithId: rules: - action: allow rate_limit: 60/minute actionUserWithId: rules: - action: allow rate_limit: 30/hour activateReactorWithId: rules: - action: allow rate_limit: 30/hour approveDeviceWithId: rules: - action: allow rate_limit: 30/hour commentOnUserWithId: rules: - action: allow rate_limit: 30/hour completeVerifyIdentityWithId: rules: - action: allow rate_limit: 30/hour completeWebAuthnAssertionWithId: rules: - action: allow rate_limit: 30/hour completeWebAuthnLoginWithId: rules: - action: allow rate_limit: 30/hour completeWebAuthnRegistrationWithId: rules: - action: allow rate_limit: 30/hour createAPIKey: rules: - action: allow rate_limit: 30/hour createAPIKeyWithId: rules: - action: allow rate_limit: 30/hour createApplication: rules: - action: allow rate_limit: 30/hour createApplicationRole: rules: - action: allow rate_limit: 30/hour createApplicationRoleWithId: rules: - action: allow rate_limit: 30/hour createApplicationWithId: rules: - action: allow rate_limit: 30/hour createAuditLogWithId: rules: - action: allow rate_limit: 30/hour createConnector: rules: - action: allow rate_limit: 30/hour createConnectorWithId: rules: - action: allow rate_limit: 30/hour createConsent: rules: - action: allow rate_limit: 30/hour createConsentWithId: rules: - action: allow rate_limit: 30/hour createEmailTemplate: rules: - action: allow rate_limit: 30/hour createEmailTemplateWithId: rules: - action: allow rate_limit: 30/hour createEntity: rules: - action: allow rate_limit: 30/hour createEntityType: rules: - action: allow rate_limit: 30/hour createEntityTypePermission: rules: - action: allow rate_limit: 30/hour createEntityTypePermissionWithId: rules: - action: allow rate_limit: 30/hour createEntityTypeWithId: rules: - action: allow rate_limit: 30/hour createEntityWithId: rules: - action: allow rate_limit: 30/hour createFamily: rules: - action: allow rate_limit: 30/hour createFamilyWithId: rules: - action: allow 
rate_limit: 30/hour createForm: rules: - action: allow rate_limit: 30/hour createFormField: rules: - action: allow rate_limit: 30/hour createFormFieldWithId: rules: - action: allow rate_limit: 30/hour createFormWithId: rules: - action: allow rate_limit: 30/hour createGroup: rules: - action: allow rate_limit: 30/hour createGroupMembersWithId: rules: - action: allow rate_limit: 30/hour createGroupWithId: rules: - action: allow rate_limit: 30/hour createIdentityProvider: rules: - action: allow rate_limit: 30/hour createIdentityProviderWithId: rules: - action: allow rate_limit: 30/hour createIntrospect: rules: - action: allow rate_limit: 30/hour createIPAccessControlList: rules: - action: allow rate_limit: 30/hour createIPAccessControlListWithId: rules: - action: allow rate_limit: 30/hour createLambda: rules: - action: allow rate_limit: 30/hour createLambdaWithId: rules: - action: allow rate_limit: 30/hour createLogout: rules: - action: allow rate_limit: 30/hour createMessageTemplate: rules: - action: allow rate_limit: 30/hour createMessageTemplateWithId: rules: - action: allow rate_limit: 30/hour createMessenger: rules: - action: allow rate_limit: 30/hour createMessengerWithId: rules: - action: allow rate_limit: 30/hour createOAuthScope: rules: - action: allow rate_limit: 30/hour createOAuthScopeWithId: rules: - action: allow rate_limit: 30/hour createTenant: rules: - action: allow rate_limit: 30/hour createTenantWithId: rules: - action: allow rate_limit: 30/hour createTheme: rules: - action: allow rate_limit: 30/hour createThemeWithId: rules: - action: allow rate_limit: 30/hour createToken: rules: - action: allow rate_limit: 30/hour createUser: rules: - action: allow rate_limit: 30/hour createUserAction: rules: - action: allow rate_limit: 30/hour createUserActionReason: rules: - action: allow rate_limit: 30/hour createUserActionReasonWithId: rules: - action: allow rate_limit: 30/hour createUserActionWithId: rules: - action: allow rate_limit: 30/hour 
createUserChangePassword: rules: - action: allow rate_limit: 30/hour createUserConsent: rules: - action: allow rate_limit: 30/hour createUserConsentWithId: rules: - action: allow rate_limit: 30/hour createUserLinkWithId: rules: - action: allow rate_limit: 30/hour createUserVerifyEmail: rules: - action: allow rate_limit: 30/hour createUserWithId: rules: - action: allow rate_limit: 30/hour createWebhook: rules: - action: allow rate_limit: 30/hour createWebhookWithId: rules: - action: allow rate_limit: 30/hour enableTwoFactorWithId: rules: - action: allow rate_limit: 30/hour exchangeRefreshTokenForJWTWithId: rules: - action: allow rate_limit: 30/hour generateKey: rules: - action: allow rate_limit: 30/hour generateKeyWithId: rules: - action: allow rate_limit: 30/hour generateTwoFactorRecoveryCodesWithId: rules: - action: allow rate_limit: 30/hour generateTwoFactorSecretUsingJWTWithId: rules: - action: allow rate_limit: 30/hour identityProviderLoginWithId: rules: - action: allow rate_limit: 30/hour importKey: rules: - action: allow rate_limit: 30/hour importKeyWithId: rules: - action: allow rate_limit: 30/hour importRefreshTokensWithId: rules: - action: allow rate_limit: 30/hour importUsersWithId: rules: - action: allow rate_limit: 30/hour importWebAuthnCredentialWithId: rules: - action: allow rate_limit: 30/hour issueJWTWithId: rules: - action: allow rate_limit: 30/hour loginPingWithId: rules: - action: allow rate_limit: 30/hour loginPingWithRequestWithId: rules: - action: allow rate_limit: 30/hour loginWithId: rules: - action: allow rate_limit: 30/hour modifyActionWithId: rules: - action: allow rate_limit: 30/hour passwordlessLoginWithId: rules: - action: allow rate_limit: 30/hour patchAPIKeyWithId: rules: - action: allow rate_limit: 30/hour patchApplicationRoleWithId: rules: - action: allow rate_limit: 30/hour patchApplicationWithId: rules: - action: allow rate_limit: 30/hour patchConnectorWithId: rules: - action: allow rate_limit: 30/hour patchConsentWithId: rules: 
- action: allow rate_limit: 30/hour patchEmailTemplateWithId: rules: - action: allow rate_limit: 30/hour patchEntityTypePermissionWithId: rules: - action: allow rate_limit: 30/hour patchEntityTypeWithId: rules: - action: allow rate_limit: 30/hour patchEntityWithId: rules: - action: allow rate_limit: 30/hour patchFormFieldWithId: rules: - action: allow rate_limit: 30/hour patchFormWithId: rules: - action: allow rate_limit: 30/hour patchGroupWithId: rules: - action: allow rate_limit: 30/hour patchIdentityProviderWithId: rules: - action: allow rate_limit: 30/hour patchIntegrationsWithId: rules: - action: allow rate_limit: 30/hour patchIPAccessControlListWithId: rules: - action: allow rate_limit: 30/hour patchLambdaWithId: rules: - action: allow rate_limit: 30/hour patchMessageTemplateWithId: rules: - action: allow rate_limit: 30/hour patchMessengerWithId: rules: - action: allow rate_limit: 30/hour patchOAuthScopeWithId: rules: - action: allow rate_limit: 30/hour patchRegistrationWithId: rules: - action: allow rate_limit: 30/hour patchSystemConfigurationWithId: rules: - action: allow rate_limit: 30/hour patchTenantWithId: rules: - action: allow rate_limit: 30/hour patchThemeWithId: rules: - action: allow rate_limit: 30/hour patchUserActionReasonWithId: rules: - action: allow rate_limit: 30/hour patchUserActionWithId: rules: - action: allow rate_limit: 30/hour patchUserConsentWithId: rules: - action: allow rate_limit: 30/hour patchUserWithId: rules: - action: allow rate_limit: 30/hour patchWebhookWithId: rules: - action: allow rate_limit: 30/hour reconcileJWTWithId: rules: - action: allow rate_limit: 30/hour register: rules: - action: allow rate_limit: 30/hour registerWithId: rules: - action: allow rate_limit: 30/hour sendEmailWithId: rules: - action: allow rate_limit: 30/hour sendFamilyRequestEmailWithId: rules: - action: allow rate_limit: 30/hour sendPasswordlessCodeWithId: rules: - action: allow rate_limit: 30/hour sendTwoFactorCodeForEnableDisableWithId: rules: - 
action: allow rate_limit: 30/hour sendTwoFactorCodeForLoginUsingMethodWithId: rules: - action: allow rate_limit: 30/hour sendVerifyIdentityWithId: rules: - action: allow rate_limit: 30/hour twoFactorLoginWithId: rules: - action: allow rate_limit: 30/hour updateAPIKeyWithId: rules: - action: allow rate_limit: 30/hour updateApplicationRoleWithId: rules: - action: allow rate_limit: 30/hour updateApplicationWithId: rules: - action: allow rate_limit: 30/hour updateConnectorWithId: rules: - action: allow rate_limit: 30/hour updateConsentWithId: rules: - action: allow rate_limit: 30/hour updateEmailTemplateWithId: rules: - action: allow rate_limit: 30/hour updateEntityTypePermissionWithId: rules: - action: allow rate_limit: 30/hour updateEntityTypeWithId: rules: - action: allow rate_limit: 30/hour updateEntityWithId: rules: - action: allow rate_limit: 30/hour updateFormFieldWithId: rules: - action: allow rate_limit: 30/hour updateFormWithId: rules: - action: allow rate_limit: 30/hour updateGroupMembersWithId: rules: - action: allow rate_limit: 30/hour updateGroupWithId: rules: - action: allow rate_limit: 30/hour updateIdentityProviderWithId: rules: - action: allow rate_limit: 30/hour updateIntegrationsWithId: rules: - action: allow rate_limit: 30/hour updateIPAccessControlListWithId: rules: - action: allow rate_limit: 30/hour updateKeyWithId: rules: - action: allow rate_limit: 30/hour updateLambdaWithId: rules: - action: allow rate_limit: 30/hour updateMessageTemplateWithId: rules: - action: allow rate_limit: 30/hour updateMessengerWithId: rules: - action: allow rate_limit: 30/hour updateOAuthScopeWithId: rules: - action: allow rate_limit: 30/hour updateRegistrationWithId: rules: - action: allow rate_limit: 30/hour updateSystemConfigurationWithId: rules: - action: allow rate_limit: 30/hour updateTenantWithId: rules: - action: allow rate_limit: 30/hour updateThemeWithId: rules: - action: allow rate_limit: 30/hour updateUserActionReasonWithId: rules: - action: allow 
rate_limit: 30/hour updateUserActionWithId: rules: - action: allow rate_limit: 30/hour updateUserConsentWithId: rules: - action: allow rate_limit: 30/hour updateUserFamilyWithId: rules: - action: allow rate_limit: 30/hour updateUserVerifyEmail: rules: - action: allow rate_limit: 30/hour updateUserVerifyRegistration: rules: - action: allow rate_limit: 30/hour updateUserWithId: rules: - action: allow rate_limit: 30/hour updateWebhookWithId: rules: - action: allow rate_limit: 30/hour upsertEntityGrantWithId: rules: - action: allow rate_limit: 30/hour vendJWTWithId: rules: - action: allow rate_limit: 30/hour
Download the policy
curl -o io-fusionauth-mcp-api.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/io-fusionauth-mcp-api.yaml
Run Intercept in front of the server
intercept -c io-fusionauth-mcp-api.yaml -- npx -y @fusionauth/mcp-api
Works with any MCP client.
Every tool call is now checked against your policy before it reaches Mcp Api. Denied calls are blocked and logged. Allowed calls pass through with no latency impact.
Open source. One binary. Zero dependencies.
npx -y @policylayer/intercept