// MCP TOOL REFERENCE

ZITADEL MCP TOOLS

26 tools from the Zitadel MCP MCP Server, categorised by risk level.

// ALL 26 ZITADEL MCP TOOLS

READ 11 tools

Read zitadel_get_app Get details of a specific application including its Client ID and OIDC configuration. Read zitadel_get_auth_config Get the environment variables needed for a new application\ Read zitadel_get_org Get details of the current organization (based on the configured ZITADEL_ORG_ID). Read zitadel_get_project Get details of a specific project by its ID. Read zitadel_get_user Get detailed information about a specific user by their user ID. Read zitadel_list_apps List all applications in a Zitadel project. Read zitadel_list_project_roles List all roles defined in a Zitadel project (e.g., Read zitadel_list_projects List all projects in the Zitadel organization. Read zitadel_list_service_user_keys List existing keys for a service account. Shows key metadata only (not private keys). Read zitadel_list_user_grants List role grants for a specific user, showing which roles they have been assigned. Read zitadel_list_users List or search users in the Zitadel instance. Returns user details including name, email, status, and login...

WRITE 12 tools

Write zitadel_reactivate_user Reactivate a previously deactivated user account. Write portal_register_app Register an application in the app-portal database so it appears in the portal UI. This only creates the po... Write portal_setup_full_app One-click app setup: creates a Zitadel project (or uses existing), OIDC application, project role, AND regi... Write zitadel_create_oidc_app Create a new OIDC application in a Zitadel project. Returns the Client ID (and Client Secret for confidenti... Write zitadel_create_project Create a new project in Zitadel. Projects contain applications, roles, and grants. Write zitadel_create_service_user Create a new service account (machine user) for API access. Service accounts authenticate via JWT keys, not... Write zitadel_create_service_user_key Generate a new key pair for a service account. The private key is returned ONLY at creation time — save it ... Write zitadel_create_user Create a new human user in Zitadel. An invitation email will be sent automatically so the user can set thei... Write zitadel_create_user_grant Assign roles to a user by creating a grant. Validates that the roles exist in the project before granting. Write zitadel_lock_user Lock a user account. The user will not be able to log in until unlocked. Requires confirm: true. Write zitadel_unlock_user Unlock a previously locked user account. Write zitadel_update_app Update an OIDC application\

DESTRUCTIVE 3 tools

Destructive zitadel_delete_user Permanently delete a user. This action cannot be undone. Requires confirm: true. Consider using zitadel_dea... Destructive zitadel_remove_user_grant Remove a role grant from a user by grant ID. Requires confirm: true. Destructive zitadel_deactivate_user Deactivate a user account. The user will no longer be able to log in. Requires confirm: true.

// FAQ

How many tools does the Zitadel MCP MCP server have? +

The Zitadel MCP MCP server exposes 26 tools across 3 categories: Read, Write, Destructive.

How do I enforce policies on Zitadel MCP tools? +

Route the Zitadel MCP server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Zitadel MCP tools fall into? +

Zitadel MCP tools are categorised as Read (11), Write (12), Destructive (3). Each category has a recommended default policy.

Enforce policy on every Zitadel MCP tool call.

Start from Zitadel MCP, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.

CHECK YOUR STACK →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.