MCP Server

Returns the full project configuration: enabled auth providers, billing plans with prices, roles, and organizations.

Returns framework-specific SDK integration code. Supports nextjs, react, node, react-native, and flutter.

Verifies a JWT token issued by AuthGate and returns the decoded claims. Useful for debugging auth flows.

List end users with pagination. Returns user details, password status, and email verification state.

Get a single end user by ID with linked accounts, password credential status, and MFA enrollment.

Permanently delete an end user and all associated data (cascading).

Send a password reset email to an end user. Requires email, password credential, and a configured callback URL.

Manually set or unset the email verified status for an end user.

Resend an email verification OTP to an end user with an unverified email.

List active sessions, optionally filtered by end user ID.

Get full details of a specific session by ID.

Revoke (invalidate) an active session.

List organizations with pagination. Returns each org with its member count.

Get a single organization with full details: members (with user info and role), pending invitations, and member count.

Create an organization with a name, slug, and optional member limit.

Update an organization's name, slug, image, member limit, or metadata. Supports partial updates with slug uniqueness validation.

Permanently delete an organization. Cascading deletes are handled by database foreign keys.

List members of an organization with their user details and role.

Add an end user to an organization. Validates membership limits, duplicate check, and assigns default role.

Change a member's role within an organization.

Remove a member from an organization.

List all roles defined for the project with their permissions.

Create a role with a unique key and optional permissions list.

Update a role's name, permissions, or default status. The role key is immutable. Setting a role as default cascades (unsets previous default).

Delete a role. Blocked (409) if any organization members are currently assigned to it.

List all authentication providers and their enabled/disabled status for the project.

Enable or disable authentication providers (Google, GitHub, Discord, Azure, Apple, email, magic-link, SMS).

List all configured callback URLs for the project.

Add a callback URL to the project. Must be a valid URL.

Remove a callback URL by ID.

List all API keys for the project. Returns metadata only (keys are never exposed after creation).

Generate a new API key. The full key is returned once — store it securely.

Revoke all existing API keys and generate a new one. Returns the new key once.

Revoke a single API key by ID.

List all billing plans (products) with their prices. Supports filtering archived plans.

Create a billing plan with optional monthly price. Use for setting up Free, Pro, Enterprise tiers.

Get a user's billing entitlements: active subscription, plan features, and metered usage.

Create a billing migration to move subscribers between plans. Automatically maps prices by interval and currency.

Get a billing migration with its items grouped by status (pending, completed, failed).

Execute a pending billing migration, moving all subscribers to the target plan.

Report metered usage events in batch. Supports idempotency keys to prevent double-counting.

Get aggregated usage summary for the current billing period.

List audit events with optional filters: event type, actor ID, target ID, and date range. Paginated, newest first.

List all distinct event types that have been recorded in audit logs.

List security alerts with optional status and severity filters.

Acknowledge a security alert (marks it as seen).

Resolve a security alert (marks it as handled).

Get aggregate security statistics: counts by status and severity.

List all email template types, showing whether each uses a custom or default template.

Get the full email template (subject + TipTap JSON content) for a specific type.

Create or update a custom email template. Validates the template by rendering before saving.

Render a preview of an email template with sample variables. Returns HTML and substituted subject.

Delete a custom template, reverting to the built-in default.

List all RBAC resources defined for the project.

List all RBAC roles with their permission grants.

Create an RBAC resource with defined actions.

Create an RBAC role with permission grants across resources.

Get the current RBAC configuration state: all resources, roles, and conditions managed as code.

Check whether a specific user has a permission on a resource, based on their org membership and role.

Declaratively sync RBAC configuration. Creates, updates, or archives resources and roles to match the desired state.

Export all data for a specific end user: profile, sessions, audit events, and organization memberships. Useful for GDPR data subject requests.