Skip to content
Kotauth

Tool Reference

This page documents every tool exposed by @kotauth/mcp. Tools are grouped by domain and follow the same resource model as the REST API.

All tools require a valid API key with the appropriate scope. Calling a tool without the required scope returns a 403 Forbidden error.

Users

Section titled “Users”

Read scope: users:read · Write scope: users:write

list_users

Section titled “list_users”

List users in the workspace with optional filtering.

ParameterTypeRequiredDescription
searchstringNoFilter by username, email, or name prefix

Returns a paginated list of user objects.

get_user

Section titled “get_user”

Get detailed information about a specific user.

ParameterTypeRequiredDescription
userIdintegerYesUser ID

Returns the full user object including email verification and MFA status.

create_user

Section titled “create_user”

Create a new user in the workspace.

ParameterTypeRequiredDescription
usernamestringYesUnique username (alphanumeric, dots, underscores, hyphens)
emailstringYesEmail address
fullNamestringNoDisplay name
passwordstringYesInitial password (min 4 characters)

Returns the created user object. The username must be unique within the workspace.

update_user

Section titled “update_user”

Update an existing user’s profile.

ParameterTypeRequiredDescription
userIdintegerYesUser ID
emailstringNoNew email address
fullNamestringNoNew display name

Omitted fields retain their current values (partial update).

disable_user

Section titled “disable_user”

Soft-delete a user. The user’s data is preserved but they can no longer authenticate.

ParameterTypeRequiredDescription
userIdintegerYesUser ID to disable

assign_user_role

Section titled “assign_user_role”

Assign a role to a user.

ParameterTypeRequiredDescription
userIdintegerYesUser ID
roleIdintegerYesRole ID to assign

remove_user_role

Section titled “remove_user_role”

Remove a role from a user.

ParameterTypeRequiredDescription
userIdintegerYesUser ID
roleIdintegerYesRole ID to remove

Roles

Section titled “Roles”

Read scope: roles:read · Write scope: roles:write

list_roles

Section titled “list_roles”

List all roles in the workspace with their scope and description.

No parameters.

create_role

Section titled “create_role”

Create a new role.

ParameterTypeRequiredDescription
namestringYesRole name (alphanumeric, dots, underscores, hyphens)
descriptionstringNoHuman-readable description
scopestringNo"tenant" (default) or "client"

delete_role

Section titled “delete_role”

Permanently delete a role. Users and groups that had this role lose it immediately.

ParameterTypeRequiredDescription
roleIdintegerYesRole ID to delete

Groups

Section titled “Groups”

Read scope: groups:read · Write scope: groups:write

list_groups

Section titled “list_groups”

List all groups with their hierarchy and parent relationships.

No parameters.

create_group

Section titled “create_group”

Create a new group, optionally nested under a parent.

ParameterTypeRequiredDescription
namestringYesGroup name
descriptionstringNoGroup description
parentGroupIdintegerNoParent group ID for nesting

delete_group

Section titled “delete_group”

Delete a group. Members lose any roles inherited through this group.

ParameterTypeRequiredDescription
groupIdintegerYesGroup ID to delete

manage_group_member

Section titled “manage_group_member”

Add or remove a user from a group. Users inherit all roles assigned to their groups.

ParameterTypeRequiredDescription
groupIdintegerYesGroup ID
userIdintegerYesUser ID
actionstringYes"add" or "remove"

Applications

Section titled “Applications”

Read scope: applications:read · Write scope: applications:write

list_applications

Section titled “list_applications”

List all OAuth2/OIDC clients registered in the workspace.

No parameters.

update_application

Section titled “update_application”

Update an OAuth application’s configuration.

ParameterTypeRequiredDescription
applicationIdintegerYesApplication ID
namestringNoNew application name
descriptionstringNoNew description
accessTypestringNo"public" or "confidential"
redirectUrisstring[]NoAllowed redirect URIs

Omitted fields retain their current values (partial update).

Sessions

Section titled “Sessions”

Read scope: sessions:read · Write scope: sessions:write

list_sessions

Section titled “list_sessions”

List all active sessions in the workspace with IP addresses and expiry times.

No parameters.

revoke_session

Section titled “revoke_session”

Force-terminate a session. The user must re-authenticate.

ParameterTypeRequiredDescription
sessionIdintegerYesSession ID to revoke

Audit Logs

Section titled “Audit Logs”

Read scope: audit_logs:read

query_audit_logs

Section titled “query_audit_logs”

Query the immutable audit log with optional filters.

ParameterTypeRequiredDescription
eventTypestringNoFilter by event type (e.g. LOGIN_SUCCESS, ADMIN_USER_CREATED)
userIdintegerNoFilter by user ID
limitintegerNoNumber of events to return (1–200, default: 50)
offsetintegerNoPagination offset (default: 0)

Common event types include: LOGIN_SUCCESS, LOGIN_FAILED, ADMIN_USER_CREATED, ADMIN_USER_UPDATED, ADMIN_ROLE_ASSIGNED, MFA_ENROLLMENT_STARTED, SESSION_REVOKED, PASSWORD_RESET_COMPLETED.

User Attributes

Section titled “User Attributes”

Read scope: user_attributes:read · Write scope: user_attributes:write

list_user_attributes

Section titled “list_user_attributes”

List all custom attributes for a user. Returns a key-value map.

ParameterTypeRequiredDescription
userIdintegerYesUser ID

set_user_attribute

Section titled “set_user_attribute”

Set a key-value attribute on a user. Creates the attribute if it doesn’t exist, updates it if it does.

ParameterTypeRequiredDescription
userIdintegerYesUser ID
keystringYesAttribute key (max 64 chars)
valuestringYesAttribute value (max 1024 chars)

If a claim mapper exists for this key, the value will appear in newly issued JWTs.

delete_user_attribute

Section titled “delete_user_attribute”

Remove an attribute from a user.

ParameterTypeRequiredDescription
userIdintegerYesUser ID
keystringYesAttribute key to delete

Claim Mappers

Section titled “Claim Mappers”

Read scope: claim_mappers:read · Write scope: claim_mappers:write

list_claim_mappers

Section titled “list_claim_mappers”

List all claim mappers configured for the workspace.

No parameters.

set_claim_mapper

Section titled “set_claim_mapper”

Create or update a claim mapper. Maps a user attribute key to a JWT claim name.

ParameterTypeRequiredDescription
attributeKeystringYesUser attribute key to map
claimNamestringYesJWT claim name (max 128 chars, must not be a reserved OIDC claim)
includeInAccessbooleanNoInclude in access tokens (default: true)
includeInIdbooleanNoInclude in ID tokens (default: false)

delete_claim_mapper

Section titled “delete_claim_mapper”

Remove a claim mapper. The mapped claim will no longer appear in newly issued tokens.

ParameterTypeRequiredDescription
attributeKeystringYesAttribute key of the mapper to delete

Error handling

Section titled “Error handling”

All tools return structured errors following RFC 9457 Problem Details:

{
  "type": "https://kotauth.dev/errors/403",
  "title": "Forbidden",
  "status": 403,
  "detail": "API key does not have the required scope: users:write"
}

Common error scenarios:

StatusCause
401Invalid or missing API key
403API key lacks the required scope
404Resource not found (wrong ID or workspace)
409Conflict — duplicate username or role name
422Validation error — invalid email format, password too short, etc.