MCP server for Authentik API with diagnostic and read-only capabilities
Authentik Diagnostic MCP Server
A Model Context Protocol (MCP) server that provides read-only diagnostic and monitoring capabilities for Authentik instances. This server is designed specifically for monitoring, troubleshooting, and gaining insights into your Authentik deployment without making any modifications.
Features
Event Monitoring & Audit Logs
- Comprehensive event tracking and audit trail analysis
- Real-time monitoring of authentication events
- Event filtering and search capabilities
- Historical event analysis for troubleshooting
User Information (Read-Only)
- User account status monitoring
- User activity tracking
- Group membership analysis
- Authentication history review
System Health Monitoring
- System configuration review
- Version and build information
- Health status checks
- Configuration drift detection
Application Status Monitoring
- Application availability monitoring
- Provider status tracking
- Flow execution monitoring
- Integration health checks
Diagnostic Capabilities
- Issue identification and analysis
- Performance monitoring
- Security event analysis
- Compliance reporting
Installation
Using pip
pip install authentik-diag-mcp
Using uv
uv add authentik-diag-mcp
Usage
Command Line
authentik-diag-mcp --base-url https://your-authentik-instance.com --token your-readonly-token
Configuration Options
- --base-url: Base URL of your Authentik instance (required)
- --token: Authentik API token with read permissions (required)
- --no-verify-ssl: Disable SSL certificate verification
Environment Variables
export AUTHENTIK_BASE_URL=https://your-authentik-instance.com
export AUTHENTIK_TOKEN=your-readonly-token
API Token Setup
For diagnostic purposes, create a token with minimal read-only permissions:
- Log in to your Authentik instance as an administrator
- Navigate to Directory > Tokens
- Click Create to create a new token
- Set Intent to "API"
- Choose minimal read permissions (no write/delete permissions needed)
- Copy the generated token for use with this diagnostic server
Available Diagnostic Tools
Event Monitoring
- authentik_list_events - List system events with advanced filtering
- authentik_get_event - Get detailed event information
- authentik_search_events - Search events by context and criteria
- authentik_get_user_events - Get events for specific users
User Information (Read-Only)
- authentik_get_user_info - Get user information for diagnostics
- authentik_list_users_info - List users with basic information
- authentik_get_user_events - Analyze user-specific events
Group Information (Read-Only)
- authentik_get_group_info - Get group information for diagnostics
- authentik_list_groups_info - List groups with membership details
- authentik_get_group_members - Analyze group membership
Application Status (Read-Only)
- authentik_get_application_status - Check application health
- authentik_list_applications_status - Monitor all applications
Flow Status (Read-Only)
- authentik_get_flow_status - Check flow execution status
- authentik_list_flows_status - Monitor all authentication flows
System Health
- authentik_get_system_config - Review system configuration
- authentik_get_version_info - Get version and build information
Provider Status (Read-Only)
- authentik_list_providers_status - Monitor provider health
- authentik_get_provider_status - Check specific provider status
Resources
Access to read-only diagnostic resources:
- authentik://events - Event monitoring and audit logs
- authentik://users/info - User information for diagnostics
- authentik://groups/info - Group information for diagnostics
- authentik://applications/status - Application status monitoring
- authentik://flows/status - Flow status monitoring
- authentik://system/health - System health information
Example Usage
# Monitor recent authentication events
events = await authentik_list_events({
    "action": "login",
    "ordering": "-created",
    "page_size": 20
})

# Check user account status
user_info = await authentik_get_user_info({"user_id": 123})

# Analyze failed login attempts
failed_logins = await authentik_search_events({
    "search": "failed",
    "action": "login_failed"
})

# Get system health information
system_config = await authentik_get_system_config()

# Monitor application status
app_status = await authentik_list_applications_status()
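One way to turn the failed-login query above into a detection, as an added example that is not part of the project's code: it groups login_failed events by source IP in a sliding window and separates brute force from password spraying. The event field names (client_ip, created, context.username), the thresholds and the sample events are assumptions constructed for illustration; check them against what your instance returns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ip, minute, second, user, action="login_failed"):
    # Constructed sample event; the field names are assumptions (see lead-in).
    return {"action": action, "client_ip": ip,
            "created": f"2025-01-10T08:{minute:02d}:{second:02d}Z",
            "context": {"username": user}}

SAMPLE_EVENTS = (
    [_ev("203.0.113.7", 0, s * 10, "alice") for s in range(6)]   # one account hammered
    + [_ev("198.51.100.23", 1, i * 5, u)                         # many accounts, one source
       for i, u in enumerate(["alice", "bob", "carol", "dave"])]
    + [_ev("192.0.2.10", 0, 0, "bob"), _ev("192.0.2.10", 40, 0, "bob")]  # ordinary typos
    + [_ev("203.0.113.7", 2, 0, "alice", action="login")]        # success, ignored
)

def flag_sources(events, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Map client IP -> reason for sources whose failed logins inside any
    sliding window look like brute force or password spraying."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("action") != "login_failed" or not ev.get("client_ip"):
            continue
        ts = datetime.fromisoformat(ev["created"].replace("Z", "+00:00"))
        user = (ev.get("context") or {}).get("username") or ""
        by_ip[ev["client_ip"]].append((ts, user))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            if len({u for _, u in span}) >= max_users:
                flagged[ip] = "password_spraying"   # distinct usernames, same IP
                break
            if len(span) >= max_failures:
                flagged[ip] = "brute_force"         # repeated failures, few accounts
    return flagged

if __name__ == "__main__":
    for ip, reason in flag_sources(SAMPLE_EVENTS).items():
        print(ip, reason)
```
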
Monitoring Use Cases
Security Monitoring
- Track failed authentication attempts
- Monitor suspicious login patterns
- Analyze access violations
- Review privilege escalations
Performance Analysis
- Identify slow authentication flows
- Monitor API response times
- Analyze user experience metrics
- Track system performance trends
Compliance Reporting
- Generate audit reports
- Track user access patterns
- Monitor data access events
- Compliance verification
Troubleshooting
- Diagnose authentication issues
- Identify configuration problems
- Analyze user experience issues
- Debug integration problems
Security Features
Read-Only Design
- No write operations supported
- Safe for production monitoring
- Minimal permissions required
- No data modification risk
Audit Trail
- All diagnostic queries are logged
- Tracking of monitoring activities
- Compliance with audit requirements
- Transparent operation logging
Best Practices
Token Management
- Use dedicated read-only tokens
- Rotate tokens regularly
- Monitor token usage
- Restrict token scope
Monitoring Strategy
- Regular health checks
- Automated alerting
- Trend analysis
- Proactive monitoring
Security
- Always use HTTPS
- Verify SSL certificates
- Monitor access logs
- Implement rate limiting
Development
Local Development
git clone https://github.com/goauthentik/authentik-diag-mcp
cd authentik-diag-mcp/python/authentik-diag-mcp
uv sync
uv run authentik-diag-mcp --base-url http://localhost:9000 --token your-token
Testing
uv run pytest
Code Quality
uv run black src/
uv run isort src/
uv run ruff check src/
uv run mypy src/
License
MIT License - see LICENSE file for details.
Support
Contributing
We welcome contributions! Please see our Contributing Guide for details.
Changelog
See CHANGELOG.md for version history and changes.
File details
Details for the file authentik_diag_mcp-0.1.1.tar.gz.
File metadata
- Download URL: authentik_diag_mcp-0.1.1.tar.gz
- Upload date:
- Size: 8.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.7.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4b52bcf9961f7000f8d50b5297e91a0d5ee75d2aba8507efa4fb87843a670dfe |
| MD5 | 7d93212ff9307e013e1d0567cd170b08 |
| BLAKE2b-256 | 4b18e36869efeb2eec880965396254afb5c73054dbf65d780811c78269836aea |
File details
Details for the file authentik_diag_mcp-0.1.1-py3-none-any.whl.
File metadata
- Download URL: authentik_diag_mcp-0.1.1-py3-none-any.whl
- Upload date:
- Size: 8.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.7.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c1d7c27da17e545377c9cb281592b0b0df812f3eb063e8c7d90109743c075ecb |
| MD5 | f1414d2d346d3a8dc2995e013dad8933 |
| BLAKE2b-256 | 02ae767aa2fc1d51ca9ecf92791784e8155c47b12f40cca1227b0af03ac6d8b6 |