Okta login toolkit with an interactive CLI and MCP session reuse

Project description

okta-auth

Alpha: this project is under active development. APIs, tool signatures, and session formats may change between releases.

okta-auth is an Okta login toolkit with two entry points:

  • okta: interactive CLI for humans
  • okta-auth: MCP server for AI agents that reuse saved sessions

Sessions are stored under ~/.okta-auth/sessions/. Existing sessions under ~/.okta-auth-mcp/sessions/ are migrated automatically.

Install

uv tool

uv tool install okta-auth-cli

pipx

pipx install okta-auth-cli

pip

pip install okta-auth-cli

Browser setup

The project uses Playwright for browser automation. It automatically prefers a local Chrome or Edge install when available.

If no supported system browser is found, install Playwright Chromium:

playwright install chromium

Upgrade

  • uv tool: uv tool upgrade okta-auth-cli
  • pipx: pipx upgrade okta-auth-cli
  • pip: pip install -U okta-auth-cli

Quick Start

1. Configure credentials

Run the built-in wizard:

okta config

If the wizard asks for a TOTP secret and you are not sure where to find it, see TOTP Secret.

The wizard supports two providers:

  • keyring: store credentials in the OS credential manager
  • op: generate ~/.okta-auth/op.env with op://... references for op run

Only non-secret settings such as the default URL and provider metadata are stored in ~/.okta-auth/config.json.

2. Log in

okta

Or pass a target URL directly:

okta https://portal.company.com

The login flow is headless by default. Use --headed to show the browser.

3. Reuse the session from MCP

Once configured, AI agents can authenticate with the saved session or with the credential provider you configured.

TOTP Secret

The TOTP secret is the Base32 key behind your authenticator app. You typically must capture it during initial MFA enrollment.

During Okta MFA setup

  1. Go to Settings -> Security Methods in Okta.
  2. Choose Google Authenticator or another TOTP-compatible factor.
  3. On the QR screen, click Can't scan?
  4. Copy the displayed Base32 secret.
  5. Complete enrollment by entering the generated code.

This project does not currently support portals that rely only on the Okta Verify push app for MFA.
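
To confirm that the Base32 secret copied in step 4 is the one the factor was enrolled with, you can derive a code from it locally and compare it with your authenticator app. The following is an added example, not code from okta-auth; it assumes the common authenticator-app defaults (HMAC-SHA1, 30-second step, 6 digits), which this page does not state explicitly.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_secret(secret: str) -> bytes:
    """Decode a Base32 TOTP secret, tolerating spaces, dashes, lowercase
    and missing '=' padding. The secret never appears in error messages."""
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty TOTP secret")
    cleaned += "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(cleaned)
    except binascii.Error:
        raise ValueError("TOTP secret is not valid Base32") from None


def totp(secret: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed default, see lead-in)."""
    key = decode_secret(secret)
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import getpass

    # Prompt without echo so the secret stays out of shell history and argv.
    print(totp(getpass.getpass("Base32 TOTP secret: ")))
```

Anyone who holds this secret can generate valid codes, which is why the wizard keeps it in the keyring or behind an op:// reference rather than in a plaintext file.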

If you already enrolled and lost the secret

You usually need to remove and re-enroll the authenticator factor to get a new secret.

Credential Setup

Credential resolution order is:

  1. Explicit CLI or MCP arguments
  2. Environment variables
  3. Stored keyring credentials when the selected provider is keyring

Recommended: OS keyring

This is the default and recommended local setup:

okta config --provider keyring

What gets stored:

  • username, password, totp_secret: OS keyring only
  • default_url: ~/.okta-auth/config.json

Typical keyring backends:

  • macOS: Keychain Access
  • Windows: Credential Manager / Credential Locker
  • Linux: Secret Service or KWallet

If no secure backend is available, the wizard refuses to fall back to plaintext.

1Password CLI

If you already manage secrets in 1Password:

okta config --provider op

What gets stored:

  • vault, item, field names, default_url: ~/.okta-auth/config.json
  • OKTA_USERNAME, OKTA_PASSWORD, optional OKTA_TOTP_SECRET references: ~/.okta-auth/op.env

The generated env file contains op://... references, not plaintext values.

Launch the CLI or MCP server through op run:

op run --env-file=$HOME/.okta-auth/op.env -- okta
op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth

1Password vault, item, and field names must be compatible with secret reference paths. If a name contains unsupported separators such as /, use the object's unique ID instead.
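
A quick way to check that an op.env file really holds only references, and that no vault, item, or field name has introduced extra path separators, is to lint it before use. This is an added example, not part of okta-auth; the function name and the sample file contents are constructed, and the check assumes the op://vault/item/[section/]field reference layout.

```python
import re

# op://<vault>/<item>/[<section>/]<field>: three or four non-empty segments.
REFERENCE = re.compile(r"^op://[^/]+/[^/]+(?:/[^/]+){1,2}$")


def lint_op_env(text: str) -> list:
    """Return (line_number, variable, problem) for each risky line.

    Values are never copied into the findings, so the report is safe to log.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip().strip("'\"")
        if not sep:
            findings.append((lineno, name, "not a KEY=value line"))
        elif not value.startswith("op://"):
            findings.append((lineno, name, "plaintext value, expected op:// reference"))
        elif not REFERENCE.match(value):
            # Too few or too many segments, e.g. a name that contains "/".
            findings.append((lineno, name, "malformed reference path"))
    return findings


# Constructed sample: line 2 holds a plaintext value, line 3 uses an item
# name with "/" in it, which splits into too many path segments.
SAMPLE = """\
OKTA_USERNAME=op://Personal/Okta MCP/username
OKTA_PASSWORD=constructed-plaintext-value
OKTA_TOTP_SECRET=op://Personal/Team/Okta/MCP/login/totp_secret
"""

if __name__ == "__main__":
    for lineno, name, problem in lint_op_env(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```

A single stray "/" that yields exactly four segments is indistinguishable from a section path, so a clean result does not replace testing the reference with op run.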

Environment variables

Environment variables are still supported for CI, ephemeral shells, or external secret managers. They override okta config values.

export OKTA_USERNAME="you@company.com"
export OKTA_PASSWORD="your-okta-password"
export OKTA_TOTP_SECRET="JBSWY3DPEHPK3PXP"

Manual 1Password setup

If you do not want to use the wizard, you can set up op run manually.

  1. Create a login item:

op item create --category login --title "Okta MCP" \
  username="you@company.com" \
  password="your-okta-password" \
  totp_secret="JBSWY3DPEHPK3PXP"

  2. Create ~/.okta-auth/op.env:

OKTA_USERNAME=op://Personal/Okta MCP/username
OKTA_PASSWORD=op://Personal/Okta MCP/password
OKTA_TOTP_SECRET=op://Personal/Okta MCP/totp_secret

  3. Launch through op run:

op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth

CLI

Common commands

  • okta [url]: log in and save a session
  • okta config: open the credential wizard
  • okta config --provider keyring: force keyring configuration
  • okta config --provider op: force 1Password configuration
  • okta config --show: show current config status
  • okta config --reset: remove saved config and credentials
  • okta check <url>: verify a stored session
  • okta list: list stored sessions
  • okta delete <url>: delete a stored session
  • okta cookies <url>: inspect stored cookies

Example

okta https://portal.company.com --username you@company.com --headed

MCP Server

MCP tools

Tool                  Description
okta_login            Authenticate to a target URL and store session state
okta_check_session    Verify whether a stored session is still valid
okta_list_sessions    List saved sessions and metadata
okta_delete_session   Remove a stored session
okta_get_cookies      Retrieve cookies from a stored session

Claude Code

claude mcp add okta-auth -- uvx --from okta-auth-cli okta-auth

If you use 1Password:

claude mcp add okta-auth -- op run --env-file=$HOME/.okta-auth/op.env -- uvx --from okta-auth-cli okta-auth

Claude Desktop / Cursor / Windsurf

Default:

{
  "mcpServers": {
    "okta-auth": {
      "command": "uvx",
      "args": ["--from", "okta-auth-cli", "okta-auth"]
    }
  }
}

With 1Password:

{
  "mcpServers": {
    "okta-auth": {
      "command": "op",
      "args": ["run", "--env-file=/Users/yourname/.okta-auth/op.env", "--", "uvx", "--from", "okta-auth-cli", "okta-auth"]
    }
  }
}

Use okta for the interactive CLI. Use okta-auth only when wiring the package into an MCP client.

Security

  • This project is intended for local trusted execution.
  • Session files and cookies are sensitive credentials.
  • Prefer okta config over passing credentials directly on the command line.
  • Prefer keyring or op run over plaintext shell files.
  • Never post cookie values, passwords, or TOTP secrets in issues or logs.
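
Because session files and cookies are credentials, it is worth checking that nothing under ~/.okta-auth is accessible to other local users. This is an added example, not part of okta-auth; it assumes a POSIX filesystem, and the page does not state which modes the tool itself applies.

```python
import stat
from pathlib import Path


def audit_private_tree(root: Path, fix: bool = False) -> list:
    """Report entries under root that group/other can access, plus symlinks.

    Returns (relative_path, finding) pairs. With fix=True, directories are
    tightened to 0700 and regular files to 0600; symlinks are only reported.
    """
    findings = []
    if not root.exists():
        return findings
    for path in [root, *sorted(root.rglob("*"))]:
        info = path.lstat()  # lstat: inspect the link itself, not its target
        rel = str(path.relative_to(root))
        if stat.S_ISLNK(info.st_mode):
            findings.append((rel, "symlink"))
            continue
        mode = stat.S_IMODE(info.st_mode)
        if mode & 0o077:  # any group or other permission bit set
            findings.append((rel, oct(mode)))
            if fix:
                path.chmod(0o700 if stat.S_ISDIR(info.st_mode) else 0o600)
    return findings


if __name__ == "__main__":
    # Default location named on this page; session files live below it.
    for rel, finding in audit_private_tree(Path.home() / ".okta-auth"):
        print(f"{finding:>8}  {rel}")
```

Run it once in report mode first; an unexpected symlink inside the sessions directory deserves a manual look rather than an automatic chmod.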

Development

uv venv && source .venv/bin/activate
uv pip install -e '.[dev]'
playwright install chromium

Run checks locally:

ruff format --check .
ruff check .
pytest


Source Distribution

okta_auth_cli-0.2.1.tar.gz (91.2 kB)

Uploaded Source

Built Distribution

okta_auth_cli-0.2.1-py3-none-any.whl (29.3 kB)

Uploaded Python 3

File details

Details for the file okta_auth_cli-0.2.1.tar.gz.

File metadata

  • Download URL: okta_auth_cli-0.2.1.tar.gz
  • Upload date:
  • Size: 91.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for okta_auth_cli-0.2.1.tar.gz
Algorithm Hash digest
SHA256 33d6cafa32326d77e5316cdee3450aa499379ec8fe707c1ff75e64f212c3821d
MD5 28c29e7ac8d1dd6a8fc3d974b72d1633
BLAKE2b-256 7b154ff13d5c2a08f8e9d0d5fca9e62f4586b4610b63c433543b1b431b5f346d

Provenance

The following attestation bundles were made for okta_auth_cli-0.2.1.tar.gz:

Publisher: release.yml on bunizao/okta-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file okta_auth_cli-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: okta_auth_cli-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 29.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for okta_auth_cli-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 2ef30803ddaf0f4e80b32241d9d20c5e04e0e15ccfc0cd005cd0505f2592eae1
MD5 47907ce6c945f786614294868abd866e
BLAKE2b-256 ba9746014e5f34b2affb2b36159c83bf6058c343fd082578f5510385eb9c8893

Provenance

The following attestation bundles were made for okta_auth_cli-0.2.1-py3-none-any.whl:

Publisher: release.yml on bunizao/okta-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
