Understanding Scopes
For security purposes, the Auth0 Model Context Protocol (MCP) server grants no scopes by default, and required scopes must be requested during initialization. After your server is initialized, you can manually set scopes using a glob pattern, as in the examples below:
```bash
# Select all read scopes
npx @auth0/auth0-mcp-server init --scopes 'read:*'
# Select multiple scope patterns (comma-separated)
npx @auth0/auth0-mcp-server init --scopes 'read:*,create:clients,update:actions'
```
Depending on the type of management operation or tool you wish to use, you may need to request additional scopes to successfully execute the MCP operation on your client. Below are the available scopes.
Management operation scopes
Management Operation | MCP Tool | Required Scope | Potential Implications |
---|---|---|---|
Get details about a specific Auth0 application | auth0_get_application | read:clients | Allows viewing potentially sensitive application configuration details |
Create a new Auth0 application | auth0_create_application | create:clients | Enables creating new applications that could be used for authentication flows |
Update an existing Auth0 application | auth0_update_application | update:clients | Can modify critical application settings, potentially disrupting authentication for users |
List all resource servers (APIs) in the Auth0 tenant | auth0_list_resource_servers | read:resource_servers | Exposes all API configurations and their scopes |
Get details about a specific Auth0 resource server | auth0_get_resource_server | read:resource_servers | Reveals API configuration details including signing algorithms and token settings |
Create a new Auth0 resource server (API) | auth0_create_resource_server | create:resource_servers | Allows defining new APIs and scopes that could be used for access control |
Update an existing Auth0 resource server (API) | auth0_update_resource_server | update:resource_servers | Can modify API configurations, potentially affecting applications that rely on those APIs |
List all actions in the Auth0 tenant | auth0_list_actions | read:actions | Reveals all custom code that runs during authentication flows |
Get details about a specific Auth0 action | auth0_get_action | read:actions | Exposes custom code and logic for authentication flows |
Create a new Auth0 action | auth0_create_action | create:actions | Allows creation of custom code that can modify authentication flows and user data |
Update an existing Auth0 action | auth0_update_action | update:actions | Can modify custom code that affects authentication security and behavior |
Deploy an Auth0 action | auth0_deploy_action | update:actions | Pushes custom code into production, potentially affecting all users' authentication experience |
List logs from the Auth0 tenant | auth0_list_logs | read:logs | Exposes detailed information about user activity, failed logins, and security events |
Get a specific log entry by ID | auth0_get_log | read:logs | Provides detailed data about specific authentication events, potentially including PII |
List all forms in the Auth0 tenant | auth0_list_forms | read:forms | Reveals custom form configurations for login, registration, and password reset |
Get details about a specific Auth0 form | auth0_get_form | read:forms | Exposes detailed form configuration including field validation and design |
Create a new Auth0 form | auth0_create_form | create:forms | Allows creation of custom authentication forms that collect user data |
Update an existing Auth0 form | auth0_update_form | update:forms | Can modify user-facing forms, potentially affecting authentication experience |
Publish an Auth0 form | auth0_publish_form | update:forms | Makes form changes live for all users, potentially affecting production authentication |
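
To review a `--scopes` value before granting it, the following added example (not part of the Auth0 documentation or the server's own code) expands the glob patterns against a constructed subset of the table above and lists the tools the grant unlocks, separating those that can change the tenant. It assumes `*` matches any run of characters; `TOOL_SCOPES`, `globToRegExp`, `expandScopes` and `reviewGrant` are hypothetical names.

```javascript
// Constructed subset of the table on this page: MCP tool -> required scope.
const TOOL_SCOPES = {
  auth0_get_application: "read:clients",
  auth0_create_application: "create:clients",
  auth0_update_application: "update:clients",
  auth0_list_actions: "read:actions",
  auth0_get_action: "read:actions",
  auth0_create_action: "create:actions",
  auth0_update_action: "update:actions",
  auth0_deploy_action: "update:actions",
  auth0_list_logs: "read:logs",
  auth0_get_log: "read:logs",
  auth0_publish_form: "update:forms",
};

// Assumption: '*' matches any run of characters; everything else is literal.
function globToRegExp(glob) {
  const escaped = glob.trim().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Expand a comma-separated --scopes value into the concrete scopes it grants.
function expandScopes(scopesArg) {
  const patterns = scopesArg.split(",").filter((p) => p.trim()).map(globToRegExp);
  const known = [...new Set(Object.values(TOOL_SCOPES))];
  return known.filter((s) => patterns.some((re) => re.test(s))).sort();
}

// Report which tools the grant unlocks and which of them can change the tenant.
function reviewGrant(scopesArg) {
  const granted = new Set(expandScopes(scopesArg));
  const tools = Object.keys(TOOL_SCOPES).filter((t) => granted.has(TOOL_SCOPES[t]));
  const writeTools = tools.filter((t) => !TOOL_SCOPES[t].startsWith("read:"));
  return { scopes: [...granted], tools, writeTools };
}

console.log(reviewGrant("read:*,create:clients,update:actions"));
```

For the second pattern shown earlier, the single `update:actions` scope unlocks both `auth0_update_action` and `auth0_deploy_action`, so a grant intended for editing also permits pushing code to production.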