Skip to main content
Opal offers specialized Model Context Protocol (MCP) servers that allow your AI agents to interact with Opal through Opal’s REST API. These servers are generated using Speakeasy Gram, which transforms OpenAPI specifications into MCP servers optimized for AI interactions. With these MCP servers, AI assistants can help you manage access control through natural language:
“Show me all users in the Engineering group.” “Create an access request for the Production database.” “What access changes happened to our AWS resources this week?” “Which users have access to financial reporting resources?”

Available MCP Servers

Opal provides three specialized MCP servers, each designed for specific use cases:

Admin User Provisioning

Purpose: Manage user access in Opal. View user permissions and add or remove access to resources and groups. Use cases:
  • Generate an overview of a user’s access across resources and groups
  • Add or remove users from resources and groups
  • Update user access levels and durations
  • Manage group memberships
Installation: Admin User Provisioning MCP Server

Admin Access Investigation and Auditing

Purpose: View Opal events and syncs to investigate access and audit changes. Use cases:
  • Investigate historical access patterns and anomalous access
  • Audit changes in organizational structure or role assignments
  • Review sync errors and propagation status
  • Monitor access requests and approvals
  • Track user access reviews and compliance activities
Installation: Admin Access Investigation and Auditing MCP Server

End User Self-Service

Purpose: Request access to Opal resources, groups, and bundles. Use cases:
  • Browse available resources, groups, and bundles
  • Create access requests for yourself or as part of a workflow
  • Check request status and view your current access
  • Use in combination with other MCP servers (e.g., request access to Retool, then use Retool’s MCP server to query data)
Installation: End User Self-Service MCP Server

Legacy Server (Full API Access)

For users who need access to the complete Opal API surface or prefer local-only execution, the general-purpose MCP server remains available. Installation: opal-mcp on GitHub

Requirements

To set up any MCP server, you’ll need:
  • Opal Admin permissions (for Admin servers) or a standard Opal user account (for End User Self-Service)
  • An Opal API key
  • An MCP-compatible client such as Claude Desktop, Cursor, or VS Code
For servers that create or modify objects, set the API key scope to Full access.

Installation

Each MCP server has its own installation page with step-by-step instructions for different clients:
  1. Visit the installation page for the server you want to use
  2. Select your client (Cursor, Claude Desktop, VS Code, etc.)
  3. Follow the installation instructions
  4. Configure your Opal API key when prompted
The installation pages provide client-specific configuration details and raw MCP configuration for clients not listed.

Audit requests performed by MCP agents

Requests and actions performed by MCP agents are logged the same as requests performed by users—you can filter the events table by API key to see requests made by the given agent. You may want to add context to your request reasons to indicate they’re created by an MCP agent. For example, with Cursor, you could add a rule to include a message in all request reasons that the request was created by an MCP agent.