# Admin Auditing MCP Server

> Let admins audit access with Opal using our Admin Auditing MCP server.

Opal's Admin Auditing MCP server provides a set of tools that enable admins to use AI agents to view Opal events and syncs, investigate access, and audit changes. Use cases include:

* Investigate historical access patterns and anomalous access
* Audit changes in organizational structure or role assignments
* Review sync errors and propagation status
* Monitor access requests and approvals
* Track user access reviews and compliance activities

## Installation

First, create an API Token in your Opal environment. Then, select a method and follow the instructions below.

<Info>
  If you run self-hosted, remember to replace [https://app.opal.dev](https://app.opal.dev) with your own
  domain.
</Info>

<Tabs>
  <Tab title="Claude Code">
    To install, run the following command in your shell:

    ```
    claude mcp add --transport http opal-admin-auditing https://app.opal.dev/mcp/admin-auditing --header "Authorization: Bearer ${OPAL_API_TOKEN}" 
    ```

    Then authenticate with Opal.

    ```
    claude /mcp
    ```

    To learn more, see Claude Code [documentation](https://code.claude.com/docs/en/mcp).
  </Tab>

  <Tab title="Cursor">
    To install, add the following to your `~/.cursor/mcp.json` file:

    ```
    {
      "mcpServers": {
        "opal-admin-auditing": {
          "transport": "http",
          "url": "https://app.opal.dev/mcp/admin-auditing",
          "headers": {
            "Authorization": "Bearer ${env:OPAL_API_TOKEN}"
          }
        }
      }
    }
    ```

    Define your `OPAL_API_TOKEN`, and make sure you open Cursor from the same shell.

    ```
    export OPAL_API_TOKEN="secret"
    ```

    ```
    open -a Cursor
    ```

    To learn more, see Cursor [documentation](https://cursor.com/docs/mcp).
  </Tab>

  <Tab title="Gemini CLI">
    To install, add the following to your `~/.gemini/settings.json` file:

    ```
    {
      "mcpServers": {
        "opal-admin-auditing": {
          "httpUrl": "https://app.opal.dev/mcp/admin-auditing",
          "headers": {
            "Authorization": "Bearer ${OPAL_API_TOKEN}"
          }
        }
      }
    }
    ```

    To learn more, see Gemini [documentation](https://geminicli.com/docs/tools/mcp-server/).
  </Tab>

  <Tab title="Other">
    MCP is an open protocol supported by many other clients; your client's documentation explains how to connect. Key inputs:

    * Transport: `http`
    * Endpoint: `https://app.opal.dev/mcp/admin-auditing`
    * Header: `Authorization: Bearer ${OPAL_API_TOKEN}`
  </Tab>
</Tabs>
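
A pre-flight check for the client configs above, as an added example that is not Opal's own code: it flags HTTP MCP entries whose `Authorization` header holds a literal token instead of an environment reference, or whose endpoint is not HTTPS. The function name `audit_mcp_config`, the sample server names, and the host `opal.internal.example` are assumptions constructed for illustration.

```python
import json
import re

# Accepts the two reference forms shown above: ${OPAL_API_TOKEN} and ${env:OPAL_API_TOKEN}.
ENV_REF = re.compile(r"^Bearer \$\{(?:env:)?[A-Za-z_][A-Za-z0-9_]*\}$")

# Constructed sample config (not a real deployment); hostnames and the token are placeholders.
SAMPLE = """
{
  "mcpServers": {
    "opal-admin-auditing": {
      "url": "https://app.opal.dev/mcp/admin-auditing",
      "headers": {"Authorization": "Bearer ${env:OPAL_API_TOKEN}"}
    },
    "pasted-token": {
      "url": "https://app.opal.dev/mcp/admin-auditing",
      "headers": {"Authorization": "Bearer CONSTRUCTED-PLACEHOLDER-TOKEN"}
    },
    "self-hosted": {
      "httpUrl": "http://opal.internal.example/mcp/admin-auditing",
      "headers": {"Authorization": "Bearer ${OPAL_API_TOKEN}"}
    }
  }
}
"""


def audit_mcp_config(text):
    """Return (server_name, finding) pairs for HTTP servers in an mcpServers document."""
    findings = []
    for name, cfg in json.loads(text).get("mcpServers", {}).items():
        url = cfg.get("url") or cfg.get("httpUrl")
        if not url:
            continue  # stdio-style entries carry no URL or bearer header to check
        if not url.startswith("https://"):
            findings.append((name, "endpoint is not HTTPS, so the bearer token is sent in cleartext"))
        auth = cfg.get("headers", {}).get("Authorization")
        if auth is None:
            findings.append((name, "no Authorization header configured"))
        elif not ENV_REF.match(auth):
            findings.append((name, "Authorization is a literal value, not an environment reference"))
    return findings


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE):
        print(f"{server}: {finding}")
```

Run it against `~/.cursor/mcp.json` or `~/.gemini/settings.json` by passing the file's contents to `audit_mcp_config`; an empty result means every HTTP entry uses HTTPS and an environment reference.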

## Available Tools

| Tool                                        | Description                                                                                                                          |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `opal_get_resource`                         | Retrieves a resource.                                                                                                                |
| `opal_get_resources`                        | Returns a list of resources for your organization.                                                                                   |
| `opal_get_sync_errors`                      | Returns a list of recent sync errors that have occurred since the last successful sync.                                              |
| `opal_get_resource_visibility`              | Gets the visibility of this resource.                                                                                                |
| `opal_get_uar`                              | Retrieves a specific UAR.                                                                                                            |
| `opal_get_ua_rs`                            | Returns a list of `UAR` objects.                                                                                                     |
| `opal_get_on_call_schedules`                | Returns a list of `OnCallSchedule` objects.                                                                                          |
| `opal_get_message_channels`                 | Returns a list of `MessageChannel` objects.                                                                                          |
| `opal_get_tags`                             | Returns a list of tags created by your organization.                                                                                 |
| `opal_sessions`                             | Returns a list of `Session` objects.                                                                                                 |
| `opal_get_user_tags`                        | Returns all tags applied to the user.                                                                                                |
| `opal_get_users`                            | Returns a list of users for your organization.                                                                                       |
| `opal_get_resource_scoped_role_permissions` | Returns all the scoped role permissions that apply to the given resource. Only `OPAL_SCOPED_ROLE` resource type supports this field. |
| `opal_get_resource_tags`                    | Returns all tags applied to the resource.                                                                                            |
| `opal_get_resource_nhis`                    | Gets the list of non-human identities with access to this resource.                                                                  |
| `opal_get_resource_users`                   | Gets the list of users for this resource.                                                                                            |
| `opal_get_nhis`                             | Returns a list of non-human identities for your organization.                                                                        |
| `opal_get_resource_reviewer_stages`         | Gets the list of reviewer stages for a resource.                                                                                     |
| `opal_get_resource_reviewers`               | Gets the list of owner IDs of the reviewers for a resource.                                                                          |
| `opal_get_resource_message_channels`        | Gets the list of audit message channels attached to a resource.                                                                      |
| `opal_get_requests`                         | Returns a list of requests for your organization that are visible to the admin.                                                      |
| `opal_get_request`                          | Returns a request by ID.                                                                                                             |
| `opal_get_owner_users`                      | Gets the list of users for this owner, in escalation priority order if applicable.                                                   |
| `opal_get_owners`                           | Returns a list of `Owner` objects.                                                                                                   |
| `opal_get_idp_group_mappings`               | Returns the configured set of available `IdpGroupMapping` objects for an Okta app.                                                   |
| `opal_get_group_users`                      | Gets the list of users for this group.                                                                                               |
| `opal_get_group_visibility`                 | Gets the visibility of this group.                                                                                                   |
| `opal_events`                               | Returns a list of `Event` objects.                                                                                                   |
| `opal_get_groups`                           | Returns a list of groups for your organization.                                                                                      |
| `opal_get_group_containing_groups`          | Gets the list of groups that the group gives access to.                                                                              |
| `opal_get_group_on_call_schedules`          | Gets the list of on call schedules attached to a group.                                                                              |
| `opal_get_group_resources`                  | Gets the list of resources that the group gives access to.                                                                           |
| `opal_get_group_message_channels`           | Gets the list of audit and reviewer message channels attached to a group.                                                            |
| `opal_get_bundle_groups`                    | Returns a list of `Group` objects in a given bundle.                                                                                 |
| `opal_get_bundle_visibility`                | Gets the visibility of the bundle.                                                                                                   |
| `opal_get_bundle_resources`                 | Returns a list of `Resource` objects in a given bundle.                                                                              |
| `opal_get_apps`                             | Returns a list of `App` objects.                                                                                                     |
| `opal_get_configuration_templates`          | Returns a list of `ConfigurationTemplate` objects.                                                                                   |
| `opal_get_bundles`                          | Returns a list of `Bundle` objects.                                                                                                  |
