Can I use Okta as a CLI?

Yes. KosmoKrator exposes a Okta CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Okta through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Okta tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Okta credentials stored?

Okta credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Okta MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

identity

Okta CLI for AI Agents

Use the Okta CLI from KosmoKrator to call Okta tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

10 functions 6 read 4 write API token auth

Submit Okta feedback View package source

Okta CLI Setup

Okta can be configured headlessly with `kosmokrator integrations:configure okta`.

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure okta --set api_token="$OKTA_API_TOKEN" --set domain="$OKTA_DOMAIN" --enable --read allow --write ask --json
kosmokrator integrations:doctor okta --json
kosmokrator integrations:status --json

Credentials

Authentication type: API token api_token. Configure credentials once, then use the same stored profile from scripts, coding CLIs, Lua code mode, and the MCP gateway.

Key	Env var	Type	Required	Label
`api_token`	`OKTA_API_TOKEN`	Secret `secret`	yes	API Token
`domain`	`OKTA_DOMAIN`	Text `string`	yes	Okta Domain

Call Okta Headlessly

Use the generic call form when another coding CLI or script needs a stable universal interface.

kosmo integrations:call okta.okta_list_users '{
  "limit": 1,
  "q": "example_q"
}' --json

Use the provider shortcut form for shorter human-facing commands.

kosmo integrations:okta okta_list_users '{
  "limit": 1,
  "q": "example_q"
}' --json

Agent Discovery Commands

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

kosmo integrations:docs okta --json
kosmo integrations:docs okta.okta_list_users --json
kosmo integrations:schema okta.okta_list_users --json
kosmo integrations:search "Okta" --json
kosmo integrations:list --json

All CLI Functions

Every function below can be called headlessly. The generic form is stable across all integrations; the provider shortcut is shorter but specific to Okta.

`okta.okta_list_users`

Read read

List users in the Okta organization. Returns user profiles with IDs, names, emails, and status. Supports search filtering by name or email.

Parameters: limit, q

Generic CLI call

kosmo integrations:call okta.okta_list_users '{"limit":1,"q":"example_q"}' --json

Provider shortcut

kosmo integrations:okta okta_list_users '{"limit":1,"q":"example_q"}' --json

`okta.okta_get_user`

Read read

Get details for a specific Okta user by ID or login email. Returns the full user profile including status, group memberships, and assigned applications.

Parameters: id

Generic CLI call

kosmo integrations:call okta.okta_get_user '{"id":"example_id"}' --json

Provider shortcut

kosmo integrations:okta okta_get_user '{"id":"example_id"}' --json

`okta.okta_get_current_user`

Read read

Get the profile of the currently authenticated Okta API token owner. Useful for verifying the integration connection and identifying which service account is in use.

Parameters: none

Generic CLI call

kosmo integrations:call okta.okta_get_current_user '{}' --json

Provider shortcut

kosmo integrations:okta okta_get_current_user '{}' --json

`okta.okta_create_user`

Write write

Create a new user in Okta. Requires a profile with at least firstName, lastName, email, and login. Optionally provide credentials (password) and control activation.

Parameters: profile, credentials, activate

Generic CLI call

kosmo integrations:call okta.okta_create_user '{"profile":"example_profile","credentials":"example_credentials","activate":true}' --json

Provider shortcut

kosmo integrations:okta okta_create_user '{"profile":"example_profile","credentials":"example_credentials","activate":true}' --json

`okta.okta_update_user`

Write write

Update an existing Okta user profile. Provide only the profile fields you want to change — other fields remain unchanged.

Parameters: id, profile, credentials

Generic CLI call

kosmo integrations:call okta.okta_update_user '{"id":"example_id","profile":"example_profile","credentials":"example_credentials"}' --json

Provider shortcut

kosmo integrations:okta okta_update_user '{"id":"example_id","profile":"example_profile","credentials":"example_credentials"}' --json

`okta.okta_deactivate_user`

Write write

Deactivate an Okta user. The user will be unable to sign in but their data is retained. This action can be reversed by reactivating the user in the Okta admin console.

Parameters: id

Generic CLI call

kosmo integrations:call okta.okta_deactivate_user '{"id":"example_id"}' --json

Provider shortcut

kosmo integrations:okta okta_deactivate_user '{"id":"example_id"}' --json

`okta.okta_list_groups`

Read read

List groups in the Okta organization. Returns group names and IDs. Supports search filtering by group name.

Parameters: q

Generic CLI call

kosmo integrations:call okta.okta_list_groups '{"q":"example_q"}' --json

Provider shortcut

kosmo integrations:okta okta_list_groups '{"q":"example_q"}' --json

`okta.okta_get_group`

Read read

Get details for a specific Okta group by ID. Returns the group name, description, and type.

Parameters: id

Generic CLI call

kosmo integrations:call okta.okta_get_group '{"id":"example_id"}' --json

Provider shortcut

kosmo integrations:okta okta_get_group '{"id":"example_id"}' --json

`okta.okta_add_user_to_group`

Write write

Add a user to an Okta group. The user will inherit the group's assigned applications and permissions.

Parameters: groupId, userId

Generic CLI call

kosmo integrations:call okta.okta_add_user_to_group '{"groupId":"example_groupId","userId":"example_userId"}' --json

Provider shortcut

kosmo integrations:okta okta_add_user_to_group '{"groupId":"example_groupId","userId":"example_userId"}' --json

`okta.okta_list_applications`

Read read

List applications in the Okta organization. Returns application names, IDs, statuses, and types.

Parameters: none

Generic CLI call

kosmo integrations:call okta.okta_list_applications '{}' --json

Provider shortcut

kosmo integrations:okta okta_list_applications '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

`okta.okta_list_users`

List users in the Okta organization. Returns user profiles with IDs, names, emails, and status. Supports search filtering by name or email.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_list_users --json

Parameter	Type	Required	Description
`limit`	integer	no	Maximum number of users to return (1–200, default: 200).
`q`	string	no	Search query to filter users by first name, last name, or email.

`okta.okta_get_user`

Get details for a specific Okta user by ID or login email. Returns the full user profile including status, group memberships, and assigned applications.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_get_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email address.

`okta.okta_get_current_user`

Get the profile of the currently authenticated Okta API token owner. Useful for verifying the integration connection and identifying which service account is in use.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_get_current_user --json

Parameter	Type	Required	Description
No parameters.

`okta.okta_create_user`

Create a new user in Okta. Requires a profile with at least firstName, lastName, email, and login. Optionally provide credentials (password) and control activation.

Operation: Write write
Schema command: kosmo integrations:schema okta.okta_create_user --json

Parameter	Type	Required	Description
`profile`	object	yes	User profile object. Required fields: firstName, lastName, email, login. Optional: mobilePhone, secondEmail, title, department, organization, etc.
`credentials`	object	no	User credentials. Example: {"password": {"value": "TempPass123!"}}. Omit to let Okta send an activation email.
`activate`	boolean	no	Whether to activate the user immediately (default: true). If false, the user is created in STAGED status.

`okta.okta_update_user`

Update an existing Okta user profile. Provide only the profile fields you want to change — other fields remain unchanged.

Operation: Write write
Schema command: kosmo integrations:schema okta.okta_update_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to update.
`profile`	object	yes	Updated profile fields. Only include fields you want to change (e.g., firstName, lastName, email, title, department, etc.).
`credentials`	object	no	Updated credentials (e.g., new password). Optional.

`okta.okta_deactivate_user`

Deactivate an Okta user. The user will be unable to sign in but their data is retained. This action can be reversed by reactivating the user in the Okta admin console.

Operation: Write write
Schema command: kosmo integrations:schema okta.okta_deactivate_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to deactivate.

`okta.okta_list_groups`

List groups in the Okta organization. Returns group names and IDs. Supports search filtering by group name.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_list_groups --json

Parameter	Type	Required	Description
`q`	string	no	Search query to filter groups by name.

`okta.okta_get_group`

Get details for a specific Okta group by ID. Returns the group name, description, and type.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_get_group --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta group ID.

`okta.okta_add_user_to_group`

Add a user to an Okta group. The user will inherit the group's assigned applications and permissions.

Operation: Write write
Schema command: kosmo integrations:schema okta.okta_add_user_to_group --json

Parameter	Type	Required	Description
`groupId`	string	yes	The Okta group ID.
`userId`	string	yes	The Okta user ID.

`okta.okta_list_applications`

List applications in the Okta organization. Returns application names, IDs, statuses, and types.

Operation: Read read
Schema command: kosmo integrations:schema okta.okta_list_applications --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.