Can I use Okta as a CLI?

Yes. KosmoKrator exposes a Okta CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Okta through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Okta tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Okta credentials stored?

Okta credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Okta MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

Okta CLI for AI Agents

Use the Okta CLI from KosmoKrator to call Okta tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

Okta CLI Setup

Okta can be configured headlessly with `kosmokrator integrations:configure okta`.

Install, configure, and verify

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure okta --set api_token="$OKTA_API_TOKEN" --set domain="$OKTA_DOMAIN" --enable --read allow --write ask --json
kosmokrator integrations:doctor okta --json
kosmokrator integrations:status --json

Credentials

Authentication type: API token api_token. Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

Key	Env var	Type	Required	Label
`api_token`	`OKTA_API_TOKEN`	Secret `secret`	yes	API Token
`domain`	`OKTA_DOMAIN`	Text `string`	yes	Okta Domain

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call

kosmo integrations:call okta.okta_list_users '{"limit":1,"q":"example_q"}' --json

Provider shortcut

kosmo integrations:okta okta_list_users '{"limit":1,"q":"example_q"}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands

kosmo integrations:docs okta --json
kosmo integrations:docs okta.okta_list_users --json
kosmo integrations:schema okta.okta_list_users --json
kosmo integrations:search "Okta" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CI Run integration calls from CI jobs with JSON output, explicit credentials, and predictable exit status. Cron Jobs Schedule repeatable integration workflows from cron while keeping credentials in KosmoKrator config. Shell Scripts Call integration functions from shell scripts with stable JSON input and output. Headless Automation Use KosmoKrator as a non-interactive integration runtime for local automations and wrappers. Coding Agents Let coding agents discover schemas and execute integration functions through CLI commands or MCP.

CLI Functions

Every function below can be called headlessly. Commands are highlighted, copyable, and scroll horizontally when payloads are long.

`okta.okta_list_users`

List users in the Okta organization. Returns user profiles with IDs, names, emails, and status. Supports search filtering by name or email.

Read read

Parameters: limit, q

Generic call

kosmo integrations:call okta.okta_list_users '{"limit":1,"q":"example_q"}' --json

Shortcut

kosmo integrations:okta okta_list_users '{"limit":1,"q":"example_q"}' --json

`okta.okta_get_user`

Get details for a specific Okta user by ID or login email. Returns the full user profile including status, group memberships, and assigned applications.

Read read

Parameters: id

Generic call

kosmo integrations:call okta.okta_get_user '{"id":"example_id"}' --json

Shortcut

kosmo integrations:okta okta_get_user '{"id":"example_id"}' --json

`okta.okta_get_current_user`

Get the profile of the currently authenticated Okta API token owner. Useful for verifying the integration connection and identifying which service account is in use.

Read read

Parameters: none

Generic call

kosmo integrations:call okta.okta_get_current_user '{}' --json

Shortcut

kosmo integrations:okta okta_get_current_user '{}' --json

`okta.okta_create_user`

Create a new user in Okta. Requires a profile with at least firstName, lastName, email, and login. Optionally provide credentials (password) and control activation.

Write write

Parameters: profile, credentials, activate

Generic call

kosmo integrations:call okta.okta_create_user '{"profile":"example_profile","credentials":"example_credentials","activate":true}' --json

Shortcut

kosmo integrations:okta okta_create_user '{"profile":"example_profile","credentials":"example_credentials","activate":true}' --json

`okta.okta_update_user`

Update an existing Okta user profile. Provide only the profile fields you want to change — other fields remain unchanged.

Write write

Parameters: id, profile, credentials

Generic call

kosmo integrations:call okta.okta_update_user '{"id":"example_id","profile":"example_profile","credentials":"example_credentials"}' --json

Shortcut

kosmo integrations:okta okta_update_user '{"id":"example_id","profile":"example_profile","credentials":"example_credentials"}' --json

`okta.okta_deactivate_user`

Deactivate an Okta user. The user will be unable to sign in but their data is retained. This action can be reversed by reactivating the user in the Okta admin console.

Write write

Parameters: id

Generic call

kosmo integrations:call okta.okta_deactivate_user '{"id":"example_id"}' --json

Shortcut

kosmo integrations:okta okta_deactivate_user '{"id":"example_id"}' --json

`okta.okta_list_groups`

List groups in the Okta organization. Returns group names and IDs. Supports search filtering by group name.

Read read

Parameters: q

Generic call

kosmo integrations:call okta.okta_list_groups '{"q":"example_q"}' --json

Shortcut

kosmo integrations:okta okta_list_groups '{"q":"example_q"}' --json

`okta.okta_get_group`

Get details for a specific Okta group by ID. Returns the group name, description, and type.

Read read

Parameters: id

Generic call

kosmo integrations:call okta.okta_get_group '{"id":"example_id"}' --json

Shortcut

kosmo integrations:okta okta_get_group '{"id":"example_id"}' --json

`okta.okta_add_user_to_group`

Add a user to an Okta group. The user will inherit the group's assigned applications and permissions.

Write write

Parameters: groupId, userId

Generic call

kosmo integrations:call okta.okta_add_user_to_group '{"groupId":"example_groupId","userId":"example_userId"}' --json

Shortcut

kosmo integrations:okta okta_add_user_to_group '{"groupId":"example_groupId","userId":"example_userId"}' --json

`okta.okta_list_applications`

List applications in the Okta organization. Returns application names, IDs, statuses, and types.

Read read

Parameters: none

Generic call

kosmo integrations:call okta.okta_list_applications '{}' --json

Shortcut

kosmo integrations:okta okta_list_applications '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

okta.okta_list_users 2 parameters

Schema command

kosmo integrations:schema okta.okta_list_users --json

Parameter	Type	Required	Description
`limit`	integer	no	Maximum number of users to return (1–200, default: 200).
`q`	string	no	Search query to filter users by first name, last name, or email.

okta.okta_get_user 1 parameters

Schema command

kosmo integrations:schema okta.okta_get_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email address.

okta.okta_get_current_user 0 parameters

Schema command

kosmo integrations:schema okta.okta_get_current_user --json

Parameter	Type	Required	Description
No parameters.

okta.okta_create_user 3 parameters

Schema command

kosmo integrations:schema okta.okta_create_user --json

Parameter	Type	Required	Description
`profile`	object	yes	User profile object. Required fields: firstName, lastName, email, login. Optional: mobilePhone, secondEmail, title, department, organization, etc.
`credentials`	object	no	User credentials. Example: {"password": {"value": "TempPass123!"}}. Omit to let Okta send an activation email.
`activate`	boolean	no	Whether to activate the user immediately (default: true). If false, the user is created in STAGED status.

okta.okta_update_user 3 parameters

Schema command

kosmo integrations:schema okta.okta_update_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to update.
`profile`	object	yes	Updated profile fields. Only include fields you want to change (e.g., firstName, lastName, email, title, department, etc.).
`credentials`	object	no	Updated credentials (e.g., new password). Optional.

okta.okta_deactivate_user 1 parameters

Schema command

kosmo integrations:schema okta.okta_deactivate_user --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to deactivate.

okta.okta_list_groups 1 parameters

Schema command

kosmo integrations:schema okta.okta_list_groups --json

Parameter	Type	Required	Description
`q`	string	no	Search query to filter groups by name.

okta.okta_get_group 1 parameters

Schema command

kosmo integrations:schema okta.okta_get_group --json

Parameter	Type	Required	Description
`id`	string	yes	The Okta group ID.

okta.okta_add_user_to_group 2 parameters

Schema command

kosmo integrations:schema okta.okta_add_user_to_group --json

Parameter	Type	Required	Description
`groupId`	string	yes	The Okta group ID.
`userId`	string	yes	The Okta user ID.

okta.okta_list_applications 0 parameters

Schema command

kosmo integrations:schema okta.okta_list_applications --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.