Can I use Okta as a CLI?

Yes. KosmoKrator exposes a Okta CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Okta through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Okta tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Okta credentials stored?

Okta credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Okta MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

Okta Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the Okta KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.okta.*. Use lua_read_doc("integrations.okta") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic Okta workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.okta.list_users({limit = 1, q = "example_q"}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("okta"))' --json
kosmo integrations:lua --eval 'print(docs.read("okta.list_users"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local okta = app.integrations.okta
local result = okta.list_users({limit = 1, q = "example_q"})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.okta, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.okta.default.* or app.integrations.okta.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need Okta, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

Okta — Lua API Reference

okta_list_users

List users in the Okta organization.

Parameters

Name	Type	Required	Description
`limit`	integer	no	Maximum number of users to return (1–200, default: 200)
`q`	string	no	Search query to filter users by first name, last name, or email

Example

-- List all users
local result = app.integrations.okta.list_users({})

for _, user in ipairs(result) do
  print(user.profile.login .. " — " .. user.profile.firstName .. " " .. user.profile.lastName .. " (" .. user.status .. ")")
end

-- Search for a user
local result = app.integrations.okta.list_users({ q = "john" })

okta_get_user

Get details for a specific Okta user.

Parameters

Name	Type	Required	Description
`id`	string	yes	Okta user ID or login email address

Example

local user = app.integrations.okta.get_user({ id = "00u1a2b3c4d5e6f7g8h9" })
print(user.profile.login)
print(user.profile.email)
print(user.status)

okta_get_current_user

Get the profile of the currently authenticated API token owner.

Parameters

None.

Example

local me = app.integrations.okta.get_current_user({})
print("Connected as: " .. me.profile.login)

okta_create_user

Create a new user in Okta.

Parameters

Name	Type	Required	Description
`profile`	object	yes	User profile. Required: `firstName`, `lastName`, `email`, `login`
`credentials`	object	no	User credentials, e.g. `{ password = { value = "TempPass123!" } }`
`activate`	boolean	no	Activate immediately (default: `true`)

Profile Fields

Field	Type	Description
`firstName`	string	Required. First name
`lastName`	string	Required. Last name
`email`	string	Required. Primary email
`login`	string	Required. Login username (often same as email)
`mobilePhone`	string	Mobile phone number
`secondEmail`	string	Backup email
`title`	string	Job title
`department`	string	Department name
`organization`	string	Organization name

Example

local user = app.integrations.okta.create_user({
  profile = {
    firstName = "Jane",
    lastName = "Doe",
    email = "jane.doe@example.com",
    login = "jane.doe@example.com",
    title = "Software Engineer",
    department = "Engineering"
  },
  activate = true
})

print("Created user: " .. user.id)

With password

local user = app.integrations.okta.create_user({
  profile = {
    firstName = "Jane",
    lastName = "Doe",
    email = "jane.doe@example.com",
    login = "jane.doe@example.com"
  },
  credentials = {
    password = { value = "TempPass123!" }
  },
  activate = true
})

okta_update_user

Update an existing Okta user profile.

Parameters

Name	Type	Required	Description
`id`	string	yes	Okta user ID or login email
`profile`	object	yes	Fields to update (only include what you want to change)
`credentials`	object	no	Updated credentials

Example

local user = app.integrations.okta.update_user({
  id = "00u1a2b3c4d5e6f7g8h9",
  profile = {
    title = "Senior Engineer",
    department = "Platform"
  }
})

okta_deactivate_user

Deactivate an Okta user. The user cannot sign in but data is retained.

Parameters

Name	Type	Required	Description
`id`	string	yes	Okta user ID or login email

Example

app.integrations.okta.deactivate_user({ id = "00u1a2b3c4d5e6f7g8h9" })
print("User deactivated")

okta_list_groups

List groups in the Okta organization.

Parameters

Name	Type	Required	Description
`q`	string	no	Search query to filter groups by name

Example

-- List all groups
local groups = app.integrations.okta.list_groups({})
for _, group in ipairs(groups) do
  print(group.id .. ": " .. group.profile.name)
end

-- Search for a group
local groups = app.integrations.okta.list_groups({ q = "Engineering" })

okta_get_group

Get details for a specific Okta group.

Parameters

Name	Type	Required	Description
`id`	string	yes	Okta group ID

Example

local group = app.integrations.okta.get_group({ id = "00g1a2b3c4d5e6f7g8h9" })
print(group.profile.name)
print(group.profile.description or "(no description)")

okta_add_user_to_group

Add a user to an Okta group.

Parameters

Name	Type	Required	Description
`groupId`	string	yes	Okta group ID
`userId`	string	yes	Okta user ID

Example

app.integrations.okta.add_user_to_group({
  groupId = "00g1a2b3c4d5e6f7g8h9",
  userId = "00u1a2b3c4d5e6f7g8h9"
})
print("User added to group")

okta_list_applications

List applications in the Okta organization.

Parameters

None.

Example

local apps = app.integrations.okta.list_applications({})
for _, app in ipairs(apps) do
  print(app.id .. ": " .. app.label .. " (" .. app.status .. ")")
end

Multi-Account Usage

If you have multiple Okta organizations configured, use account-specific namespaces:

-- Default account (always works)
app.integrations.okta.list_users({})

-- Explicit default (portable across setups)
app.integrations.okta.default.list_users({})

-- Named accounts
app.integrations.okta.production.list_users({})
app.integrations.okta.staging.list_users({})

All functions are identical across accounts — only the credentials differ.

Raw agent markdown

# Okta — Lua API Reference

## okta_list_users

List users in the Okta organization.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `limit` | integer | no | Maximum number of users to return (1–200, default: 200) |
| `q` | string | no | Search query to filter users by first name, last name, or email |

### Example

```lua
-- List all users
local result = app.integrations.okta.list_users({})

for _, user in ipairs(result) do
  print(user.profile.login .. " — " .. user.profile.firstName .. " " .. user.profile.lastName .. " (" .. user.status .. ")")
end

-- Search for a user
local result = app.integrations.okta.list_users({ q = "john" })
```

---

## okta_get_user

Get details for a specific Okta user.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `id` | string | yes | Okta user ID or login email address |

### Example

```lua
local user = app.integrations.okta.get_user({ id = "00u1a2b3c4d5e6f7g8h9" })
print(user.profile.login)
print(user.profile.email)
print(user.status)
```

---

## okta_get_current_user

Get the profile of the currently authenticated API token owner.

### Parameters

None.

### Example

```lua
local me = app.integrations.okta.get_current_user({})
print("Connected as: " .. me.profile.login)
```

---

## okta_create_user

Create a new user in Okta.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `profile` | object | yes | User profile. Required: `firstName`, `lastName`, `email`, `login` |
| `credentials` | object | no | User credentials, e.g. `{ password = { value = "TempPass123!" } }` |
| `activate` | boolean | no | Activate immediately (default: `true`) |

### Profile Fields

| Field | Type | Description |
|-------|------|-------------|
| `firstName` | string | **Required.** First name |
| `lastName` | string | **Required.** Last name |
| `email` | string | **Required.** Primary email |
| `login` | string | **Required.** Login username (often same as email) |
| `mobilePhone` | string | Mobile phone number |
| `secondEmail` | string | Backup email |
| `title` | string | Job title |
| `department` | string | Department name |
| `organization` | string | Organization name |

### Example

```lua
local user = app.integrations.okta.create_user({
  profile = {
    firstName = "Jane",
    lastName = "Doe",
    email = "jane.doe@example.com",
    login = "jane.doe@example.com",
    title = "Software Engineer",
    department = "Engineering"
  },
  activate = true
})

print("Created user: " .. user.id)
```

### With password

```lua
local user = app.integrations.okta.create_user({
  profile = {
    firstName = "Jane",
    lastName = "Doe",
    email = "jane.doe@example.com",
    login = "jane.doe@example.com"
  },
  credentials = {
    password = { value = "TempPass123!" }
  },
  activate = true
})
```

---

## okta_update_user

Update an existing Okta user profile.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `id` | string | yes | Okta user ID or login email |
| `profile` | object | yes | Fields to update (only include what you want to change) |
| `credentials` | object | no | Updated credentials |

### Example

```lua
local user = app.integrations.okta.update_user({
  id = "00u1a2b3c4d5e6f7g8h9",
  profile = {
    title = "Senior Engineer",
    department = "Platform"
  }
})
```

---

## okta_deactivate_user

Deactivate an Okta user. The user cannot sign in but data is retained.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `id` | string | yes | Okta user ID or login email |

### Example

```lua
app.integrations.okta.deactivate_user({ id = "00u1a2b3c4d5e6f7g8h9" })
print("User deactivated")
```

---

## okta_list_groups

List groups in the Okta organization.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `q` | string | no | Search query to filter groups by name |

### Example

```lua
-- List all groups
local groups = app.integrations.okta.list_groups({})
for _, group in ipairs(groups) do
  print(group.id .. ": " .. group.profile.name)
end

-- Search for a group
local groups = app.integrations.okta.list_groups({ q = "Engineering" })
```

---

## okta_get_group

Get details for a specific Okta group.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `id` | string | yes | Okta group ID |

### Example

```lua
local group = app.integrations.okta.get_group({ id = "00g1a2b3c4d5e6f7g8h9" })
print(group.profile.name)
print(group.profile.description or "(no description)")
```

---

## okta_add_user_to_group

Add a user to an Okta group.

### Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| `groupId` | string | yes | Okta group ID |
| `userId` | string | yes | Okta user ID |

### Example

```lua
app.integrations.okta.add_user_to_group({
  groupId = "00g1a2b3c4d5e6f7g8h9",
  userId = "00u1a2b3c4d5e6f7g8h9"
})
print("User added to group")
```

---

## okta_list_applications

List applications in the Okta organization.

### Parameters

None.

### Example

```lua
local apps = app.integrations.okta.list_applications({})
for _, app in ipairs(apps) do
  print(app.id .. ": " .. app.label .. " (" .. app.status .. ")")
end
```

---

## Multi-Account Usage

If you have multiple Okta organizations configured, use account-specific namespaces:

```lua
-- Default account (always works)
app.integrations.okta.list_users({})

-- Explicit default (portable across setups)
app.integrations.okta.default.list_users({})

-- Named accounts
app.integrations.okta.production.list_users({})
app.integrations.okta.staging.list_users({})
```

All functions are identical across accounts — only the credentials differ.

Metadata-derived Lua example

local result = app.integrations.okta.list_users({limit = 1, q = "example_q"})
print(result)

Functions

list_users Read

List users in the Okta organization. Returns user profiles with IDs, names, emails, and status. Supports search filtering by name or email.

Lua path: app.integrations.okta.list_users
Full name: okta.okta_list_users

Parameter	Type	Required	Description
`limit`	integer	no	Maximum number of users to return (1–200, default: 200).
`q`	string	no	Search query to filter users by first name, last name, or email.

get_user Read

Get details for a specific Okta user by ID or login email. Returns the full user profile including status, group memberships, and assigned applications.

Lua path: app.integrations.okta.get_user
Full name: okta.okta_get_user

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email address.

get_current_user Read

Get the profile of the currently authenticated Okta API token owner. Useful for verifying the integration connection and identifying which service account is in use.

Lua path: app.integrations.okta.get_current_user
Full name: okta.okta_get_current_user

Parameter	Type	Required	Description
No parameters.

create_user Write

Create a new user in Okta. Requires a profile with at least firstName, lastName, email, and login. Optionally provide credentials (password) and control activation.

Lua path: app.integrations.okta.create_user
Full name: okta.okta_create_user

Parameter	Type	Required	Description
`profile`	object	yes	User profile object. Required fields: firstName, lastName, email, login. Optional: mobilePhone, secondEmail, title, department, organization, etc.
`credentials`	object	no	User credentials. Example: {"password": {"value": "TempPass123!"}}. Omit to let Okta send an activation email.
`activate`	boolean	no	Whether to activate the user immediately (default: true). If false, the user is created in STAGED status.

update_user Write

Update an existing Okta user profile. Provide only the profile fields you want to change — other fields remain unchanged.

Lua path: app.integrations.okta.update_user
Full name: okta.okta_update_user

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to update.
`profile`	object	yes	Updated profile fields. Only include fields you want to change (e.g., firstName, lastName, email, title, department, etc.).
`credentials`	object	no	Updated credentials (e.g., new password). Optional.

deactivate_user Write

Deactivate an Okta user. The user will be unable to sign in but their data is retained. This action can be reversed by reactivating the user in the Okta admin console.

Lua path: app.integrations.okta.deactivate_user
Full name: okta.okta_deactivate_user

Parameter	Type	Required	Description
`id`	string	yes	The Okta user ID or login email to deactivate.

list_groups Read

List groups in the Okta organization. Returns group names and IDs. Supports search filtering by group name.

Lua path: app.integrations.okta.list_groups
Full name: okta.okta_list_groups

Parameter	Type	Required	Description
`q`	string	no	Search query to filter groups by name.

get_group Read

Get details for a specific Okta group by ID. Returns the group name, description, and type.

Lua path: app.integrations.okta.get_group
Full name: okta.okta_get_group

Parameter	Type	Required	Description
`id`	string	yes	The Okta group ID.

add_user_group Write

Add a user to an Okta group. The user will inherit the group's assigned applications and permissions.

Lua path: app.integrations.okta.add_user_group
Full name: okta.okta_add_user_to_group

Parameter	Type	Required	Description
`groupId`	string	yes	The Okta group ID.
`userId`	string	yes	The Okta user ID.

list_applications Read

List applications in the Okta organization. Returns application names, IDs, statuses, and types.

Lua path: app.integrations.okta.list_applications
Full name: okta.okta_list_applications

Parameter	Type	Required	Description
No parameters.