MCP tool catalog
This is the list of tools @prysmid/mcp exposes today. When the MCP connects to your client (Claude Code, Antigravity, Cursor, etc.), it sends this catalog as JSON-Schema — the LLM receives it in its context window and picks which one to call based on user intent. You don’t paste schemas; the agent discovers them automatically.
Curated (high-level — what an agent naturally reaches for)
Section titled “Curated (high-level — what an agent naturally reaches for)”| Tool | What it does |
|---|---|
setup_prysmid_workspace | Creates a new workspace and waits until provisioning completes (Zitadel + DNS + SMTP). Returns a live auth_domain ready to integrate. |
enable_google_login | Configures Google as an IdP on a workspace and flips allow_external_idp=true in the login policy. Idempotent — if Google is already configured, returns the existing IdP. |
prysmid_setup_check | Runs a readiness checklist on a workspace (state=active, ≥1 OIDC app, users_can_sign_in, branding configured, auth_strength reasonable). Returns verdict: ready / incomplete with per-item detail. |
Workspaces
Section titled “Workspaces”| Tool | What it does |
|---|---|
list_workspaces | Lists workspaces accessible to your account. |
get_workspace | Workspace detail by slug or id. |
create_workspace | Creates a workspace. Args: slug, display_name, plan (free/pro). |
update_workspace | Edits display_name, plan, etc. |
delete_workspace | Deletes the workspace. Requires human confirmation. |
retry_provisioning | Re-runs provisioning if the workspace is stuck in provisioning_failed. |
OIDC apps
Section titled “OIDC apps”| Tool | What it does |
|---|---|
list_apps | Lists OIDC apps registered in the workspace. Returns {items, total}. |
create_oidc_app | Registers an app. Args: name, redirect_uris[], app_type (web/spa/native), dev_mode (true for http://localhost). Returns client_id + client_secret (the latter shown once). |
delete_oidc_app | Deletes an app. Requires human confirmation. |
Identity Providers (IdPs)
Section titled “Identity Providers (IdPs)”| Tool | What it does |
|---|---|
list_idps | Lists IdPs configured in the workspace. |
add_idp | Registers a generic IdP. Args: type (google/github/microsoft/oidc), name, client_id, client_secret, optional issuer (oidc), tenant_id (microsoft), scopes[]. Idempotent on type. |
delete_idp | Removes an IdP. Existing sessions stay valid until expiry. |
Login policy
Section titled “Login policy”| Tool | What it does |
|---|---|
get_login_policy | Reads the workspace’s current policy (allow_username_password, allow_register, allow_external_idp, force_mfa, etc.). |
update_login_policy | Edits the policy. Auto-promotes to a per-org override if it was still inheriting the instance default. |
Branding
Section titled “Branding”| Tool | What it does |
|---|---|
get_branding | Reads current branding (logo URL, primary_color, etc.). |
update_branding | Sets logo, colors, dark mode, custom CSS. |
delete_logo | Removes the logo and reverts to the default. |
| Tool | What it does |
|---|---|
list_users | Lists workspace users. |
invite_user | Invites a user by email. Args: email, role, preferred_language. |
delete_user | Deletes a user. Requires human confirmation. |
| Tool | What it does |
|---|---|
get_smtp | Reads the workspace’s current SMTP config (managed default vs. custom). |
set_custom_smtp | Override with your own SMTP (host, port, user, password, from_address). |
revert_to_platform_default | Goes back to the Prysm:ID-managed SMTP. |
Billing
Section titled “Billing”| Tool | What it does |
|---|---|
get_billing | Current plan + spending cap + period usage. |
set_spending_cap | Sets/removes the overage cap. null for “unlimited”. |
start_billing_checkout | Returns a Stripe Checkout URL for an upgrade. Human action required to confirm payment. |
start_billing_portal | Returns a Stripe Customer Portal URL to manage payment method / invoices / cancellations. |
Conventions
Section titled “Conventions”- Naming:
verb_noun(snake_case). The verb signals intent (list,get,create,update,delete,add,enable,revert…). Consistent with the REST API. - Errors: come with a machine-readable
codeand a human-readablemessage. 4xx surfaces to the agent so it can decide (retry, escalate, abort). 5xx appears as a generic error. - Human confirmation: destructive tools (
delete_*) require explicit human approval before each call. The agent doesn’t auto-confirm — the handoff prompt makes that explicit. - Idempotency: curated tools (
setup_prysmid_workspace,enable_google_login,add_idpwith an existingtype) are idempotent by design — re-running them converges to the same state instead of creating duplicates.
Roadmap
Section titled “Roadmap”If you’re missing an operation the REST API already supports but the MCP doesn’t expose, open an issue at PrysmID/mcp-server. The generator that produces “raw” tools from the OpenAPI spec ships with every platform release — the lag closes fast.