auth.is
auth.isThe MCP-first identity provider

Talk your identity provider into existence.

auth.is gives every team a hosted OpenID Connect issuer on a *.auth.is subdomain — created, configured, themed, and operated by connecting an MCP server and describing what you want.

How it works

No console to click through. You describe the identity provider you want, and the MCP builds it against a real issuer.

01

Connect the MCP

Add mcp.auth.is as a connector in Claude, Claude Code, or any MCP-capable tool. The first tool call runs an OAuth sign-in against login.auth.is — connecting the MCP is the sign-up. Your tool never sees your credentials.

02

Talk your IdP into existence

"Create a team for acme.com, add a public client for our SPA, and enable Google sign-in." The tools provision a real, standards-compliant issuer at acme.auth.is — discovery, JWKS, and the authorize/token/userinfo endpoints, live.

03

Point your app at the issuer

Your applications speak plain OIDC to your issuer — no lock-in, no SDK. If your stack already talks to any OpenID Connect provider, it already talks to auth.is.

You say

Plain language to your AI tool — the MCP does the rest.

Create an auth.is team "Acme" with issuer
slug "acme". Register a public client for
our SPA at https://app.acme.com, and brand
the login page indigo.

You get

A live issuer, discoverable the instant it returns.

$ curl https://acme.auth.is/.well-known/\
    openid-configuration

{
  "issuer": "https://acme.auth.is",
  "authorization_endpoint": ".../oidc/auth",
  "token_endpoint": ".../oidc/token",
  "jwks_uri": ".../oidc/jwks"
}

A real OIDC provider, without operating one

Standards-compliant, multi-tenant, and managed conversationally.

Per-team issuers

Every team gets a dedicated issuer at https://{team}.auth.is with its own signing keys and its own user pool. Full OIDC discovery on a subdomain — not a shared tenant behind a path.

Federation

Add "Continue with Google, Microsoft, or Kenni" per issuer with one tool call. Standard OIDC upstreams, linked to your issuer's users under verified-email rules.

Passkeys

Turn on WebAuthn passkeys as opt-in second-factor per client. RP-scoped to the issuer host, so credentials never cross tenants.

Themes from one color

Give an accent color; get contrast-checked light and dark palettes plus a matching gradient, generated in OKLCH and injected into your login pages before hydration.

Refresh tokens & key rotation

Offline access with refresh tokens, and zero-downtime signing-key rotation — keys published in JWKS before activation and retired only after the last token expires.

MCP-native, no console

There is no admin dashboard to learn. The whole management surface is MCP tools your AI tools already know how to call. Dynamic client registration lets them self-connect.

Connect the MCP

Add this server to Claude, Claude Code, or any MCP-capable tool. The first tool call signs you in and creates your account — no separate console, no credentials handed to the tool.

https://mcp.auth-is.dev
auth.is