How it works
No console to click through. You describe the identity provider you want, and the MCP builds it against a real issuer.
Connect the MCP
Add mcp.auth.is as a connector in Claude, Claude Code, or any MCP-capable tool. The first tool call runs an OAuth sign-in against login.auth.is — connecting the MCP is the sign-up. Your tool never sees your credentials.
Talk your IdP into existence
"Create a team for acme.com, add a public client for our SPA, and enable Google sign-in." The tools provision a real, standards-compliant issuer at acme.auth.is — discovery, JWKS, and the authorize/token/userinfo endpoints, live.
Point your app at the issuer
Your applications speak plain OIDC to your issuer — no lock-in, no SDK. If your stack already talks to any OpenID Connect provider, it already talks to auth.is.
You say
Plain language to your AI tool — the MCP does the rest.
Create an auth.is team "Acme" with issuer
slug "acme". Register a public client for
our SPA at https://app.acme.com, and brand
the login page indigo.You get
A live issuer, discoverable the instant it returns.
$ curl https://acme.auth.is/.well-known/\
openid-configuration
{
"issuer": "https://acme.auth.is",
"authorization_endpoint": ".../oidc/auth",
"token_endpoint": ".../oidc/token",
"jwks_uri": ".../oidc/jwks"
}A real OIDC provider, without operating one
Standards-compliant, multi-tenant, and managed conversationally.
Per-team issuers
Every team gets a dedicated issuer at https://{team}.auth.is with its own signing keys and its own user pool. Full OIDC discovery on a subdomain — not a shared tenant behind a path.
Federation
Add "Continue with Google, Microsoft, or Kenni" per issuer with one tool call. Standard OIDC upstreams, linked to your issuer's users under verified-email rules.
Passkeys
Turn on WebAuthn passkeys as opt-in second-factor per client. RP-scoped to the issuer host, so credentials never cross tenants.
Themes from one color
Give an accent color; get contrast-checked light and dark palettes plus a matching gradient, generated in OKLCH and injected into your login pages before hydration.
Refresh tokens & key rotation
Offline access with refresh tokens, and zero-downtime signing-key rotation — keys published in JWKS before activation and retired only after the last token expires.
MCP-native, no console
There is no admin dashboard to learn. The whole management surface is MCP tools your AI tools already know how to call. Dynamic client registration lets them self-connect.