Skip to content

JIT MCP for Agentic AI

Generate temporary cloud and SaaS tokens programmatically via an MCP server, under the same JIT policy engine.

Overview

The JIT MCP Server is a Model Context Protocol (MCP) endpoint that allows AI agents — such as Claude Desktop, Cursor, Windsurf, and other MCP-compatible clients — to programmatically request, manage, and retrieve temporary cloud credentials through the JIT Access Platform.

Instead of navigating the Portal UI, developers can ask their AI assistant to create a JIT request, and the agent handles the entire flow: discovering available configurations, selecting the right permissions, submitting the request, and retrieving the credentials once approved.

MCP Server Setup

Server URL

The MCP server is available at:

https://jit.app.entro.security/mcp

Authentication

The MCP server uses OAuth for authentication. Upon trying to authenticate you will be redirected to a SailPoint Entro login page where you will be able to log in with your SailPoint Entro platform credentials.

General Instructions

SailPoint Entro's JIT Portal MCP is located https://jit.app.entro.security/mcp

Refer to your AI agent's MCP configuration to connect. The agent will discover all available tools automatically via the MCP protocol.

Agentic Access

Cursor

Go to Settings > Cursor Settings > Tools & MCP > New MCP Server.

After adding the server click on the Connect button as can be seen below.

OpenAI Codex

Select Settings in the bottom left corner and follow these steps. Authentication is required as well.

Google Gemini

gemini mcp add -t http jit-portal https://jit.app.entro.security/mcp # Add Entro JIT MCP
gemini # Open the Gemini Agent
/mcp auth jit-portal # Authenticate to the JIT Portal

Note

Google's Gemini has many open tracked issues and therefore the MCP might not work with it

OpenCode

opencode mcp add # Will guide you through the mcp installation process
opencode mcp auth <name> # To authenticate

Claude Code

Claude Code MCP Setup and Usage Example

To add the SailPoint Entro JIT MCP you can simply run the following command -

claude mcp add jit-portal --transport http https://jit.app.entro.security/mcp # Add Entro JIT
claude # Start Claude Code agent
/mcp # in claude to access and authenticate the Entro JIT

As shown above, you can authenticate to the JIT MCP server with your SailPoint Entro credentials.

After MCP setup and authentication, you can create new JIT requests with your Claude CLI:

Claude Desktop

Add the following to your Claude Desktop MCP configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "jit-platform": {
      "url": "https://jit.app.entro.security/mcp"
    }
  }
}

Claude Desktop will handle the OAuth authentication flow automatically - you'll be prompted to log in on first use.

Available Tools (19 Total)

JIT Requests (8 tools)

**list_jit_requests**

List all JIT access requests. Can filter by status.

Parameters:

  • status (optional) — pending, approved, rejected, revoked, expired, or all

  • limit (optional) — Max results, 1-100 (default: 50)

**get_jit_request_details**

Get detailed information about a specific JIT access request.

Parameters:

  • requestId (required) — UUID of the JIT request

**get_approved_request_credentials**

Retrieve credentials from vault for an approved request. Supports Azure Key Vault and AWS Secrets Manager. GitHub tokens cannot be retrieved (they are write-only GitHub Actions secrets). Only the request initiator or a tenant admin can call this.

Parameters:

  • requestId (required) — UUID of the approved JIT request

**get_jit_statistics**

Get statistics about JIT requests — counts by status, breakdown by integration type, and recent activity.

Parameters: None

**search_jit_requests**

Advanced search with filters and pagination.

Parameters:

  • search (optional) — Text to match against token name, description, or owner

  • status (optional) — pending, approved, rejected, revoked

  • integrationType (optional) — aws, azure, or GitHub

  • expiringSoon (optional) — Only show requests expiring within 7 days

  • page (optional) — Page number (default: 1)

  • limit (optional) — Results per page, 1-100 (default: 20)

  • sortBy (optional) — created_at, expires_at, token_name

  • sortOrder (optional) — asc or desc (default: desc)

**create_jit_request**

Create a new JIT access request for temporary Azure, AWS, or GitHub credentials. Automation policies (auto-approve / auto-decline) are evaluated automatically on creation.

Parameters:

  • tokenName (required) — Descriptive name for this access token

  • nhiType (required) — app-registration, service-principal, managed-identity, iam-user, iam-role, or github-app-token

  • description (optional) — Why this access is needed

  • integrationType (optional) — azure, aws, or GitHub (default: azure)

  • azureTenantKey (optional) — Label of the Azure tenant configuration

  • awsConfigKey (optional) — Label of the AWS account configuration

  • githubConfigKey (optional) — Label of the GitHub App configuration

  • githubRepo (optional) — Target repository in owner/repo format

  • githubPermissions (optional) — Permission scopes, e.g. { "contents": "write", "issues": "read" }

  • azurePermissions (optional) — Object with rbacRole, customRbacRole, and/or graphScopes

  • awsPermissions (optional) — Object with managedPolicy or customPolicy

  • expiryDays (optional) — Days until expiry, 1-30 (default: 7). IAM Role sessions max 12 hours. GitHub tokens always 1 hour.

  • storageType (optional) — aws-secrets-manager, azure-key-vault, or github-secrets

  • azureKeyVaultUri (optional) — Azure Key Vault URI

  • awsRegion (optional) — AWS region for Secrets Manager

  • secretPrefix (optional) — Prefix for secret name in vault

**rotate_jit_credentials**

Rotate credentials for an approved request. Creates new credentials and stores them as a new vault version (old version preserved). GitHub tokens cannot be rotated.

Parameters:

  • requestId (required) — UUID of the approved JIT request

**retry_azure_consent**

Retry granting admin consent for Microsoft Graph API permissions on an approved Azure app registration. Use when consent could not be granted at approval time.

Parameters:

  • requestId (required) — UUID of the approved Azure JIT request

Discovery (6 tools)

**list_azure_roles**

List available Azure built-in roles for a tenant configuration. Use to find the role name to pass as rbacRole when creating a request.

Parameters:

  • azureTenantKey (required) — Label of the Azure tenant configuration

  • search (optional) — Filter roles by name or description

**list_azure_key_vaults**

List Azure Key Vaults accessible for a tenant configuration.

Parameters:

  • azureTenantKey (required) — Label of the Azure tenant configuration

**list_aws_iam_policies**

List AWS managed IAM policies for an account configuration. Use to find the policy ARN to pass as managedPolicy when creating a request.

Parameters:

  • awsConfigKey (required) — Label of the AWS account configuration

  • search (optional) — Filter policies by name

**list_github_repositories**

List repositories accessible to a GitHub App installation. Returns repos in owner/repo format.

Parameters:

  • githubConfigKey (required) — Label of the GitHub App configuration

  • search (optional) — Filter repositories by name

**list_github_permissions**

List permission scopes granted to a GitHub App installation. Returns key-value pairs like { "contents": "write", "issues": "read" }.

Parameters:

  • githubConfigKey (required) — Label of the GitHub App configuration

**list_storage_options**

List available vault/storage options — supported storage types, AWS regions, and Azure Key Vaults per tenant.

Parameters: None

Cloud Configs (2 tools)

**list_cloud_configs**

List all configured cloud provider accounts (Azure tenants, AWS accounts, GitHub Apps) available for JIT requests.

Parameters: None

**list_azure_tenants**

Backward-compatible alias for list_cloud_configs.

Parameters: None

Automation (1 tool)

**list_automation_policies**

List all JIT automation policies — both auto-approve and auto-decline rules, with their conditions and priorities.

Parameters: None

User (2 tools)

**get_current_user**

Get information about the currently authenticated user.

Parameters: None

**get_tenant_info**

Get information about the current tenant. Admins also receive the list of tenant users.

Parameters: None

Example Request Flows

Azure: Create an App Registration with Contributor Role

Step 1 — Discover available Azure tenants:

list_cloud_configs
Returns: [{ label: "contoso-prod", provider: "azure" }, ...]

Step 2 — Find the right RBAC role:

list_azure_roles { azureTenantKey: "contoso-prod", search: "Contributor" }
Returns: [{ roleName: "Contributor", roleId: "b24988ac-..." }, ...]

Step 3 — Find a Key Vault for storage:

list_azure_key_vaults { azureTenantKey: "contoso-prod" }
Returns: [{ name: "my-vault", uri: "https://my-vault.vault.azure.net" }]

Step 4 — Create the request:

create_jit_request {
  tokenName: "deploy-pipeline",
  description: "CI/CD deployment access",
  integrationType: "azure",
  nhiType: "app-registration",
  azureTenantKey: "contoso-prod",
  azurePermissions: { rbacRole: "Contributor" },
  expiryDays: 7,
  storageType: "azure-key-vault",
  azureKeyVaultUri: "https://my-vault.vault.azure.net"
}
Returns: { id: "abc-123", status: "approved" } if auto-approved, or { status: "pending" } if awaiting manual approval

Step 5 — Retrieve credentials (once approved):

get_approved_request_credentials { requestId: "abc-123" }
Returns: { clientId: "...", clientSecret: "...", tenantId: "..." }

AWS: Create an IAM Role with Read-Only S3 Access

Step 1 — Discover available AWS accounts:

list_cloud_configs
Returns: [{ label: "aws-staging", provider: "aws" }, ...]

Step 2 — Find the right IAM policy:

list_aws_iam_policies { awsConfigKey: "aws-staging", search: "S3ReadOnly" }
Returns: [{ policyName: "AmazonS3ReadOnlyAccess", arn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" }]

Step 3 — Create the request:

create_jit_request {
  tokenName: "s3-data-reader",
  description: "Read access to S3 for data pipeline",
  integrationType: "aws",
  nhiType: "iam-role",
  awsConfigKey: "aws-staging",
  awsPermissions: { managedPolicy: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" },
  expiryDays: 1,
  storageType: "aws-secrets-manager",
  awsRegion: "us-east-1"
}
Returns: { id: "def-456", status: "approved" }

Step 4 — Retrieve credentials:

get_approved_request_credentials { requestId: "def-456" }
Returns: { awsAccessKeyId: "AKIA...", awsSecretAccessKey: "...", awsSessionToken: "...", expiryDate: "..." }

GitHub: Create a Token with Write Access to a Repository

Step 1 — Discover available GitHub Apps:

list_cloud_configs
Returns: [{ label: "github-org-app", provider: "github" }, ...]

Step 2 — Find the target repository:

list_github_repositories { githubConfigKey: "github-org-app", search: "backend" }
Returns: [{ fullName: "my-org/backend-service" }, ...]

Step 3 — Check available permissions:

list_github_permissions { githubConfigKey: "github-org-app" }
Returns: { "contents": "write", "issues": "write", "pull_requests": "write", "actions": "read" }

Step 4 — Create the request:

create_jit_request {
  tokenName: "release-bot",
  description: "Push release tags",
  integrationType: "github",
  nhiType: "github-app-token",
  githubConfigKey: "github-org-app",
  githubRepo: "my-org/backend-service",
  githubPermissions: { "contents": "write" }
}
Returns: { id: "ghi-789", status: "approved" }

Note

GitHub tokens are stored as GitHub Actions secrets in the target repository. They cannot be retrieved via the API — they are write-only.

Monitoring and Management

Search for expiring requests:

search_jit_requests { expiringSoon: true }

Rotate credentials before expiry:

rotate_jit_credentials { requestId: "abc-123" }

Get platform statistics:

get_jit_statistics

View automation policies:

list_automation_policies

Notes and Limitations

  • GitHub tokens are write-only: After creation, GitHub installation tokens are stored as GitHub Actions secrets and cannot be retrieved via the API. Use them directly in GitHub Actions workflows.

  • GitHub tokens cannot be rotated: GitHub installation tokens have a fixed ~1 hour lifetime. Create a new JIT request instead.

  • IAM Role sessions max 12 hours: AWS STS AssumeRole has a maximum session duration of 12 hours. The expiryDays parameter will be capped accordingly.

  • Credentials shown once: When a request is auto-approved via MCP, the credentials are returned to the caller in the response. For manually-approved requests, poll get_jit_request_details until status is "approved", then call get_approved_request_credentials.

  • All tools require authentication: The MCP server uses Descope OAuth — your AI agent must complete the authentication flow before calling any tools.