Ping Identity has an open-source MCP server that brings PingOne tenant management into your AI-powered IDE — and its security model is worth paying attention to.
Released in March 2026, the PingOne MCP Server exposes 14 tools across four capability areas — Applications, Environments, Populations, and Directory — allowing any MCP-compatible agent (Claude Desktop, VS Code Copilot, Cursor, Gemini CLI) to manage a PingOne tenant through natural language. The repo is Apache 2.0 licensed and available on GitHub.
What makes the security model sensible
The agent acts as the authenticated user — there is no separate service account or service token embedded in the server. Every API call inherits the roles assigned to the admin who authenticated, is scoped to what that user can do, and lands in PingOne’s audit log with session and transaction IDs for full traceability.
Three additional guardrails ship by default:
- Read-only by default — Write tools are disabled at startup unless you explicitly pass --disable-read-only. No accidental mutations.
- Production write protection — Even with write tools enabled, actions against production environments are blocked by default.
- OS keychain token storage — Tokens are cached in macOS Keychain, Windows Credential Manager, or Linux Secret Service, not in plaintext files.
Two auth paths, one clear recommendation
The worker application you create in PingOne acts as the OAuth client. Two grant types are supported:
- Authorization Code + PKCE (recommended) — Browser-based interactive login. Best for local development and service desk workflows. Requires the redirect URI http://127.0.0.1:7464/callback, PKCE enforcement set to S256_REQUIRED, and Token Endpoint Auth Method set to None.
- Device Authorization Grant — Headless flow for containerized or CI/CD environments. The user receives a device code and authenticates via a separate browser session.
In both cases: capture your Environment ID and Client ID from the PingOne console — those two values are all your MCP client configuration needs.
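To make the recommended PKCE configuration concrete, here is an added example (not code from the PingOne MCP Server repo) that models the public-client half of the Authorization Code + PKCE flow: a random verifier, its S256 challenge, the authorization URL using the loopback redirect from the setup guide, and a token request that carries a code_verifier but no client secret (Token Endpoint Auth Method None). It also models why the worker app should enforce S256_REQUIRED: a token endpoint under that policy rejects the plain method and any verifier that does not hash to the stored challenge. The authorize endpoint layout, the ENV_ID and CLIENT_ID values, and the scope are assumptions for illustration only.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholders, not real tenant values: replace with the Environment ID and
# Client ID captured from the PingOne console.
ENV_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Loopback redirect URI required by the setup guide for the PKCE path.
REDIRECT_URI = "http://127.0.0.1:7464/callback"
# Assumed per-environment endpoint layout; confirm against your tenant's discovery document.
AUTHORIZE_URL = f"https://auth.pingone.com/{ENV_ID}/as/authorize"
TOKEN_URL = f"https://auth.pingone.com/{ENV_ID}/as/token"


def make_code_verifier(nbytes: int = 32) -> str:
    """Random URL-safe verifier; 32 bytes yields 43 characters, within RFC 7636's 43..128."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request a public client sends the browser to; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",  # assumed scope for the example
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str) -> dict:
    """Token exchange body for a public client: the verifier proves possession, no client_secret is sent."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_accepts_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Model of an S256_REQUIRED policy at the token endpoint: refuse 'plain' outright and
    accept a verifier only if its S256 hash matches the challenge bound to the code."""
    if stored_method != "S256":
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("Open in browser:", build_authorize_url(verifier, state))
    print("Token request (POST to", TOKEN_URL + "):", build_token_request("<code from callback>", verifier))
```

Run it to see the URL the MCP client would hand to the browser; the server-side check shows why a downgraded verifier or a plain-method request is refused when the worker app is configured as the guide recommends.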
Installation
On macOS or Linux: brew tap pingidentity/tap && brew install pingone-mcp-server. On Windows, a pre-built executable is available from the project releases page. First tool call triggers a browser-based admin login; the token is then cached and reused automatically.
This is preview software — APIs and behavior may change. For IAM architects evaluating the MCP ecosystem across vendors, this sits alongside the Okta and SailPoint MCP servers as a third production-oriented option, each with a distinct security model worth comparing before committing to an integration pattern.
📌 Sources: Ping Identity Developer Blog & GitHub Setup Guide