A command line tool for working with OIDC
-
Download a released binary: https://github.com/ctron/oidc-cli/releases
-
From source with
cargo:cargo install oidc-cli
-
A binary with
cargo-binstall:cargo binstall oidc-cli
-
On Windows, you can use
winget:winget install ctron.oidc -
With
brewto you can:brew tap ctron/tap brew install ctron/tap/oidc
-
With
snapyou can:snap install oidc
Creating a new (confidential) client:
oidc create confidential my-client --issuer https://example.com/realm --client-id foo --client-secret barCreating a new (public) client:
oidc create public my-client --issuer https://example.com/realm --client-id fooThen, get an access token:
oidc token my-clientOr combine it with e.g., HTTPie:
http example.com/api "Authorization:$(oidc token my-client --bearer)"Or even shorter:
http example.com/api $(oidc token -H my-client)This also works with curl:
curl http://example.com/api -H $(oidc token -H my-client)oidc-cli includes a built-in MCP server that lets AI assistants retrieve OIDC
tokens for configured clients. This is useful when you want AI-powered tools to make authenticated API calls on your
behalf.
First, set up your OIDC clients as usual (see above). Then start the MCP server:
oidc mcpThe server communicates over stdio and exposes two tools:
list_clients— lists all configured OIDC clients with their issuer URL and token statusget_token— retrieves a valid token for a named client, automatically refreshing if expired
To register the MCP server with Claude Code:
claude mcp add oidc -- oidc mcpCreate a public client from an initial refresh token. This can be useful if you have a frontend application, but no means of performing the authorization code flow with a local server. In case you have access to the refresh token, e.g via the browsers developer console, you can initialize the public client with that:
oidc create public my-client --issuer https://example.com/realm --client-id foo --refresh-token <refresh-token>