Introducing the DaVinci MCP Server
Introducing the DaVinci MCP Server: Connect AI assistants to your PingOne DaVinci environment for faster flow exploration, validation, and troubleshooting.
As the market moved toward AI assistants and agent-based workflows, I kept coming back to one question:
What does this mean for identity orchestration platforms?
More specifically, what should identity orchestration look like when AI assistants become part of the developer workflow?
Identity journeys are not just pieces of code. They represent onboarding, authentication, MFA, recovery, fraud checks, and access decisions. They are the product of decisions made by architects, developers, product managers, and security teams, often over many months, sometimes by people who have since moved on. If AI assistants are going to help teams build and operate software, they also need a better way to understand the identity journeys behind those experiences.
That realization came to me through a very ordinary scenario.
Life Before AI-Assisted Orchestration
When a Simple Support Ticket Becomes an Identity Investigation
Silvia is a support agent at ACME Corp. She has received several tickets from users who cannot register their FIDO2 device during account creation. She knows that MFA device onboarding runs through DaVinci, but she does not know which flow is involved, where the failure is happening, or who to ask first.
Traditionally, her path forward looks like this: escalate to the flow development team, wait for someone to pick up the ticket, have them identify which application and flow policy is in scope, inspect the connector configuration, review execution logs, and determine whether the failure is in the flow logic, the MFA connector, a policy decision, the user’s device, or something upstream in PingOne.
The customer issue is simple to describe. The investigation is not.
Silvia does not need to become a DaVinci expert. But she does need a faster way to ask operational questions: Which flow handles this onboarding journey? Where does FIDO registration happen? Which connector is used? What did the last ten failed executions look like? What should I check first?
Right now, those questions require a specialist. They do not have to.
Need of the Hour
These are situations where the need for an MCP server becomes imminent, as a practical way to make DaVinci administration and troubleshooting easier.
If an AI assistant can securely access the structure of a DaVinci environment, it can help people like Silvia understand flows faster, identify dependencies, validate configuration, and troubleshoot failures without starting from scratch every time.
A Quick Word on MCP
Before we go further, MCP, or the Model Context Protocol, is an open standard introduced by Anthropic that allows AI assistants to connect to external tools and data sources through a common interface. Instead of fragmented, custom integrations between AI tools and every system a team uses, MCP provides a standard protocol for connecting AI assistants to the systems where context actually lives.
For identity orchestration, that context lives in flows, applications, connectors, variables, forms, flow versions, validation results, and execution history.
MCP is the bridge. The DaVinci MCP Server is what sits on the other side of it.
For a deeper look at MCP’s architecture, workflow, and security model, see the Ping Identity MCP documentation.
The DaVinci MCP Server
Today we are introducing the DaVinci MCP Server, an open-source MCP server that gives MCP-compatible AI assistants secure, structured access to your DaVinci environment.
This is our first step toward making DaVinci context available to AI. The current release focuses entirely on read access; exploration, inspection, validation, and execution monitoring. The goal for this first release is to help teams understand their DaVinci environments faster, and then gradually move towards automating changes to DaVinci resources.
The MCP server includes tools organized into two collections:
-
davinci_admin: Core administrative tools for exploring your environment:
- List and inspect flows, flow versions, and full flow definitions including node graphs
- List applications and application flow policies
- Discover available connectors and deployed connector instances
- Get details on variables and forms
-
davinci_flow_troubleshooting: Specialized tools for validation and debugging flow configurations and troubleshooting flow executions
Life After AI-Assisted Orchestration
The first time this becomes useful is not some dramatic moment where an AI agent fixes an entire identity journey by itself.
It is a moment where support agents like Silvia can directly ask, “Where are users failing during FIDO registration?” and getting a place to start instead of an escalation queue.
It is an architect asking, “Is this flow ready to deploy?” and seeing validation errors and warnings explained in plain language, not buried in a UI they have to navigate manually.
The exact time savings will vary by environment, flow complexity, and familiarity with DaVinci. But the difference in the starting point is consistent. With the DaVinci MCP Server, an AI assistant can surface the relevant flows, dependencies, validation results, and execution details at the start of the conversation, not at the end of a multi-hour investigation.
| Persona | Situation | Without DaVinci MCP Server | With DaVinci MCP Server |
|---|---|---|---|
| New developer / architect | Inherited an onboarding journey, needs to improve drop-off rates | Days to weeks: learn DaVinci concepts, inspect flows and identify dependencies manually. | Hours: ask the assistant to explain the flow, identify dependencies in business terms |
| Support / operations team | Production issue reported, team does not know which flow or node is responsible | Hours or days of back-and-forth between support and identity admins, starting with no context | Faster first response: provide user and approximate timelines and get details on point of failure |
| Identity architect | Review whether a flow is production-ready | Hours of manual review across the flow ecosystem, and known best practices | Minutes: the assistant validates the flow configs and highlights blockers |
| Developer | Make changes to a flow | Hours of manual inspection of the flow and its references | Minutes: the assistant generates a flow dependency summary before the developer touches anything |
| Product manager / business owner | Onboarding conversion dropped, wants to understand why | Days or weeks: Wait for technical teams to manually explain flows and correlate behavior | Hours: Get understanding of the onboarding journey in business terms and ask more focused follow-up questions |
Once teams see how much time is spent on context discovery and first-triage work, the natural next question becomes: which of these workflows can we automate? The read-only tools in this release are the foundation, but once you understand what your AI assistant can see and reason about, you start seeing which repetitive, manual, and rule-based investigation tasks are candidates for automation.
The key takeaways are:
- start with simple things,
- build confidence in how AI interacts with your DaVinci environment,
- and progressively hand off more of the first-response and review work to AI-assisted or fully automated workflows.
Getting Started
The DaVinci MCP Server runs locally on your machine. Before you begin, make sure you have:
Local Prerequisites
- Node.js v22.0.0 or higher (Download & Install)
- An MCP-compatible AI client such as Claude Code, VS Code with Cline, Cursor, Gemini CLI, or Claude Desktop
PingOne Prerequisites
- A PingOne subscription (licensed or free trial)
- DaVinci enabled on your PingOne environment (Admin Console → Environments → Services → DaVinci)
- A PingOne Worker Application configured with:
- Authorization Code + PKCE
- redirect URI
http://127.0.0.1:7474/callback - Token Endpoint Authentication Method set to None
- A PingOne user with at least DaVinci Admin Read Only role assigned
Configuration Values You’ll Need from PingOne Admin Console
| Variable | Where to find it |
|---|---|
| DAVINCI_MCP_ENVIRONMENT_ID | Settings → Environment Properties |
| AUTHORIZATION_CODE_CLIENT_ID | Applications → your Worker App → Overview |
| ROOT_DOMAIN | pingone.com (NA), pingone.eu (EU), pingone.asia/pingone.au (APAC), or your custom domain |
Add the Server to Your AI Client
For Claude Code CLI:
claude mcp add --transport stdio davinci \
--env DAVINCI_MCP_ENVIRONMENT_ID="your-environment-id" \
--env AUTHORIZATION_CODE_CLIENT_ID="your-client-id" \
--env ROOT_DOMAIN="pingone.com" \
-- npx -y @ping-identity/davinci-mcp-server startFor other clients (Claude Desktop, Cursor, VS Code Cline, Gemini CLI), add the equivalent JSON block to your MCP client configuration:
{
"mcpServers": {
"davinci": {
"command": "npx",
"args": ["-y", "@ping-identity/davinci-mcp-server", "start"],
"env": {
"DAVINCI_MCP_ENVIRONMENT_ID": "your-environment-id",
"AUTHORIZATION_CODE_CLIENT_ID": "your-client-id",
"ROOT_DOMAIN": "pingone.com"
}
}
}
}VS Code and Cursor users can also use the one-click install deeplinks in the GitHub repository. For advanced configuration, filtering which tools or collections are exposed to the AI assistant, see the full setup guide.
Security
OAuth 2.0 with PKCE Every tool call is authenticated using OAuth 2.0 Authorization Code flow with PKCE. Your password is never stored. The resulting access token is saved in your OS-native keychain, the same place your browser stores credentials.
Read-only operations The current release is entirely read-only. No flow mutations, no deployments, no configuration changes are possible through these tools. There is nothing to audit because nothing is written.
Least privilege The agent has the same permissions as your authenticated PingOne user. Use the DaVinci Admin Read Only role. Do not authenticate with an account that has write or admin-level access unless you have a specific reason and have reviewed the implications.
Trust your client Only run this server with AI clients you trust. Review agent prompts and tool calls before deploying AI-assisted workflows to production.
What to Do Next
Try it in a real scenario. Think about something you or a teammate spent too long on recently, understanding a flow, diagnosing a failure, preparing for a review. Try it again with the MCP server connected to an AI assistant.
Think about your workflows. Where does your team spend time rediscovering context? Where are the first-triage steps that are repetitive and rule-based? Those are the candidates for AI-assisted or eventually automated workflows.
Share what you find. The Ping Identity developer community is where use cases get refined. What worked, what did not, what you wish the server could do, that feedback shapes the roadmap.
Raise issues on the repository. If you hit a bug, a gap, or if you have an enhancement request open an issue. We are listening.