Try it out
Connect the DaVinci MCP Server to your MCP client.
Prerequisites
Before you start, make sure you have:
-
A licensed or trial PingOne subscription
-
DaVinci enabled in your environment: in the PingOne admin console, go to Environments > Your Environment > Services and ensure DaVinci is listed and active.
-
An MCP-compatible client, such as:
-
CLIs: Claude Code, Gemini CLI
-
Desktop apps: Claude Desktop
Setup
1. Create a PingOne worker application
The DaVinci MCP Server requires a worker application to authenticate with the PingOne APIs.
-
In the PingOne admin console, select the environment where DaVinci is enabled.
-
Click Applications > Applications in the left navigation menu.
-
Click + Add Application and select Worker.
-
Enter the following:
-
Name: For example,
DaVinci MCP Server. -
Description: Optional.
-
-
Click Save.
-
Enable the application using the toggle at the top right of the details panel.
-
-
On the Configuration tab, click the Edit icon and set:
-
Grant Types:
Authorization Code -
Response Type:
Code -
PKCE Enforcement:
S256_REQUIRED -
Redirect URIs:
http://127.0.0.1:7474/callback -
Token Endpoint Authentication Method:
None(Public Client)
-
-
Click Save.
-
Copy the Client ID from the Configuration tab.
You’ll need this for AUTHORIZATION_CODE_CLIENT_ID. This identifies the PingOne worker application your MCP client uses during OAuth authentication. -
Copy the Environment ID from the URL or environment settings.
You’ll need this for DAVINCI_MCP_ENVIRONMENT_ID. This is the UUID of the target PingOne environment that contains the DaVinci resources the server should access.
2. Assign a role to the authenticating user
-
In the PingOne admin console, click Directory > Users.
-
Create a new user or select an existing one.
-
Navigate to the user’s Roles tab and click Grant Roles.
-
Search for and select DaVinci Admin Read Only. Click Save.
3. Configure environment variables
The server reads the following environment variables. You can set these in your MCP client configuration:
| Variable | Description | Example |
|---|---|---|
|
The UUID of the PingOne environment that contains your DaVinci resources. The server uses this to target API requests to the correct environment. |
|
|
The client ID of your PingOne worker application. |
|
|
The regional PingOne domain. Refer to Regional and custom domain support. |
|
|
(Optional) Your custom PingOne domain. Refer to Regional and custom domain support. |
|
Install
Quick install
Use the one-click install links for the fastest setup:
When prompted for an environment ID, enter the target PingOne environment UUID, not your worker application client ID.
Manual install (NPX)
Add the following to your MCP client configuration, replacing the placeholder values with your actual credentials.
Set DAVINCI_MCP_ENVIRONMENT_ID to the UUID of the PingOne environment you want the server to query:
{
"mcpServers": {
"davinci": {
"command": "npx",
"args": ["-y", "@ping-identity/davinci-mcp-server", "start"],
"env": {
"DAVINCI_MCP_ENVIRONMENT_ID": "your-environment-id",
"AUTHORIZATION_CODE_CLIENT_ID": "your-client-id",
"ROOT_DOMAIN": "pingone.com"
}
}
}
}For client-specific configuration formats, CLI flags, and advanced examples, refer to Client configuration.
Start using the DaVinci MCP Server
-
Restart your MCP client after adding the configuration.
-
Run a read tool such as
list_flows,list_applications, orlist_connectorsto trigger authentication. Your browser opens automatically. -
Log in with the PingOne user you assigned the DaVinci Admin Read Only role.
-
After authenticating, your MCP client can interact with your DaVinci environment.
Try prompts like:
-
"List all DaVinci flows in my environment"
-
"Show me the details of the Login flow"
-
"What connectors are available?"
-
"List all DaVinci applications"