Lumos Admin MCP

This guide explains how to connect an MCP-compatible AI client to the Lumos Admin MCP server, choose the toolsets you need, and run your first admin request.

Connect to the Lumos Admin MCP Server

The Lumos Admin MCP server connects your AI client to the tools IT admins use to configure and run Lumos, using the Model Context Protocol (MCP), the open standard for letting AI tools call external services. The Admin MCP server helps you triage approvals, manage knowledge entries, audit approval policies, set up apps in the AppStore, and much more in plain language, without leaving the tool you already use.

Unlike the user server, the admin server groups its tools into toolsets that you select when you connect, so your client loads only the tools you need.

👀

Looking for help with access requests?

If you just want to search the AppStore and request access for yourself, use the Lumos User MCP Server. This page is for admins and privileged users who manage Lumos.

Before you begin

You need:

  • A Lumos account with a privileged role. The specific tools you can run depend on your Lumos permissions. For example, a Task Center action only succeeds if your role allows it, the same as in the Lumos web app.
  • An MCP-compatible client that supports remote (HTTP) MCP servers and browser-based OAuth. Supported clients include Claude Code, Claude, Codex, Gemini CLI, and OpenCode.
  • Network access to the Lumos MCP endpoint.

The admin server endpoint is:

https://api.lumos.com/mcp/admin

You select toolsets by adding a toolsets query parameter to that URL, for example https://api.lumos.com/mcp/admin?toolsets=task-center. See Choose your toolsets below.

How it works

By default, you connect over OAuth in your browser. Your client opens a Lumos sign-in page in your browser. You sign in and approve a consent screen that shows what the client can do, with the permissions grouped by toolset. Lumos then gives the client a token scoped to only the permissions you approved.

You authorize each client the first time it connects. Lumos remembers your approval, so you won't sign in or approve again unless your access is revoked or the client requests new permissions.

Choose your toolsets

The admin server groups its tools into toolsets: named bundles you select per connection, so you load only the tools you need and save context window space. To use a toolset, add a toolsets query parameter to the endpoint URL when you connect.

The toolset value you pass is the complete set of tools your client sees. It replaces the default rather than adding to it. List every toolset you want, comma-separated:

  • Retrieve only the core tools (the default when toolsets is not specified):

    https://api.lumos.com/mcp/admin
  • Retrieve only Task Center tools:

    https://api.lumos.com/mcp/admin?toolsets=task-center
  • Retrieve the default core tools plus the AppStore tools:

    https://api.lumos.com/mcp/admin?toolsets=core,appstore
  • Retrieve every toolset with the reserved all keyword:

    https://api.lumos.com/mcp/admin?toolsets=all
💡

all grows your tool list.

It sends every tool definition to your client, which uses more context window and can make tool selection less precise. It works best with clients that support tool filtering, such as Claude Code. If you only need one area, name that toolset instead.

🔒

Toolsets are not a permission boundary.

They control which tools your client can see and call, not what those tools are allowed to do. Every tool still enforces your Lumos role and the OAuth scopes you granted. Selecting the appstore toolset doesn't give you AppStore admin rights; your Lumos account still needs them.

Toolset catalog

| Toolset | What it's for | Read tools | Write tools |
|---|---|---|---|
| core (default) | Read-only starter set spanning the Task Center and Knowledge Hub | list_task_center_tasks, get_task_center_task, list_knowledge, get_knowledge | none |
| task-center | View and act on Task Center tasks across your domain | list_task_center_tasks, get_task_center_task | act_on_task_center_task |
| knowledge-hub | View and manage Knowledge Hub entries across your domain | list_knowledge, get_knowledge | create_knowledge, update_knowledge, delete_knowledge |
| appstore | View and manage AppStore approval configuration | list_apps, get_approval_config, list_assignees | update_approval_config |

The sections below describe each toolset's tools and show example prompts.

core (default)

The default toolset when you omit the toolsets parameter. It's a curated, read-only set that lets an agent look around your Task Center and Knowledge Hub without any write access. It contains list_task_center_tasks, get_task_center_task, list_knowledge, and get_knowledge, described under their respective toolsets below. To take actions, connect with the task-center, knowledge-hub, or appstore toolset.

task-center

View and act on manual tasks in the Lumos Task Center (approval, provisioning, deprovisioning, and error tasks) across your own queue or the whole domain.

| Tool | Access | Purpose |
|---|---|---|
| list_task_center_tasks | read | List manual tasks: your own queue by default, or the whole domain for admins. |
| get_task_center_task | read | Fetch one task with full context: linked access request, assignees, action history, and the actions you can take. |
| act_on_task_center_task | write | Take an action on a task: approve, deny, override, reassign, confirm/deny provisioning, confirm deprovisioning, or resolve an error task. |

Example prompts:

  • "What tasks are waiting on me in Lumos?"
  • "Show all open provisioning tasks across the company."
  • "Show me the details of task 4711: who requested what, and who can approve it?"
  • "Approve Maria's Salesforce access request."
  • "Reassign the Okta provisioning task to [email protected]."
  • "Retry error task 99, the integration is back up."

knowledge-hub

List, inspect, create, update, and archive Knowledge Hub entries for your domain.

| Tool | Access | Purpose |
|---|---|---|
| list_knowledge | read | List knowledge entries with optional title and product-scope filters. |
| get_knowledge | read | Fetch a single knowledge entry by ID. |
| create_knowledge | write | Create a new knowledge entry, optionally with a file attachment. |
| update_knowledge | write | Patch an existing entry; only the fields you supply change. |
| delete_knowledge | write | Archive (soft-delete) a knowledge entry. |

Example prompts:

  • "List our Knowledge Hub articles tagged for the AppStore."
  • "Show me the full text of the 'VPN Access Policy' knowledge entry."
  • "Create a knowledge article documenting our contractor offboarding steps."
  • "Update the 'Onboarding checklist' entry with the new IT ticket link."
  • "Archive the outdated 'Legacy VPN setup' knowledge entry."

appstore

Inspect and configure the approval workflows behind your AppStore apps: who reviews access requests and under what conditions.

| Tool | Access | Purpose |
|---|---|---|
| list_apps | read | List AppStore apps visible to you, to find an app's ID by name. |
| get_approval_config | read | Retrieve an app's approval workflow: the stages, branches, and approvers. |
| list_assignees | read | List users, groups, and custom attributes that can serve as approvers. |
| update_approval_config | write | Set or replace an app's approval template (a full replacement). |

Example prompts:

  • "Find the app ID for Notion in our AppStore."
  • "Who approves access requests for Salesforce?"
  • "Who can I set as an approver for app requests?"
  • "Set up a two-stage approval for Figma, the requester's manager, then the IT group."

Connect your client

Pick your client below. Every client uses the same endpoint, https://api.lumos.com/mcp/admin, with the toolsets you want appended as a query parameter. The examples use ?toolsets=all; swap in the toolsets you need (comma-separated), or omit the parameter for the default core set.

You can run this server and the user server at the same time; just give each a distinct name in your client (the examples use lumos-admin) so the two don't collide.

Add the server with HTTP transport:

claude mcp add --transport http lumos-admin "https://api.lumos.com/mcp/admin?toolsets=all"

Or add it as JSON:

{
  "mcpServers": {
    "lumos-admin": {
      "type": "http",
      "url": "https://api.lumos.com/mcp/admin?toolsets=all"
    }
  }
}

Authenticate and approve access

When your client connects, Lumos opens a browser-based OAuth flow.

On the consent screen, Lumos:

  • Confirms you're signed in, or asks you to sign in.
  • Shows which client is requesting access (for example, Claude).
  • Lists the permissions it's requesting, grouped by toolset.
  • Lets you approve or deny the connection.

Review the permissions and select Authorize to connect.

The admin server requests permissions per toolset, each with a read and a write scope:

| Toolset | Scope | What you'll see on the consent screen |
|---|---|---|
| Task Center | lumos:admin:task-center:read | View Task Center tasks across your domain. |
| Task Center | lumos:admin:task-center:write | Act on Task Center tasks (approve, deny, reassign) on your behalf. |
| Knowledge Hub | lumos:admin:knowledge-hub:read | View Knowledge Hub entries across your domain. |
| Knowledge Hub | lumos:admin:knowledge-hub:write | Create, update, and archive Knowledge Hub entries on your behalf. |
| AppStore | lumos:admin:appstore:read | View AppStore configurations. |
| AppStore | lumos:admin:appstore:write | Create and update AppStore configurations on your behalf. |

Lumos grants you only the scopes your role allows, so your token may end up with fewer scopes than the client requested. And a granted scope is a delegation ceiling, not a grant of authority: even with the scope, a tool only succeeds if your role permits the specific action, for example administering that particular app or being assigned to that task.

Lumos remembers your approval for the same user, client, and scopes. You'll approve again only if the client requests new scopes, your access is revoked, or the client asks for a fresh consent prompt.

Verify your tools

After you sign in, check that the Lumos admin tools appear in your client. Most clients list them in a Tools or MCP panel. Command-line clients may show them with a status or diagnostic command.

Which tools you see is the intersection of two things: the toolsets you selected and the scopes your token holds. A tool appears only when it belongs to one of your selected toolsets and your token carries its scope. Because Lumos grants a scope only when your role allows it, a write tool can stay hidden even when you've selected its toolset. This happens if your role is read-only for that area, or your client hasn't yet requested the write scope. Connect with the default core set and you'll see its four read tools. See the Toolset catalog for the full list.

Seeing a tool isn't the same as being able to run it: a listed tool can still be denied at call time if your Lumos role doesn't permit the action (see Troubleshooting).
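
The visibility rule above, together with the toolsets parameter rules, modeled as an added example (not Lumos code and not part of the original guide) that you can use to review which write tools a client configuration would expose. It assumes each tool's scope is lumos:admin:<home toolset>:<read|write> and that core tools use the scopes of their home toolsets; the function names are hypothetical, and role checks at call time are outside the model.

```python
from urllib.parse import parse_qs, urlsplit

# Transcribed from the toolset catalog on this page: toolset -> (read tools, write tools).
CATALOG = {
    "task-center": (["list_task_center_tasks", "get_task_center_task"],
                    ["act_on_task_center_task"]),
    "knowledge-hub": (["list_knowledge", "get_knowledge"],
                      ["create_knowledge", "update_knowledge", "delete_knowledge"]),
    "appstore": (["list_apps", "get_approval_config", "list_assignees"],
                 ["update_approval_config"]),
}
# core is a read-only subset of tools that live in two other toolsets.
CORE = {"list_task_center_tasks", "get_task_center_task", "list_knowledge", "get_knowledge"}
VALID = set(CATALOG) | {"core"}

def selected_toolsets(url):
    """Parse ?toolsets=; the value replaces the default (core) rather than adding to it."""
    raw = parse_qs(urlsplit(url).query).get("toolsets", ["core"])[0]
    names = raw.split(",")
    unknown = [n for n in names if n not in VALID and n != "all"]
    if unknown:  # names are lowercase kebab-case, so "ALL" or "Appstore" land here
        raise ValueError(f"unknown toolset: {unknown}")
    return set(VALID) if "all" in names else set(names)

def visible_tools(url, granted_scopes):
    """Model: a tool is listed only if its toolset is selected AND the token holds its scope."""
    chosen = selected_toolsets(url)
    visible = set()
    for toolset, (read_tools, write_tools) in CATALOG.items():
        for access, tools in (("read", read_tools), ("write", write_tools)):
            # Assumption: scope name is lumos:admin:<home toolset>:<access>.
            if f"lumos:admin:{toolset}:{access}" not in granted_scopes:
                continue
            for tool in tools:
                if toolset in chosen or ("core" in chosen and tool in CORE):
                    visible.add(tool)
    return visible

def exposed_write_tools(url, granted_scopes):
    """Review helper: write tools this connection would hand to the agent."""
    writes = {t for _, w in CATALOG.values() for t in w}
    return sorted(visible_tools(url, granted_scopes) & writes)

if __name__ == "__main__":
    scopes = {"lumos:admin:appstore:read"}  # constructed: a read-only AppStore role
    url = "https://api.lumos.com/mcp/admin?toolsets=appstore"
    print(sorted(visible_tools(url, scopes)), exposed_write_tools(url, scopes))
```
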

Run your first request

Once the tools are connected, tell your agent what you need in plain language. It picks the right admin tool, asks for anything it's missing, and walks you through the action.

What approval tasks are waiting on me in Lumos?

Troubleshooting

A tool is "not in the enabled toolset(s)"

You asked your agent to use a tool that belongs to a toolset you didn't connect with. Reconnect with that toolset added to the ?toolsets= parameter. The error names the toolset(s) that contain the tool.

You get an "unknown toolset" error

Check the spelling and casing of the toolsets value. Names are lowercase and kebab-case (for example knowledge-hub), and the all keyword must be lowercase too (all, not ALL). The error lists every valid toolset name plus all.

A write tool is missing, or a call fails with a missing-scope error

A write tool shows up only if your token holds the toolset's write scope, and Lumos grants that scope only when your Lumos role includes the matching permission. So a write tool is hidden (and a direct call is rejected with a missing-scope error) for one of two reasons:

  • Your role doesn't include that write permission. Ask an org admin to grant it, then reconnect.
  • Your client connected before it requested the write scope. Re-authorize so it requests the scope again (see Changing your toolsets or granted scopes).

Changing your toolsets or granted scopes

Both are fixed at connection time, so changing either means reconnecting:

  • Toolsets live in the server's URL. Edit the toolsets value in your client's MCP config, then restart or reload the client.
  • Scopes live in your saved authorization. A normal reconnect won't re-prompt you, because Lumos remembers your approval; you have to trigger a fresh authorization. For CLI clients, re-run the login (for example, codex mcp login lumos-admin); for other clients, remove the server from your config and add it back. Your client then re-requests scopes, and Lumos grants those your role allows.

A tool is denied even though you approved the scope

OAuth scopes are a ceiling, not a grant. The tool also checks your Lumos role. If your role doesn't permit the action (for example, acting on another team's tasks), the tool is denied even with the scope approved. Ask an org admin to adjust your role.

The client can't discover the server

Check that the MCP URL is correct and uses the /mcp/admin path (not /mcp/user or the Lumos web app URL). The ?toolsets= query parameter must be part of that same URL.

The browser login flow doesn't open

Confirm your client supports remote MCP authentication. Older clients may need an update to complete browser-based OAuth.

You're asked to sign in again

Access tokens are short-lived. If your refresh token expires or is revoked, sign in again to reconnect.