Skip to main content
Alta’s MCP server uses OAuth 2.1 for authentication. Most MCP clients (Cursor, Claude, VS Code) handle this automatically — you just sign in when prompted.

How it works

1

Discovery

Your MCP client discovers Alta’s OAuth metadata at /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource/mcp.
2

Client registration

The client registers itself via POST /register. Alta returns its pre-configured client credentials.
3

Authorization

The client redirects you to Alta’s consent screen. You sign in with your existing Alta account and click Allow.
4

Token exchange

After authorization, the client exchanges the authorization code for an access token using PKCE (Proof Key for Code Exchange).
5

Authenticated requests

The client sends MCP requests to POST /mcp with the access token in the Authorization: Bearer header.

Account resolution

After authentication, the MCP server resolves your identity from the access token and connects to your first accessible Alta account. All tool calls operate within that account’s data and permissions.
If you have access to multiple Alta accounts, the MCP server uses the first one. Multi-account selection is not currently supported via MCP.

Permissions

MCP tools respect the same role-based access control (RBAC) as the Alta web app. For example:
  • Reading a campaign requires Campaign.ReadCampaign permission
  • Pausing or resuming a campaign requires Campaign.EditCampaign permission
  • Email access respects your inbox permissions
If a tool call fails with a permission error, check that your Alta user role has the required access.

Token lifecycle

  • Access tokens are JWTs issued by Alta’s identity provider
  • Tokens are validated on every request using the provider’s public key set (JWKS)
  • Token refresh is handled automatically by your MCP client
  • You can revoke access via the /revoke endpoint (handled by your client on disconnect)

Supported clients

Alta’s MCP server includes pre-configured redirect URIs for:
ClientRedirect URI
Claudehttps://claude.ai/api/mcp/auth_callback
Cursorcursor://anysphere.cursor-mcp/oauth/callback
Other MCP clients that support OAuth 2.1 with PKCE should work out of the box via dynamic client registration.