How it works
Discovery
Your MCP client discovers Alta’s OAuth metadata at /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource/mcp.
Client registration
The client registers itself via POST /register. Alta returns its pre-configured client credentials.
Authorization
The client redirects you to Alta’s consent screen. You sign in with your existing Alta account and click Allow.
Token exchange
After authorization, the client exchanges the authorization code for an access token using PKCE (Proof Key for Code Exchange).
Account resolution
After authentication, the MCP server resolves your identity from the access token and connects to your first accessible Alta account. All tool calls operate within that account’s data and permissions.
If you have access to multiple Alta accounts, the MCP server uses the first one. Multi-account selection is not currently supported via MCP.
Permissions
MCP tools respect the same role-based access control (RBAC) as the Alta web app. For example:
- Reading a campaign requires Campaign.ReadCampaign permission
- Pausing or resuming a campaign requires Campaign.EditCampaign permission
- Email access respects your inbox permissions
Token lifecycle
- Access tokens are JWTs issued by Alta’s identity provider
- Tokens are validated on every request using the provider’s public key set (JWKS)
- Token refresh is handled automatically by your MCP client
- You can revoke access via the /revoke endpoint (handled by your client on disconnect)
Supported clients
Alta’s MCP server includes pre-configured redirect URIs for:

| Client | Redirect URI |
|---|---|
| Claude | https://claude.ai/api/mcp/auth_callback |
| Cursor | cursor://anysphere.cursor-mcp/oauth/callback |