> ## Documentation Index
> Fetch the complete documentation index at: https://docs.altahq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How MCP authentication works with Alta

Alta's MCP server uses **OAuth 2.1** for authentication. Most MCP clients (Cursor, Claude, VS Code) handle this automatically — you just sign in when prompted.

## How it works

<Steps>
  <Step title="Discovery">
    Your MCP client discovers Alta's OAuth metadata at `/.well-known/oauth-authorization-server` and `/.well-known/oauth-protected-resource/mcp`.
  </Step>

  <Step title="Client registration">
    The client registers itself via `POST /register`. Alta returns its pre-configured client credentials.
  </Step>

  <Step title="Authorization">
    The client redirects you to Alta's consent screen. You sign in with your existing Alta account and click **Allow**.
  </Step>

  <Step title="Token exchange">
    After authorization, the client exchanges the authorization code for an access token using PKCE (Proof Key for Code Exchange).
  </Step>

  <Step title="Authenticated requests">
    The client sends MCP requests to `POST /mcp` with the access token in the `Authorization: Bearer` header.
  </Step>
</Steps>

## Account resolution

After authentication, the MCP server resolves your identity from the access token and connects to your **first accessible Alta account**. All tool calls operate within that account's data and permissions.

<Note>
  If you have access to multiple Alta accounts, the MCP server uses the first one. Multi-account selection is not currently supported via MCP.
</Note>

## Permissions

MCP tools respect the same role-based access control (RBAC) as the Alta web app. For example:

* Reading a campaign requires `Campaign.ReadCampaign` permission
* Pausing or resuming a campaign requires `Campaign.EditCampaign` permission
* Email access respects your inbox permissions

If a tool call fails with a permission error, check that your Alta user role has the required access.

## Token lifecycle

* Access tokens are JWTs issued by Alta's identity provider
* Tokens are validated on every request using the provider's public key set (JWKS)
* Token refresh is handled automatically by your MCP client
* You can revoke access via the `/revoke` endpoint (handled by your client on disconnect)

## Supported clients

Alta's MCP server includes pre-configured redirect URIs for:

| Client | Redirect URI                                   |
| ------ | ---------------------------------------------- |
| Claude | `https://claude.ai/api/mcp/auth_callback`      |
| Cursor | `cursor://anysphere.cursor-mcp/oauth/callback` |

Other MCP clients that support OAuth 2.1 with PKCE should work out of the box via dynamic client registration.
