Authentication
Altertable's MCP server uses streamable HTTP for transport and OAuth 2.0 for authentication and authorization.
Endpoint
The public MCP endpoint is:
https://mcp.altertable.ai/v1
This is the endpoint MCP clients connect to for initialization, tool discovery, and tool execution. For a higher-level setup guide, see Connecting Clients.
Transport Model
Altertable mounts its MCP server over HTTP using the streamable HTTP transport.
In practice this means:
- MCP clients connect to a hosted URL instead of launching a local subprocess
- initialization happens over HTTP
- subsequent MCP method calls continue over the same hosted server interface
- bearer tokens are used for authenticated tool calls
The initial MCP handshake can happen before a token is present. Authenticated operations, such as tool listing and tool execution, require OAuth-backed bearer tokens.
OAuth Discovery
Altertable exposes OAuth metadata so compatible clients can discover the authorization flow automatically.
The implementation supports the common MCP authorization patterns:
- authorization server discovery
- protected resource metadata
- dynamic client registration
For most users, this discovery is automatic. You usually do not need to paste extra OAuth URLs into your client.
When a client attempts an authenticated MCP method without a valid token, Altertable may respond with a standard WWW-Authenticate: Bearer ... challenge that points the client toward the protected resource metadata. Clients can then continue discovery from the challenge or from the well-known metadata endpoints below.
Discovery Endpoints
In production, the relevant discovery endpoints are:
Purpose | URL |
|---|---|
MCP server endpoint | https://mcp.altertable.ai/v1 |
Protected resource metadata | https://mcp.altertable.ai/.well-known/oauth-protected-resource |
Authorization server metadata | https://app.altertable.ai/.well-known/oauth-authorization-server |
Authorization Flow
The connection flow is:
- The client connects to
https://mcp.altertable.ai/v1 - The client performs MCP initialization without needing a token first
- Altertable requires OAuth for authenticated methods
- The client discovers Altertable's OAuth metadata, either from the auth challenge or from the well-known metadata endpoints
- The user signs in to Altertable in the browser
- The user selects the organization and environment to authorize
- Altertable issues a bearer token scoped to that environment
- The client uses that token for subsequent MCP requests
Environment-Scoped Access
Access is not granted globally across an account.
During authorization, the user explicitly chooses an environment. That environment is then attached to the MCP session and used by MCP tools as their execution context.
That is why an agent can answer questions like:
- which organization this session belongs to
- which environment it's using
- which connections, events, models, and saved assets are available in that environment
Those saved assets include insights, dashboards, and memories.
Read and Write Capabilities
Altertable's MCP server supports both read and write operations.
Examples of read-oriented capabilities:
- listing connections and semantic models
- querying the lakehouse
- validating and explaining SQL
- viewing insights, dashboards, discoveries, and documentation
Examples of write-oriented capabilities:
- creating insights
- creating memories
- creating notifications
At the OAuth layer, Altertable advertises read and write scopes.
Altertable's authorization server metadata is intentionally shaped around a modern hosted OAuth flow:
issueris the Altertable app URLresponse_types_supportedadvertisescodegrant_types_supportedadvertisesauthorization_codeandclient_credentialscode_challenge_methods_supportedadvertisesS256
API Keys vs OAuth
For MCP usage, users should think in terms of OAuth authorization, not manual API key provisioning.
You do not normally need to create a separate MCP API key by hand. The MCP client can:
- discover Altertable's OAuth configuration
- register itself dynamically when needed
- redirect the user through authorization
- obtain the token it needs for MCP calls
Related Reading
- Connecting Clients: User-facing setup guide
- AI Agents: Understand the agent model behind MCP sessions
- Analytical Database: Learn more about the data layer queried by MCP tools
- MCP Official Documentation
- MCP Specification