MCP server
The Model Context Protocol (MCP) server lets any compatible AI tool — Claude, Cursor, VS Code agents, custom clients — read your Aleta portfolios, holdings, and analytics in natural-language sessions. Authorization is per-user, read-only, and managed from /settings/connections.
Aleta's MCP server follows the authenticated remote MCP spec, so the server is centrally hosted. Clients with native remote-MCP support connect directly; older clients use the mcp-remote shim.
General
Aleta's MCP server supports Streamable HTTP transport with OAuth 2.1 and dynamic client registration:
MCP server URL
https://app.aleta.io/mcp
For setup in specific clients, read on.
Claude
Claude Desktop and claude.ai
Open Settings → Connectors and add a custom connector pointing at https://app.aleta.io/mcp. The OAuth window opens automatically on first use; sign in with the same email you use for app.aleta.io.
Claude Code
claude mcp add --transport http aleta https://app.aleta.io/mcp
Then run /mcp inside a Claude Code session to step through the OAuth flow.
Cursor
Open Cursor Settings (⌘⇧J / Ctrl+Shift+J) → MCP → Add new global MCP server, and add this entry to your mcp.json:
{
  "mcpServers": {
    "aleta": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://app.aleta.io/mcp"]
    }
  }
}
Save and restart Cursor. The first time the agent calls Aleta, a browser window opens for OAuth sign-in.
Codex
The setup is the same whether you use the Codex CLI or the IDE extension — they share configuration.
codex mcp add aleta --url https://app.aleta.io/mcp
Codex prompts you to sign in. If this is the first MCP server you've added to Codex, enable the rmcp feature in ~/.codex/config.toml:
[features]
experimental_use_rmcp_client = true
Visual Studio Code
Open the VS Code Command Palette (Ctrl+Shift+P / ⌘⇧P), search for MCP: Add Server, and pick Command (stdio). When prompted, enter:
npx -y mcp-remote https://app.aleta.io/mcp
Name the server Aleta, then activate via MCP: List Servers → Aleta → Start Server.
The OAuth window opens automatically on first activation.
Windsurf
Open Windsurf Settings (⌘, / Ctrl+,) and scroll to Cascade → MCP servers. Click Add custom server and paste:
{
  "mcpServers": {
    "aleta": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://app.aleta.io/mcp"]
    }
  }
}
Zed
Open Zed Settings (⌘,) and add an entry under context_servers:
{
  "context_servers": {
    "aleta": {
      "source": "custom",
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://app.aleta.io/mcp"],
      "env": {}
    }
  }
}
Other clients
Most other MCP-capable tools accept a stdio-style entry that proxies via mcp-remote. Use:
- Command: npx
- Arguments: -y mcp-remote https://app.aleta.io/mcp
- Environment: None
If your client supports native remote MCP, point it directly at https://app.aleta.io/mcp and skip mcp-remote.
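The stdio entries above all launch mcp-remote through npx with the Aleta URL as an argument, and npx -y installs the package without prompting. As an added example (not Aleta's code), this Python check audits a client config for the aleta entry: it confirms the endpoint is exactly https://app.aleta.io/mcp, flags a bare mcp-remote with no version, and flags a non-empty env. The function name, the sample configs, and the example.net and proxy.example hosts are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

EXPECTED_HOST, EXPECTED_PATH = "app.aleta.io", "/mcp"  # endpoint from this page

def audit_mcp_config(text):
    """Return findings for the 'aleta' entry in one MCP client config file."""
    config = json.loads(text)
    findings = []
    # Cursor and Windsurf keep servers under "mcpServers"; Zed under "context_servers".
    for section in ("mcpServers", "context_servers"):
        for name, entry in config.get(section, {}).items():
            if name.lower() != "aleta":
                continue
            args = entry.get("args", [])
            urls = [a for a in args if "://" in a]
            if not urls:
                findings.append("no server URL in args")
            for url in urls:
                parts = urlsplit(url)
                if parts.scheme != "https":
                    findings.append(f"endpoint is not HTTPS: {url}")
                # Compare netloc (not hostname) so userinfo or a port is a mismatch too.
                if parts.netloc != EXPECTED_HOST or parts.path != EXPECTED_PATH:
                    findings.append(f"endpoint is not {EXPECTED_HOST}{EXPECTED_PATH}: {url}")
            # A bare "mcp-remote" lets npx -y install whichever version the registry
            # resolves; "mcp-remote@<version>" fixes the version that runs.
            if "mcp-remote" in args:
                findings.append("mcp-remote is not pinned to a version")
            if entry.get("env"):
                findings.append("env is set; review it (the page lists no environment)")
    return findings

# Constructed sample inputs: the entry as shown on this page, and an altered one.
PAGE_CONFIG = '{"mcpServers": {"aleta": {"command": "npx", "args": ["-y", "mcp-remote", "https://app.aleta.io/mcp"]}}}'
SUSPECT_CONFIG = '''{"context_servers": {"aleta": {"source": "custom", "command": "npx",
  "args": ["-y", "mcp-remote@<version>", "http://app.aleta.io.example.net/mcp"],
  "env": {"HTTPS_PROXY": "http://proxy.example:8080"}}}}'''

if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("suspect", SUSPECT_CONFIG)):
        print(label, audit_mcp_config(text))
```

The entry exactly as shown on this page yields only the unpinned-package finding; replace the <version> placeholder with a release you have reviewed.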
What Aleta exposes
All access is read-only and scoped to the signed-in user's lens grants. The connected client can never see more than the user can see by logging into app.aleta.io directly.
- Portfolios: Portfolios, entities, accounts, and the firm tree.
- Holdings: Daily snapshots and lot-level detail.
- Analytics: NAV, TWR, IRR, exposure, risk metrics — the full Fabric measure catalog. See the analytics contracts for the available measure ids.
- Transactions: Read-only access to settled and unsettled transactions.
- Limits: Active limit checks and recent breaches.
The MCP server does not expose write operations, audit logs, other users' data, or anything outside the user's lens scope.
Revoking access
Open app.aleta.io/settings/connections, find the client in the MCP apps list, and click Revoke. The next call from the client returns 401 and the agent prompts to re-authorize. Revocation takes effect immediately — there is no offline cache.
FAQ
- The OAuth window says 'not configured'
  Your tenant administrator hasn't enabled the Microsoft connector yet. Ask them to set the MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET environment variables on the Aleta deployment.
- Numbers don't match the dashboard
  The MCP server inherits your lens scope. If your client sees fewer portfolios than you expect, your lens grants are narrower than the dashboard view. Contact your tenant administrator.
- 'mcp-remote' fails with EACCES / network error
  npx -y needs network access on first invocation. Behind a corporate proxy, set npm config set proxy <url> or install globally with npm install -g mcp-remote and replace the npx command in your config.
- The client reports 'unauthorized' after working previously
  The token has expired or been revoked. Re-trigger OAuth by re-adding the connector or running the client's "Sign in" command.
- Can I authenticate with an API key instead of OAuth?
  Planned. The MCP server will accept Authorization: Bearer <token> headers in addition to the interactive OAuth flow — useful for headless integrations and restricted API keys. Track the rollout for availability.
Building your own client
Any client that speaks MCP 1.0 over Streamable HTTP can connect — we don't gate on specific apps. For protocol details, see the MCP specification. For the data shape the server returns, see the Aleta API reference.