App Integration
Client APIs + SDKs
CLI
MCP Server

Oso MCP Server (Beta)

Integrate your local LLM setup with Oso Cloud APIs via our MCP server.

Use our tools to:

  • develop a better understanding of your policy
  • use natural language to ask authorization-related questions
  • debug why an authorization decision does not match what you expect

Connect

Claude Desktop

Don't have the CLI installed or don't want to manually add the configuration? No worries - download the following DXT file and double-click to automatically install the Oso MCP Server into Claude Desktop (opens in a new tab) or other AI clients that accept DXTs (opens in a new tab).


curl -O https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt

Verify the SHA256 checksum:

MacOS:


curl -sL https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt.sha256 | shasum -a 256 -c

Linux:


curl -sL https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt.sha256 | sha256sum -c

You may also specify the CLI version (DXT releases for each CLI version):


curl -O https://d2nl1ljmg8n1q8.cloudfront.net/0.33.2/oso-cloud-mcp.dxt

Note: There are no DXT versions <0.33.0

‼️

The following installation methods assume you have already installed and set up the CLI (version >=0.33.0).

Cursor

Install MCP Server

Manual

In your LLM client of choice, add the following to your MCP config file to run it against a local dev server:


{
"mcpServers": {
"oso": {
"command": "oso-cloud",
"args": ["experimental", "mcp"],
"env": {
"OSO_URL": "http://localhost:8080",
"OSO_AUTH": "e_0123456789_12345_osotesttoken01xiIn"
}
}
}
}

  • You may optionally omit the OSO_URL environment variable or set it to https://cloud.osohq.com if you want to run it against a live production server.
  • The provided OSO_AUTH token is for the local dev server. You can obtain your live server OSO_AUTH token from the Oso Cloud UI (opens in a new tab).

Where can I find my MCP config file?

Here are guides for some common clients:

Usage

⚠️

This server is primarily intended for use with dev servers to aid in development. Please use extra caution when using against a live environment.

Once you have your MCP server up and running, you can ask your LLM any authorization-related questions and watch it use the tools available. Currently, we expose read tools to:

  • Get your policy
  • Get all facts
  • Run an authorize query
  • Query your facts with pattern matching
  • Run policy tests

We also expose the following write tools, restricted for use only with local dev servers:

  • Update your policy
  • Add facts
  • Delete facts
  • Clear all data

Try sending any of the following messages:

  • Draw a mermaid diagram of my authorization policy
  • What permissions does <actor> have on <resource>?
    • e.g. "What permissions does Alice have on Project XYZ?"
  • Why doesn't <actor> have permission to <action> <resource>?

Feedback

We are actively iterating on developer experience and would appreciate all feedback on the Oso MCP Server and the broader development experience with Oso Cloud. Please do not hesitate to reach out on Slack (opens in a new tab)!

Windows