Skip to main content
Deeto connects to AI applications so they can help you work with your customer-reference and advocacy data — finding references, summarizing content, answering questions about campaigns, and more. Connecting uses a secure sign-in and approval step (OAuth). You decide what each application is allowed to do, you sign in yourself to approve it, and you can disconnect it at any time. By default the connection is read-only, and access is always limited to your own account.
Need programmatic, token-based access instead (for scripts, backend services, or custom integrations)? See API Keys — the advanced path for direct calls without a browser sign-in.

What the AI application can access

You approve a set of permissions when you connect. There are two:
Permissions are enforced per action. An application can only use what you granted — if a connection has Read only, create/update actions aren’t available to it. Access is also limited to what your own Deeto role already allows; an application can never see or do more than you can.

The two ways to sign in

Every connection follows the same shape: point your AI application at Deeto, then sign in and approve. When you sign in, Deeto offers up to two options:
  • Continue with Deeto — sign in with your Deeto email and password.
  • Continue with Okta — sign in through your company’s Okta (only shown if your company has Okta set up with Deeto).
And there are two kinds of connection you can use:
  • A supported application (Claude, ChatGPT, Cursor) — Deeto already provides a shared connection; nothing to set up in Deeto first.
  • Your own / custom application — a Deeto administrator registers it once under Settings → OAuth clients.

Step 1: Get your connection details (URL, ID & secret)

Using a supported application (Claude / ChatGPT / Cursor) Open Settings → OAuth clients in Deeto. Under Deeto clients you’ll find shared, Deeto-managed connections for these applications — copy the MCP server URL, Client ID, and Client secret shown there. Registering a custom application (admin only)
1

Open the custom clients screen

Open Settings → OAuth clients → Clients tab → Custom clients → Add client.
2

Name the client

Enter a Client name (e.g. “Claude Desktop”).
3

Set the redirect URI

Enter the Redirect URI your application expects — for Claude this is https://claude.ai/api/mcp/auth_callback.
4

Grant permissions

Tick the permissions to grant (at least one), then click Save.
5

Copy your credentials

Copy the generated Client ID and Client secret (use the show/copy buttons). Keep the secret private.
Deeto MCP URL: https://api.deeto.ai/v2/mcp

Step 2: Add Deeto in your AI application

In your application, add Deeto as a custom connector using the Deeto MCP address and the Client ID / secret from Step 1. Example for Claude:
1

Open connector settings

In Claude, go to Settings → Connectors → Add custom connector.
2

Enter the URL

URL = your Deeto MCP address. Note: in Claude’s form this field is literally labeled “URL” — not “Server URL” or “Endpoint.”
3

Add credentials

Under Advanced, paste the Client ID and Client secret.
4

Connect

Click Add, then Connect — this opens the Deeto approval screen.
To install this connector at the organization level in Claude — so it’s available to your whole team, not just you — you need the Owner role in Claude’s own Organization Settings. Once an Owner has installed it org-wide, every team member connects individually from their own Settings → Connectors tab.

Step 3: Sign in & approve

Deeto shows an Authorize access screen so you stay in control:
1

Choose how to sign in

Choose Continue with Deeto or Continue with Okta (Okta only appears if your company has it configured).
2

Sign in

Sign in with your Deeto email/password, or your Okta login.
3

Confirm your account

Confirm the account you’re connecting as (your company and email).
4

Choose permissions

Under “Choose what to allow the application to do,” tick the permissions to grant (Read and/or Write).
5

Approve

Click Approve to connect (or Deny to cancel). You’re returned to your application, now connected.
At least one permission must be selected. You can grant fewer permissions than the application requested.

Setting up Okta sign-in (OIDC)

This is a one-time setup so your team can approve connections using your company’s Okta instead of a Deeto password. It has two parts. Part 1 — In Okta (your Okta admin)
1

Create the app integration

Okta Admin → ApplicationsCreate App IntegrationOIDC – OpenID ConnectWeb Application.
2

Enable grant types

Grant types: enable Authorization Code and Refresh Token.
3

Add the redirect URI

Add the Sign-in redirect URI for your environment (must match exactly — see the reference box below).
4

Set client credentials

Under Client Credentials, set Client authentication = Client secret and enable Require PKCE as additional verification.
5

Assign users

Assign your test/real users to the app.
6

Note your credentials

Note the Client ID, Client secret, and your Issuer (your Okta org URL, e.g. https://your-org.okta.com). Scopes: openid profile email.
Okta sign-in redirect URI: https://api.deeto.ai/oauth/okta/callbackIt must match character-for-character and PKCE must be ON, or Okta returns 400 invalid_request.
Part 2 — In Deeto (Deeto team) Your Deeto team enters the details from Part 1 against your company (Issuer, Client ID, Client secret, scopes openid profile email). Once saved, the Continue with Okta button appears on the approval screen for your connections.
Important: Okta doesn’t create Deeto accounts. The Okta user’s email must already match an active Deeto user in your company — otherwise sign-in is rejected with “No Deeto user matches this Okta identity.”

Managing & disconnecting

Everything is managed under Settings → OAuth clients:
  • Clients tab — view your custom clients and Deeto’s shared clients. Edit a custom client’s name or address, or Revoke it.
  • Active connections tab — see every application currently connected, how it signed in (via Deeto or via Okta), which permissions it has, and since when. Click Revoke to cut off access immediately.

If something goes wrong

  • You clicked Deny — you’re returned to your application with no connection made.
  • “No Deeto user matches this Okta identity” — the Okta user’s email isn’t an active Deeto user in your company. Add/activate that user first.
  • Account lacks permissions — connecting requires a vendor account; personal/other accounts see a message to contact your administrator.
  • Connection expired — reconnect from your application; approvals refresh automatically while in use.
  • Okta error — the sign-in error is shown as a message on the approval screen; you can retry or use Continue with Deeto.
  • Org-level Claude connector option missing / install fails — confirm the person setting it up has Owner (not Admin) in Claude’s Organization Settings.

Security & privacy at a glance

  • You approve every connection. No application connects without a signed-in Deeto user approving it.
  • Read-only by default. Creating or changing data requires the separate Write permission.
  • Scoped to you. A connection reaches only your company’s data, and only what your Deeto role allows.
  • Works with your SSO. Sign in through Okta when your company uses it; no new passwords, no auto-created accounts.
  • Revocable & expiring. Cut off any connection instantly from Active connections; approvals expire and refresh automatically.

Next steps

API Keys (Advanced)

Prefer token-based, programmatic access? Generate an API key instead of using OAuth.

Tools Reference

Complete reference for all tools, parameters, filters, and response shapes.

Examples

Real-world usage patterns for common queries and workflows.

Security

Compliance certifications, architecture, key management, and data handling.