> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.deeto.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP Server — Getting Started

> Connect Claude, ChatGPT, Cursor, or your own application to Deeto with a secure, user-approved OAuth sign-in.

Deeto connects to AI applications so they can help you work with your customer-reference and advocacy data — finding references, summarizing content, answering questions about campaigns, and more.

Connecting uses a secure sign-in and approval step (OAuth). You decide what each application is allowed to do, you sign in yourself to approve it, and you can disconnect it at any time. By default the connection is **read-only**, and access is always limited to your own account.

<Tip>
  Need programmatic, token-based access instead (for scripts, backend services, or custom integrations)? See [API Keys](/integrations/mcp-server-api-keys) — the advanced path for direct calls without a browser sign-in.
</Tip>

***

## What the AI application can access

You approve a set of permissions when you connect. There are two:

| Permission         | What it allows                                                                                                                                                                                    |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Read** (default) | Read your data — references and contacts, companies, customer content (quotes, reviews, video testimonials, case studies, transcripts), campaign analytics, prospect pipeline, and overall stats. |
| **Write**          | Create and update data — for example, add a company or a reference contact.                                                                                                                       |

<Note>
  Permissions are enforced per action. An application can only use what you granted — if a connection has Read only, create/update actions aren't available to it. Access is also limited to what your own Deeto role already allows; an application can never see or do more than you can.
</Note>

***

## The two ways to sign in

Every connection follows the same shape: point your AI application at Deeto, then sign in and approve. When you sign in, Deeto offers up to two options:

* **Continue with Deeto** — sign in with your Deeto email and password.
* **Continue with Okta** — sign in through your company's Okta (only shown if your company has Okta set up with Deeto).

And there are two kinds of connection you can use:

* **A supported application** (Claude, ChatGPT, Cursor) — Deeto already provides a shared connection; nothing to set up in Deeto first.
* **Your own / custom application** — a Deeto administrator registers it once under **Settings → OAuth clients**.

***

## Step 1: Get your connection details (URL, ID & secret)

**Using a supported application (Claude / ChatGPT / Cursor)**

Open **Settings → OAuth clients** in Deeto. Under **Deeto clients** you'll find shared, Deeto-managed connections for these applications — copy the **MCP server URL**, **Client ID**, and **Client secret** shown there.

**Registering a custom application** (admin only)

<Steps>
  <Step title="Open the custom clients screen">
    Open **Settings → OAuth clients → Clients tab → Custom clients → Add client**.
  </Step>

  <Step title="Name the client">
    Enter a **Client name** (e.g. "Claude Desktop").
  </Step>

  <Step title="Set the redirect URI">
    Enter the **Redirect URI** your application expects — for Claude this is `https://claude.ai/api/mcp/auth_callback`.
  </Step>

  <Step title="Grant permissions">
    Tick the permissions to grant (at least one), then click **Save**.
  </Step>

  <Step title="Copy your credentials">
    Copy the generated **Client ID** and **Client secret** (use the show/copy buttons). Keep the secret private.
  </Step>
</Steps>

<Note>
  Deeto MCP URL: `https://api.deeto.ai/v2/mcp`
</Note>

***

## Step 2: Add Deeto in your AI application

In your application, add Deeto as a custom connector using the Deeto MCP address and the Client ID / secret from Step 1. Example for Claude:

<Steps>
  <Step title="Open connector settings">
    In Claude, go to **Settings → Connectors → Add custom connector**.
  </Step>

  <Step title="Enter the URL">
    URL = your Deeto MCP address. Note: in Claude's form this field is literally labeled "URL" — not "Server URL" or "Endpoint."
  </Step>

  <Step title="Add credentials">
    Under **Advanced**, paste the **Client ID** and **Client secret**.
  </Step>

  <Step title="Connect">
    Click **Add**, then **Connect** — this opens the Deeto approval screen.
  </Step>
</Steps>

<Note>
  To install this connector at the **organization level** in Claude — so it's available to your whole team, not just you — you need the **Owner** role in Claude's own Organization Settings. Once an Owner has installed it org-wide, every team member connects individually from their own **Settings → Connectors** tab.
</Note>

***

## Step 3: Sign in & approve

Deeto shows an **Authorize access** screen so you stay in control:

<Steps>
  <Step title="Choose how to sign in">
    Choose **Continue with Deeto** or **Continue with Okta** (Okta only appears if your company has it configured).
  </Step>

  <Step title="Sign in">
    Sign in with your Deeto email/password, or your Okta login.
  </Step>

  <Step title="Confirm your account">
    Confirm the account you're connecting as (your company and email).
  </Step>

  <Step title="Choose permissions">
    Under "Choose what to allow the application to do," tick the permissions to grant (Read and/or Write).
  </Step>

  <Step title="Approve">
    Click **Approve** to connect (or **Deny** to cancel). You're returned to your application, now connected.
  </Step>
</Steps>

<Note>
  At least one permission must be selected. You can grant fewer permissions than the application requested.
</Note>

***

## Setting up Okta sign-in (OIDC)

This is a one-time setup so your team can approve connections using your company's Okta instead of a Deeto password. It has two parts.

**Part 1 — In Okta** (your Okta admin)

<Steps>
  <Step title="Create the app integration">
    Okta Admin → **Applications** → **Create App Integration** → **OIDC – OpenID Connect** → **Web Application**.
  </Step>

  <Step title="Enable grant types">
    Grant types: enable **Authorization Code** and **Refresh Token**.
  </Step>

  <Step title="Add the redirect URI">
    Add the **Sign-in redirect URI** for your environment (must match exactly — see the reference box below).
  </Step>

  <Step title="Set client credentials">
    Under **Client Credentials**, set **Client authentication = Client secret** and enable **Require PKCE** as additional verification.
  </Step>

  <Step title="Assign users">
    Assign your test/real users to the app.
  </Step>

  <Step title="Note your credentials">
    Note the **Client ID**, **Client secret**, and your **Issuer** (your Okta org URL, e.g. `https://your-org.okta.com`). Scopes: `openid profile email`.
  </Step>
</Steps>

<Note>
  **Okta sign-in redirect URI:** `https://api.deeto.ai/oauth/okta/callback`

  It must match character-for-character and PKCE must be ON, or Okta returns `400 invalid_request`.
</Note>

**Part 2 — In Deeto** (Deeto team)

Your Deeto team enters the details from Part 1 against your company (Issuer, Client ID, Client secret, scopes `openid profile email`). Once saved, the **Continue with Okta** button appears on the approval screen for your connections.

<Warning>
  **Important:** Okta doesn't create Deeto accounts. The Okta user's email must already match an active Deeto user in your company — otherwise sign-in is rejected with "No Deeto user matches this Okta identity."
</Warning>

***

## Managing & disconnecting

Everything is managed under **Settings → OAuth clients**:

* **Clients tab** — view your custom clients and Deeto's shared clients. Edit a custom client's name or address, or Revoke it.
* **Active connections tab** — see every application currently connected, how it signed in (via Deeto or via Okta), which permissions it has, and since when. Click **Revoke** to cut off access immediately.

***

## If something goes wrong

* **You clicked Deny** — you're returned to your application with no connection made.
* **"No Deeto user matches this Okta identity"** — the Okta user's email isn't an active Deeto user in your company. Add/activate that user first.
* **Account lacks permissions** — connecting requires a vendor account; personal/other accounts see a message to contact your administrator.
* **Connection expired** — reconnect from your application; approvals refresh automatically while in use.
* **Okta error** — the sign-in error is shown as a message on the approval screen; you can retry or use Continue with Deeto.
* **Org-level Claude connector option missing / install fails** — confirm the person setting it up has **Owner** (not Admin) in Claude's Organization Settings.

***

## Security & privacy at a glance

* **You approve every connection.** No application connects without a signed-in Deeto user approving it.
* **Read-only by default.** Creating or changing data requires the separate Write permission.
* **Scoped to you.** A connection reaches only your company's data, and only what your Deeto role allows.
* **Works with your SSO.** Sign in through Okta when your company uses it; no new passwords, no auto-created accounts.
* **Revocable & expiring.** Cut off any connection instantly from Active connections; approvals expire and refresh automatically.

***

## Next steps

<CardGroup cols={2}>
  <Card title="API Keys (Advanced)" icon="key" href="/integrations/mcp-server-api-keys">
    Prefer token-based, programmatic access? Generate an API key instead of using OAuth.
  </Card>

  <Card title="Tools Reference" icon="wrench" href="/integrations/mcp-server-tools">
    Complete reference for all tools, parameters, filters, and response shapes.
  </Card>

  <Card title="Examples" icon="code" href="/integrations/mcp-server-examples">
    Real-world usage patterns for common queries and workflows.
  </Card>

  <Card title="Security" icon="lock" href="/integrations/mcp-server-security">
    Compliance certifications, architecture, key management, and data handling.
  </Card>
</CardGroup>
