MCP (Model Context Protocol)
Connect AI assistants to AUDIGYD via the built-in MCP server: tools, scopes, authentication, and audit logging.
MCP (Model Context Protocol)
AUDIGYD ships an [MCP](https://modelcontextprotocol.io) server so AI assistants — Claude Desktop, Cursor, in-house copilots — can read your compliance data through a standard protocol instead of bespoke API calls.
What it exposes
The server exposes a set of tools scoped to one tenant. There are no resource or prompt endpoints today — every interaction goes through a tool call. All calls are read-only.
| Tool | Purpose | Required scope |
|---|---|---|
get_overview | High-level posture: assessment counts by status, open findings by severity, last 10 finalized scores | assessments:read |
list_assessments | Search assessments by status / updated-after, with limit | assessments:read |
get_assessment | Full detail for one assessment, including score breakdown and findings summary | assessments:read |
get_assessment_responses | Per-question responses for one assessment, filterable by domain or pass/fail | assessments:read |
list_findings | Filter findings by severity, status, or assessment | findings:read |
get_score_trend | Chronological score history across finalized assessments | assessments:read |
list_reports | Finalized assessment reports with metadata | assessments:read |
The server identifies itself as audigyd version 1.0.0 and advertises tool capability only.
Authentication & scopes
The MCP transport is SSE at /mcp-server/sse. Every connection authenticates with an API key:
- •Header:
Authorization: Bearer - •Query parameter:
?api_key=(use only when the client cannot set headers)
API keys are minted per tenant and carry a list of scopes. Valid scopes are:
- •
assessments:read - •
findings:read - •
reports:read - •
templates:read - •
webhooks:write
When a tool runs, the server checks the key's scopes and returns an error like "Missing required scope: findings:read" if the scope is absent.
Creating an API key
settings:manage_settings permission — Owner by default)aug_live_ and are only shown once.You can revoke a key at any time from the same page; revocation takes effect immediately.
Connecting a client
Use any MCP-compatible client. For Claude Desktop, add an entry to claude_desktop_config.json:
{
"mcpServers": {
"audigyd": {
"transport": "sse",
"url": "https://audigyd.com/mcp-server/sse",
"headers": { "Authorization": "Bearer aug_live_..." }
}
}
}
For clients that don't support custom headers, append ?api_key=aug_live_... to the URL.
Tenant scoping
An API key is bound to one tenant. Every tool call is automatically filtered to that tenant — there is no way for an MCP session to read data from a different workspace.
Roles & MCP-initiated actions
Today the MCP server enforces access through API-key scopes: every tool checks the key's scope list and refuses the call if the required scope is missing. All current tools are read-only, so there is no path that mutates data. For mutating operations, use the REST API with the same API key where applicable.
When MCP write tools are added in a future release, the plan is to layer the same workspace role-based permission checks the web UI uses on top of scope checks — but that role-based enforcement is not part of the current MCP surface, since no MCP tool currently writes data.
Audit logging
Every MCP event is recorded in the tenant audit log:
- •
mcp_connected— a new SSE session opens - •
mcp_disconnected— a session closes - •
mcp_tool_call— a tool is invoked (with the tool name)
Browse audit logs from Activity Log in the tenant sidebar to monitor MCP usage.
Tips
- •Grant the smallest scope set that lets the assistant do its job.
assessments:readalone is enough for most "show me my posture" use cases. - •Rotate API keys when the team or assistant deployment changes.
- •If an assistant returns "Missing required scope: ...", edit the key (or create a new one) with the listed scope rather than granting blanket access.