ALTR MCP Server

ALTR provides tag-based data masking, access governance, and classification for Snowflake, Databricks, and OLTP databases. This MCP server enables AI assistants (Claude, Cursor, and other MCP clients) to manage data security on the ALTR platform — 99 tools across 10 domains covering database connections, tag masking, policies, classification, access management, audits, telemetry, and sidecar configuration.

New to ALTR? See the ALTR documentation for an overview of the platform, concepts, and supported data sources.

All tools return structured {success, data, error} responses and can run over stdio, SSE, or streamable-http transports.

Table of Contents

• Quick Start

• Getting Credentials

• Configuration

  • Restricting Tools

• Setup

  • Claude Desktop

  • Claude Code (CLI)

  • Cursor

  • VS Code (GitHub Copilot)

  • Windsurf

  • Running from Local Source

• CLI

• Tools

• Data Source Support

• Troubleshooting

• Development

• License

Quick Start

1. Install from PyPI:

   pip install altr-mcp

   Or run directly with uvx (no install required):

   uvx altr-mcp

   uvx is part of the uv Python package manager. Install it with pip install uv or see the uv installation guide.

2. Set the three required environment variables (see Getting Credentials for where to find each in the ALTR console):

   export ORG_ID=your-org-id
   export MAPI_KEY=your-api-key
   export MAPI_SECRET=your-api-secret

3. Wire it into your AI client — see Setup for Claude Desktop, Claude Code, Cursor, VS Code, and Windsurf. The same three env vars go into the client's env block.

4. Verify by asking your AI assistant to run a read-only tool:

   • "List my ALTR databases" → calls get_databases

   • "Show me the tags connected to ALTR" → calls get_tags

   • "List the ALTR roles in my org" → calls get_roles

   If these return data, your setup is working.

Getting Credentials

You need three values from the ALTR platform to configure this server. See Manage API keys for the full reference.

Configuration

Set the following environment variables before starting the server:

Restricting Tools

Use RESTRICTED_TOOLS to hide specific tools from MCP clients. Restricted tools are removed from the tool list and blocked if called directly.

For example, to give a team read-only access without any destructive operations:

RESTRICTED_TOOLS=delete_database,delete_policy,delete_rule,delete_tag,delete_tag_by_details,delete_classifier,delete_collection,delete_sc_repo,delete_sc_sidecar

Or in the Claude Desktop config:

{
  "mcpServers": {
    "altr": {
      "command": "uvx",
      "args": ["altr-mcp"],
      "env": {
        "ORG_ID": "your-org-id",
        "MAPI_KEY": "your-api-key",
        "MAPI_SECRET": "your-api-secret",
        "RESTRICTED_TOOLS": "delete_database,delete_policy,delete_rule,delete_tag"
      }
    }
  }
}

This is an operator-level safety net — it prevents accidental or unwanted tool usage but is not a substitute for proper API key permissions.

Setup

Claude Desktop

Add the following to your claude_desktop_config.json (Settings > Developer > Edit Config):

{
  "mcpServers": {
    "altr": {
      "command": "uvx",
      "args": ["altr-mcp"],
      "env": {
        "ORG_ID": "your-org-id",
        "MAPI_KEY": "your-api-key",
        "MAPI_SECRET": "your-api-secret"
      }
    }
  }
}

Claude Code (CLI)

claude mcp add altr -e ORG_ID=your-org-id -e MAPI_KEY=your-api-key -e MAPI_SECRET=your-api-secret -- uvx altr-mcp

This writes the config to .mcp.json which can be committed to share with your team.

Cursor

Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (project-scoped):

{
  "mcpServers": {
    "altr": {
      "command": "uvx",
      "args": ["altr-mcp"],
      "env": {
        "ORG_ID": "your-org-id",
        "MAPI_KEY": "your-api-key",
        "MAPI_SECRET": "your-api-secret"
      }
    }
  }
}

VS Code (GitHub Copilot)

Open User Settings JSON (Ctrl+Shift+P → "Preferences: Open User Settings (JSON)") and add:

{
  "mcp": {
    "servers": {
      "altr": {
        "command": "uvx",
        "args": ["altr-mcp"],
        "env": {
          "ORG_ID": "your-org-id",
          "MAPI_KEY": "your-api-key",
          "MAPI_SECRET": "your-api-secret"
        }
      }
    }
  }
}

Windsurf

Add to ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "altr": {
      "command": "uvx",
      "args": ["altr-mcp"],
      "env": {
        "ORG_ID": "your-org-id",
        "MAPI_KEY": "your-api-key",
        "MAPI_SECRET": "your-api-secret"
      }
    }
  }
}

Running from Local Source

To run from a local clone instead of the published PyPI package:

Claude Code:

claude mcp add altr \
  -e ORG_ID=your-org-id \
  -e MAPI_KEY=your-api-key \
  -e MAPI_SECRET=your-api-secret \
  -- uv run --directory /path/to/altr-mcp altr-mcp

Claude Desktop:

{
  "mcpServers": {
    "altr": {
      "command": "uv",
      "args": ["run", "--directory", "/path/to/altr-mcp", "altr-mcp"],
      "env": {
        "ORG_ID": "your-org-id",
        "MAPI_KEY": "your-api-key",
        "MAPI_SECRET": "your-api-secret"
      }
    }
  }
}

CLI (Optional)

This section is for building a standalone CLI binary from the MCP server. If you just want to use the server with Claude Desktop or Claude Code, skip to Tools.

A standalone CLI lets you call ALTR tools directly from the terminal without an MCP client. It's built with mcporter, an open-source tool that compiles MCP servers into native CLI binaries. See the mcporter docs for the full set of options.

Prerequisites

• uv (Python package manager)

• Node.js (for npx to fetch and run mcporter)

mcporter itself does not need to be installed separately — npx downloads and runs it on demand.

Building

From the repo root:

npx mcporter generate-cli --command "uv run --directory . altr-mcp" --name altr-cli --compile ./altr-cli

This generates a compiled binary at ./altr-cli.

Usage

Set your credentials as environment variables, then run any tool:

export ORG_ID=your-org-id
export MAPI_KEY=your-api-key
export MAPI_SECRET=your-api-secret

# List databases
./altr-cli get-databases

# Get a specific database ID
./altr-cli get-database-id --database-name "my_database"

# Create a masking policy
./altr-cli create-policy --tag "STOPLIGHT"

# Add rules (pass JSON string for complex params)
./altr-cli add-rules --policy-id "TAG#abc123" --rules '[{"masking_policy": 10001, "role": "PUBLIC", "tag_value": "red"}]'

# Search query audits
./altr-cli search-query-audits --limit 10

# JSON output
./altr-cli get-databases --output json

# See all available commands
./altr-cli --help

The CLI runs the MCP server locally via uv run and requires the repo to be present at the working directory. All environment variables from the Configuration section apply.

Tools

99 tools across 10 domains. For a full breakdown of every tool with parameters, behavior, and examples, see docs/index.md.

Critical callouts

A few things are easy to miss and worth surfacing here:

Snowflake tags vs Databricks tags. A Snowflake tag is a first-class ALTR object — you register it with connect_tag, it gets a tag_group_id, and shows up in get_tags, get_tag_details*, update_tag, and delete_tag*. A Databricks tag is the opposite: not an ALTR object at all, just a raw string you pass into create_policy (with policy_type="PUSHDOWN" and database_ids=[…]). Databricks tags never appear in get_tags and do not have a tag_group_id. None of the Tags tools apply to Databricks.

Databricks create_policy requirements. When creating a masking policy for a Databricks metastore, you must pass database_ids as a list — even for a single database (e.g. database_ids=[2167]) — and set policy_type="PUSHDOWN". Omitting database_ids or using policy_type="TAG" will be rejected by the API. Snowflake policies do the opposite: omit database_ids and let policy_type default to TAG.

Data Source Support

Platform setup guides on the ALTR docs site:

• Snowflake

• OLTP databases (PostgreSQL, MySQL, Oracle, SQL Server)

• Databricks

Legend: ✅ Supported   ⚠️ Partial   ❌ Not supported   — Not applicable

Classification mode coverage:

Databricks classification — Partial: GDLP only via create_databricks_job; no in-house or ALTR Native classifiers, no classifier or collection selection.

Access management policies (Databricks): This MCP server does not currently expose Databricks grant or access management APIs. For Databricks access control, use the Databricks UI or REST API directly.

OLTP refers to relational databases (PostgreSQL, MySQL, Oracle, SQL Server) accessed through a customer-managed ALTR sidecar proxy.

Troubleshooting

uvx: command not found

Install uv: pip install uv or via the official installer.

Server not appearing in your AI client

Restart your AI client after editing the config file — changes are not picked up automatically.

ERROR: Missing required environment variables

Verify ORG_ID, MAPI_KEY, and MAPI_SECRET are set in the env block of your client config. Variable names are case-sensitive.

Tools returning {"success": false, ...}

A tool is missing from the tool list

Check whether the tool name appears in the RESTRICTED_TOOLS env var in your client config. Restricted tools are hidden from the tool list entirely.

Timeouts on large result sets

Use pagination parameters (limit, offset, or cursor) available on audit, telemetry, and classification tools to reduce response size.

Development

Running Tests

# Install dependencies
uv sync --extra dev

# Run all tests
uv run pytest

# Run with verbose output
uv run pytest -v

# Run a specific test file
uv run pytest tests/integration/test_database.py

# Run a specific test
uv run pytest tests/integration/test_database.py::test_create_database_with_service_user

# Run with coverage report (terminal)
uv run pytest --cov=altr_mcp --cov-report=term-missing

# Run with coverage and generate an HTML report at htmlcov/index.html
uv run pytest --cov=altr_mcp --cov-report=html

Project Structure

altr_mcp/
  server.py          # MCP server entrypoint and tool registration
  settings.py        # Pydantic settings (env vars)
  instructions.md    # System prompt for LLM tool guidance
  tools/             # Tool definitions (one file per domain)
  utils/             # API client functions (one file per API)
tests/
  unit/              # Unit tests (settings, models, annotations)
  integration/       # Integration tests (httpx mocks per domain)

Learn More

Platform setup

• ALTR documentation home

• Snowflake data source

• OLTP data source

• Databricks data source

• Manage API keys

Data access controls

• Tag-based access policy — Snowflake

• Tag-based access policy — Databricks

• Column-based access policy — Snowflake

• Masking policies (10000–10009 types)

• Access management policy — Snowflake

• Access management policy — OLTP

• Manage access requests

Discovery and observability

• Data Classification

• Audit Logging

Protocol

• Model Context Protocol specification

License

GNU General Public License v3.0 or later. See LICENSE.md for the full text.