ALTR MCP Server
Enables AI assistants to manage data security on the ALTR platform for Snowflake, Databricks, and OLTP databases, offering 99 tools across 10 domains including tag masking, policies, classification, and access governance.
README
ALTR MCP Server
ALTR provides tag-based data masking, access governance, and classification for Snowflake, Databricks, and OLTP databases. This MCP server enables AI assistants (Claude, Cursor, and other MCP clients) to manage data security on the ALTR platform — 99 tools across 10 domains covering database connections, tag masking, policies, classification, access management, audits, telemetry, and sidecar configuration.
New to ALTR? See the ALTR documentation for an overview of the platform, concepts, and supported data sources.
All tools return structured {success, data, error} responses and can run over stdio, SSE, or streamable-http transports.
Table of Contents
- Quick Start
- Getting Credentials
- Configuration
- Setup
- CLI
- Tools
- Data Source Support
- Troubleshooting
- Development
- License
Quick Start
-
Install from PyPI:
pip install altr-mcpOr run directly with uvx (no install required):
uvx altr-mcpuvxis part of the uv Python package manager. Install it withpip install uvor see the uv installation guide. -
Set the three required environment variables (see Getting Credentials for where to find each in the ALTR console):
export ORG_ID=your-org-id export MAPI_KEY=your-api-key export MAPI_SECRET=your-api-secret -
Wire it into your AI client — see Setup for Claude Desktop, Claude Code, Cursor, VS Code, and Windsurf. The same three env vars go into the client's
envblock. -
Verify by asking your AI assistant to run a read-only tool:
- "List my ALTR databases" → calls
get_databases - "Show me the tags connected to ALTR" → calls
get_tags - "List the ALTR roles in my org" → calls
get_roles
If these return data, your setup is working.
- "List my ALTR databases" → calls
Getting Credentials
You need three values from the ALTR platform to configure this server. See Manage API keys for the full reference.
| Credential | Where to find it |
|---|---|
ORG_ID |
In the ALTR console: Settings > Preferences > Organization — copy the value from "ALTR Organization ID" |
MAPI_KEY |
In the ALTR console: Settings > Preferences > API > Add New — give it a description, then copy the key |
MAPI_SECRET |
Shown once when you create the API key above — copy and store it securely |
Configuration
Set the following environment variables before starting the server:
| Variable | Required | Description |
|---|---|---|
ORG_ID |
Yes | ALTR organization ID |
MAPI_KEY |
Yes | ALTR management API key |
MAPI_SECRET |
Yes | ALTR management API secret |
MCP_TRANSPORT |
No | Transport protocol: stdio (default), sse, or streamable-http |
MCP_HOST |
No | Bind address for HTTP transports (default: 0.0.0.0) |
MCP_PORT |
No | Port for HTTP transports (default: 8000) |
RESTRICTED_TOOLS |
No | Comma-separated tool names to hide from clients |
LOG_FORMAT |
No | Log output format: console (default) or json |
LOG_LEVEL |
No | Log level (default: INFO) |
Restricting Tools
Use RESTRICTED_TOOLS to hide specific tools from MCP clients. Restricted tools are removed from the tool list and blocked if called directly.
For example, to give a team read-only access without any destructive operations:
RESTRICTED_TOOLS=delete_database,delete_policy,delete_rule,delete_tag,delete_tag_by_details,delete_classifier,delete_collection,delete_sc_repo,delete_sc_sidecar
Or in the Claude Desktop config:
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret",
"RESTRICTED_TOOLS": "delete_database,delete_policy,delete_rule,delete_tag"
}
}
}
}
This is an operator-level safety net — it prevents accidental or unwanted tool usage but is not a substitute for proper API key permissions.
Setup
Claude Desktop
Add the following to your claude_desktop_config.json (Settings > Developer > Edit Config):
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
Claude Code (CLI)
claude mcp add altr -e ORG_ID=your-org-id -e MAPI_KEY=your-api-key -e MAPI_SECRET=your-api-secret -- uvx altr-mcp
This writes the config to .mcp.json which can be committed to share with your team.
Cursor
Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (project-scoped):
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
VS Code (GitHub Copilot)
Open User Settings JSON (Ctrl+Shift+P → "Preferences: Open User Settings (JSON)") and add:
{
"mcp": {
"servers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
}
Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
Running from Local Source
To run from a local clone instead of the published PyPI package:
Claude Code:
claude mcp add altr \
-e ORG_ID=your-org-id \
-e MAPI_KEY=your-api-key \
-e MAPI_SECRET=your-api-secret \
-- uv run --directory /path/to/altr-mcp altr-mcp
Claude Desktop:
{
"mcpServers": {
"altr": {
"command": "uv",
"args": ["run", "--directory", "/path/to/altr-mcp", "altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
CLI (Optional)
This section is for building a standalone CLI binary from the MCP server. If you just want to use the server with Claude Desktop or Claude Code, skip to Tools.
A standalone CLI lets you call ALTR tools directly from the terminal without an MCP client. It's built with mcporter, an open-source tool that compiles MCP servers into native CLI binaries. See the mcporter docs for the full set of options.
Prerequisites
mcporter itself does not need to be installed separately — npx downloads and runs it on demand.
Building
From the repo root:
npx mcporter generate-cli --command "uv run --directory . altr-mcp" --name altr-cli --compile ./altr-cli
This generates a compiled binary at ./altr-cli.
Usage
Set your credentials as environment variables, then run any tool:
export ORG_ID=your-org-id
export MAPI_KEY=your-api-key
export MAPI_SECRET=your-api-secret
# List databases
./altr-cli get-databases
# Get a specific database ID
./altr-cli get-database-id --database-name "my_database"
# Create a masking policy
./altr-cli create-policy --tag "STOPLIGHT"
# Add rules (pass JSON string for complex params)
./altr-cli add-rules --policy-id "TAG#abc123" --rules '[{"masking_policy": 10001, "role": "PUBLIC", "tag_value": "red"}]'
# Search query audits
./altr-cli search-query-audits --limit 10
# JSON output
./altr-cli get-databases --output json
# See all available commands
./altr-cli --help
The CLI runs the MCP server locally via uv run and requires the repo to be present at the working directory. All environment variables from the Configuration section apply.
Tools
99 tools across 10 domains. For a full breakdown of every tool with parameters, behavior, and examples, see docs/index.md.
| Domain | Tools | What it does |
|---|---|---|
| Databases | 8 | Connect Snowflake, OLTP, and Databricks data sources. Setup per platform: Snowflake, OLTP, Databricks. |
| Roles | 1 | get_roles — list all ALTR roles (called user groups in the ALTR console). |
| Tags | 8 | Manage Snowflake tag connections to ALTR. See Snowflake tag-based access policy. |
| Policies & Rules | 7 | Create masking policies and per-role rules. Tag-based (Snowflake, Databricks) and column-based (Snowflake only). Masking levels 10000–10009. |
| Classification | 13 | Run automated data classification scans. Snowflake (in-house + ALTR Native + GDLP), OLTP (ALTR Native + GDLP), Databricks (GDLP only). |
| Access Management | 4 | Access management policies for Snowflake and OLTP. Databricks access control is not exposed through this server. |
| Access Requests | 6 | Submit, review, and resolve Snowflake data access requests. |
| Audits | 6 | Search sidecar, Snowflake query, and platform system audits. |
| Telemetry | 9 | Monitor ALTR sidecar proxy agent and sidecar instance health. |
| Sidecar Configuration | 37 | Configure the ALTR sidecar proxy — agents, repos, repo users, service users, sidecars, listeners, and bindings. |
Critical callouts
A few things are easy to miss and worth surfacing here:
Snowflake tags vs Databricks tags. A Snowflake tag is a first-class ALTR object — you register it with connect_tag, it gets a tag_group_id, and shows up in get_tags, get_tag_details*, update_tag, and delete_tag*. A Databricks tag is the opposite: not an ALTR object at all, just a raw string you pass into create_policy (with policy_type="PUSHDOWN" and database_ids=[…]). Databricks tags never appear in get_tags and do not have a tag_group_id. None of the Tags tools apply to Databricks.
Databricks create_policy requirements. When creating a masking policy for a Databricks metastore, you must pass database_ids as a list — even for a single database (e.g. database_ids=[2167]) — and set policy_type="PUSHDOWN". Omitting database_ids or using policy_type="TAG" will be rejected by the API. Snowflake policies do the opposite: omit database_ids and let policy_type default to TAG.
Data Source Support
Platform setup guides on the ALTR docs site:
- Snowflake
- OLTP databases (PostgreSQL, MySQL, Oracle, SQL Server)
- Databricks
| Feature | Snowflake | OLTP (via sidecar) | Databricks |
|---|---|---|---|
| Database connections | ✅ | — | ✅ |
| Masking policies | ✅ | ❌ | ✅ |
| Classification | ✅ | ✅ | ⚠️ Partial |
| Access management policies | ✅ | ✅ | ❌ |
| Access requests | ✅ | ❌ | ❌ |
| Query audit logging | ✅ | ✅ | ❌ |
| System audit logging | ✅ | ✅ | ❌ |
| Sidecar configuration | — | ✅ | — |
| Telemetry & monitoring | — | ✅ | — |
Legend: ✅ Supported ⚠️ Partial ❌ Not supported — Not applicable
Classification mode coverage:
| Mode | Snowflake | OLTP | Databricks |
|---|---|---|---|
| In-house (ALTR pattern matching) | ✅ | ❌ | ❌ |
| ALTR Native classifiers | ✅ | ✅ | ❌ |
| GDLP (Google Cloud DLP) | ✅ | ✅ | ✅ |
Databricks classification — Partial: GDLP only via create_databricks_job; no in-house or ALTR Native classifiers, no classifier or collection selection.
Access management policies (Databricks): This MCP server does not currently expose Databricks grant or access management APIs. For Databricks access control, use the Databricks UI or REST API directly.
OLTP refers to relational databases (PostgreSQL, MySQL, Oracle, SQL Server) accessed through a customer-managed ALTR sidecar proxy.
Troubleshooting
uvx: command not found
Install uv: pip install uv or via the official installer.
Server not appearing in your AI client
Restart your AI client after editing the config file — changes are not picked up automatically.
ERROR: Missing required environment variables
Verify ORG_ID, MAPI_KEY, and MAPI_SECRET are set in the env block of your client config. Variable names are case-sensitive.
Tools returning {"success": false, ...}
| HTTP status | Likely cause | Fix |
|---|---|---|
401 |
Invalid credentials | Verify MAPI_KEY / MAPI_SECRET in the ALTR console under Settings > Preferences > API |
403 |
Feature not enabled for this organization | The endpoint exists but is gated by an ALTR feature flag your org doesn't have turned on. Contact ALTR support to confirm the feature is enabled for your account. |
404 |
Resource not found | Confirm the ID exists in your organization |
429 |
Rate limited | The server retries automatically up to 3× with backoff; if persistent, reduce request frequency |
A tool is missing from the tool list
Check whether the tool name appears in the RESTRICTED_TOOLS env var in your client config. Restricted tools are hidden from the tool list entirely.
Timeouts on large result sets
Use pagination parameters (limit, offset, or cursor) available on audit, telemetry, and classification tools to reduce response size.
Development
Running Tests
# Install dependencies
uv sync --extra dev
# Run all tests
uv run pytest
# Run with verbose output
uv run pytest -v
# Run a specific test file
uv run pytest tests/integration/test_database.py
# Run a specific test
uv run pytest tests/integration/test_database.py::test_create_database_with_service_user
# Run with coverage report (terminal)
uv run pytest --cov=altr_mcp --cov-report=term-missing
# Run with coverage and generate an HTML report at htmlcov/index.html
uv run pytest --cov=altr_mcp --cov-report=html
Project Structure
altr_mcp/
server.py # MCP server entrypoint and tool registration
settings.py # Pydantic settings (env vars)
instructions.md # System prompt for LLM tool guidance
tools/ # Tool definitions (one file per domain)
utils/ # API client functions (one file per API)
tests/
unit/ # Unit tests (settings, models, annotations)
integration/ # Integration tests (httpx mocks per domain)
Learn More
Platform setup
- ALTR documentation home
- Snowflake data source
- OLTP data source
- Databricks data source
- Manage API keys
Data access controls
- Tag-based access policy — Snowflake
- Tag-based access policy — Databricks
- Column-based access policy — Snowflake
- Masking policies (10000–10009 types)
- Access management policy — Snowflake
- Access management policy — OLTP
- Manage access requests
Discovery and observability
Protocol
License
GNU General Public License v3.0 or later. See LICENSE.md for the full text.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.