Oso Cloud MCP Server

Coding agents are everywhere. See what yours are doing →

Local Development

Oso MCP Server

Use the MCP Server to:

• develop a better understanding of your policy
• use natural language to ask authorization-related questions
• debug why an authorization decision does not match what you expect

This guide assumes you have already installed and set up the CLI.

​

Connect

​

Claude Desktop (DXT)

Don’t have the CLI installed or don’t want to manually add the configuration? No worries - download the following DXT file and double-click to automatically install the Oso MCP Server into Claude Desktop or other AI clients that accept DXTs.

curl -O https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt

Verify the SHA256 checksum: MacOS:

curl -sL https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt.sha256 | shasum -a 256 -c

Linux:

curl -sL https://d2nl1ljmg8n1q8.cloudfront.net/latest/oso-cloud-mcp.dxt.sha256 | sha256sum -c

You may also specify the DXT version:

curl -O https://d2nl1ljmg8n1q8.cloudfront.net/0.33.2/oso-cloud-mcp.dxt

Note: There are no DXT versions <0.33.0 The following installation methods assume you have already installed and set up the CLI (version >=0.33.0).

​

Cursor

​

Manual

In your LLM client of choice, add the following to your MCP config file to run it against a local dev server:

{
  "mcpServers": {
    "oso": {
      "command": "oso-cloud",
      "args": ["experimental", "mcp"],
      "env": {
        "OSO_URL": "http://localhost:8080",
        "OSO_AUTH": "e_0123456789_12345_osotesttoken01xiIn"
      }
    }
  }
}

• You may optionally omit the OSO_URL environment variable or set it to https://cloud.osohq.com if you want to run it against a live production server.
• The provided OSO_AUTH token is for the local dev server. You can obtain your live server OSO_AUTH token from the Oso Cloud UI.

​

Where can I find my MCP config file?

Here are guides for some common clients:

• Claude Desktop
• Cursor
• VS Code Copilot
• Kiro

​

Usage

This server is primarily intended for use with dev servers to aid in development. Please use extra caution when using against a live environment.

Once you have your MCP server up and running, you can ask your LLM any authorization related questions and watch it use the tools available. Currently, we expose read tools to:

• Get your policy
• Get all facts
• Run an authorize query
• Query your facts with pattern matching
• Run policy tests We also expose the following write tools, restricted for use only with local dev servers:
• Update your policy
• Add facts
• Delete facts
• Clear all data Try sending any of the following messages:
• Draw a mermaid diagram of my authorization policy
• What permissions does <actor> have on <resource>?
  • e.g. “What permissions does Alice have on Project XYZ?”
• Why doesn’t <actor> have permission to <action> <resource>?

​

Feedback

We are actively iterating on developer experience and would appreciate all feedback on the Oso MCP Server and the broader development experience with Oso Cloud. Please do not hesitate to reach out on Slack!

Was this page helpful?

YesNo

Oso Migrate (Beta)

Overview of Polar Language and Syntax