Server data from the Official MCP Registry
MCP server for ALTR data security: databases, tags, policies, classification, access, audits
MCP server for ALTR data security: databases, tags, policies, classification, access, audits
This is a well-structured MCP server for the ALTR data security platform with appropriate authentication, reasonable permissions, and clean code practices. The server requires API credentials (ORG_ID, MAPI_KEY, MAPI_SECRET) stored via environment variables, implements proper tool authorization annotations, and includes a safety mechanism for restricting sensitive operations. No critical vulnerabilities or malicious patterns were identified. Supply chain analysis found 5 known vulnerabilities in dependencies (1 critical, 2 high severity). Package verification found 1 issue.
3 files analyzed · 10 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: ORG_ID
Environment variable: MAPI_KEY
Environment variable: MAPI_SECRET
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-altrsoftware-altr-mcp-server": {
"env": {
"ORG_ID": "your-org-id-here",
"MAPI_KEY": "your-mapi-key-here",
"MAPI_SECRET": "your-mapi-secret-here"
},
"args": [
"altr-mcp"
],
"command": "uvx"
}
}
}From the project's GitHub README.
ALTR provides tag-based data masking, access governance, and classification for Snowflake, Databricks, and OLTP databases. This MCP server enables AI assistants (Claude, Cursor, and other MCP clients) to manage data security on the ALTR platform — 156 tools across 13 domains covering database connections, tag masking, policies, classification, access management, audits, telemetry, and sidecar configuration.
New to ALTR? See the ALTR documentation for an overview of the platform, concepts, and supported data sources.
All tools return structured {success, data, error} responses and can run over stdio, SSE, or streamable-http transports.
Install from PyPI:
pip install altr-mcp
Or run directly with uvx (no install required):
uvx altr-mcp
uvxis part of the uv Python package manager. Install it withpip install uvor see the uv installation guide.
Set the three required environment variables (see Getting Credentials for where to find each in the ALTR console):
export ORG_ID=your-org-id
export MAPI_KEY=your-api-key
export MAPI_SECRET=your-api-secret
Wire it into your AI client — see Setup for Claude Desktop, Claude Code, Cursor, VS Code, and Windsurf. The same three env vars go into the client's env block.
Verify by asking your AI assistant to run a read-only tool:
get_databasesget_tagsget_rolesIf these return data, your setup is working.
You need three values from the ALTR platform to configure this server. See Manage API keys for the full reference.
| Credential | Where to find it |
|---|---|
ORG_ID | In the ALTR console: Settings > Preferences > Organization — copy the value from "ALTR Organization ID" |
MAPI_KEY | In the ALTR console: Settings > Preferences > API > Add New — give it a description, then copy the key |
MAPI_SECRET | Shown once when you create the API key above — copy and store it securely |
Set the following environment variables before starting the server:
| Variable | Required | Description |
|---|---|---|
ORG_ID | Yes | ALTR organization ID |
MAPI_KEY | Yes | ALTR management API key |
MAPI_SECRET | Yes | ALTR management API secret |
MCP_TRANSPORT | No | Transport protocol: stdio (default), sse, or streamable-http |
MCP_HOST | No | Bind address for HTTP transports (default: 0.0.0.0) |
MCP_PORT | No | Port for HTTP transports (default: 8000) |
RESTRICTED_TOOLS | No | Comma-separated tool names to hide from clients |
LOG_FORMAT | No | Log output format: console (default) or json |
LOG_LEVEL | No | Log level (default: INFO) |
Use RESTRICTED_TOOLS to hide specific tools from MCP clients. Restricted tools are removed from the tool list and blocked if called directly.
For example, to give a team read-only access without any destructive operations:
RESTRICTED_TOOLS=disconnect_database,delete_policy,delete_rule,disconnect_tag,disconnect_tag_by_details,delete_classifier,delete_collection,disconnect_sc_repo,disconnect_sc_sidecar
Or in the Claude Desktop config:
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret",
"RESTRICTED_TOOLS": "disconnect_database,delete_policy,delete_rule,disconnect_tag"
}
}
}
}
This is an operator-level safety net — it prevents accidental or unwanted tool usage but is not a substitute for proper API key permissions.
Add the following to your claude_desktop_config.json (Settings > Developer > Edit Config):
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
claude mcp add altr -e ORG_ID=your-org-id -e MAPI_KEY=your-api-key -e MAPI_SECRET=your-api-secret -- uvx altr-mcp
This writes the config to .mcp.json which can be committed to share with your team.
Add to ~/.cursor/mcp.json (global) or .cursor/mcp.json (project-scoped):
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
Open User Settings JSON (Ctrl+Shift+P → "Preferences: Open User Settings (JSON)") and add:
{
"mcp": {
"servers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
}
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"altr": {
"command": "uvx",
"args": ["altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
To run from a local clone instead of the published PyPI package:
Claude Code:
claude mcp add altr \
-e ORG_ID=your-org-id \
-e MAPI_KEY=your-api-key \
-e MAPI_SECRET=your-api-secret \
-- uv run --directory /path/to/altr-mcp altr-mcp
Claude Desktop:
{
"mcpServers": {
"altr": {
"command": "uv",
"args": ["run", "--directory", "/path/to/altr-mcp", "altr-mcp"],
"env": {
"ORG_ID": "your-org-id",
"MAPI_KEY": "your-api-key",
"MAPI_SECRET": "your-api-secret"
}
}
}
}
This section is for building a standalone CLI binary from the MCP server. If you just want to use the server with Claude Desktop or Claude Code, skip to Tools.
A standalone CLI lets you call ALTR tools directly from the terminal without an MCP client. It's built with mcporter, an open-source tool that compiles MCP servers into native CLI binaries. See the mcporter docs for the full set of options.
mcporter itself does not need to be installed separately — npx downloads and runs it on demand.
From the repo root:
npx mcporter generate-cli --command "uv run --directory . altr-mcp" --name altr-cli --compile ./altr-cli
This generates a compiled binary at ./altr-cli.
Set your credentials as environment variables, then run any tool:
export ORG_ID=your-org-id
export MAPI_KEY=your-api-key
export MAPI_SECRET=your-api-secret
# List databases
./altr-cli get-databases
# Get a specific database ID
./altr-cli get-database-id --database-name "my_database"
# Create a masking policy
./altr-cli create-policy --tag "STOPLIGHT"
# Add rules (pass JSON string for complex params)
./altr-cli add-rules --policy-id "TAG#abc123" --rules '[{"masking_policy": 10001, "role": "PUBLIC", "tag_value": "red"}]'
# Search query audits
./altr-cli search-query-audits --limit 10
# JSON output
./altr-cli get-databases --output json
# See all available commands
./altr-cli --help
The CLI runs the MCP server locally via uv run and requires the repo to be present at the working directory. All environment variables from the Configuration section apply.
156 tools across 13 domains. For a full breakdown of every tool with parameters, behavior, and examples, see docs/index.md.
| Domain | Tools | What it does |
|---|---|---|
| Databases | 8 | Connect Snowflake, OLTP, and Databricks data sources. Setup per platform: Snowflake, OLTP, Databricks. |
| Roles | 1 | get_roles — list all ALTR roles (called user groups in the ALTR console). |
| Tags | 8 | Manage Snowflake tag connections to ALTR. See Snowflake tag-based access policy. |
| Policies & Rules | 7 | Create masking policies and per-role rules. Tag-based (Snowflake, Databricks) and column-based (Snowflake only). Masking levels 10000–10009. |
| Classification | 13 | Run automated data classification scans. Snowflake (in-house + ALTR Native + GDLP), OLTP (ALTR Native + GDLP), Databricks (GDLP only). |
| Access Management | 4 | Access management policies for Snowflake and OLTP. Databricks access control is not exposed through this server. |
| Access Requests | 6 | Submit, review, and resolve Snowflake data access requests. |
| Audits | 6 | Search sidecar, Snowflake query, and platform system audits. |
| Telemetry | 9 | Monitor ALTR sidecar proxy agent and sidecar instance health. |
| Sidecar Configuration | 37 | Configure the ALTR sidecar proxy — agents, repos, repo users, service users, sidecars, listeners, and bindings. |
A few things are easy to miss and worth surfacing here:
Snowflake tags vs Databricks tags. A Snowflake tag is a first-class ALTR object — you register it with connect_tag, it gets a tag_group_id, and shows up in get_tags, get_tag_details*, update_tag, and disconnect_tag*. A Databricks tag is the opposite: not an ALTR object at all, just a raw string you pass into create_policy (with policy_type="PUSHDOWN" and database_ids=[…]). Databricks tags never appear in get_tags and do not have a tag_group_id. None of the Tags tools apply to Databricks.
Databricks create_policy requirements. When creating a masking policy for a Databricks metastore, you must pass database_ids as a list — even for a single database (e.g. database_ids=[2167]) — and set policy_type="PUSHDOWN". Omitting database_ids or using policy_type="TAG" will be rejected by the API. Snowflake policies do the opposite: omit database_ids and let policy_type default to TAG.
Platform setup guides on the ALTR docs site:
| Feature | Snowflake | OLTP (via sidecar) | Databricks |
|---|---|---|---|
| Database connections | ✅ | — | ✅ |
| Masking policies | ✅ | ❌ | ✅ |
| Classification | ✅ | ✅ | ⚠️ Partial |
| Access management policies | ✅ | ✅ | ❌ |
| Access requests | ✅ | ❌ | ❌ |
| Query audit logging | ✅ | ✅ | ❌ |
| System audit logging | ✅ | ✅ | ❌ |
| Sidecar configuration | — | ✅ | — |
| Telemetry & monitoring | — | ✅ | — |
Legend: ✅ Supported ⚠️ Partial ❌ Not supported — Not applicable
Classification mode coverage:
| Mode | Snowflake | OLTP | Databricks |
|---|---|---|---|
| In-house (ALTR pattern matching) | ✅ | ❌ | ❌ |
| ALTR Native classifiers | ✅ | ✅ | ❌ |
| GDLP (Google Cloud DLP) | ✅ | ✅ | ✅ |
Databricks classification — Partial: GDLP only via create_databricks_job; no in-house or ALTR Native classifiers. A collection_name may optionally be passed to scope the scan to a specific ALTR collection's classifiers (subject to condition_types); when omitted, all default Google DLP infoTypes are used.
Access management policies (Databricks): This MCP server does not currently expose Databricks grant or access management APIs. For Databricks access control, use the Databricks UI or REST API directly.
OLTP refers to relational databases (PostgreSQL, MySQL, Oracle, SQL Server) accessed through a customer-managed ALTR sidecar proxy.
uvx: command not foundInstall uv: pip install uv or via the official installer.
Restart your AI client after editing the config file — changes are not picked up automatically.
ERROR: Missing required environment variablesVerify ORG_ID, MAPI_KEY, and MAPI_SECRET are set in the env block of your client config. Variable names are case-sensitive.
{"success": false, ...}| HTTP status | Likely cause | Fix |
|---|---|---|
401 | Invalid credentials | Verify MAPI_KEY / MAPI_SECRET in the ALTR console under Settings > Preferences > API |
403 | Feature not enabled for this organization | The endpoint exists but is gated by an ALTR feature flag your org doesn't have turned on. Contact ALTR support to confirm the feature is enabled for your account. |
404 | Resource not found | Confirm the ID exists in your organization |
429 | Rate limited | The server retries automatically up to 3× with backoff; if persistent, reduce request frequency |
Check whether the tool name appears in the RESTRICTED_TOOLS env var in your client config. Restricted tools are hidden from the tool list entirely.
Use pagination parameters (limit, offset, or cursor) available on audit, telemetry, and classification tools to reduce response size.
# Install dependencies
uv sync --extra dev
# Run all tests
uv run pytest
# Run with verbose output
uv run pytest -v
# Run a specific test file
uv run pytest tests/integration/test_database.py
# Run a specific test
uv run pytest tests/integration/test_database.py::test_create_database_with_service_user
# Run with coverage report (terminal)
uv run pytest --cov=altr_mcp --cov-report=term-missing
# Run with coverage and generate an HTML report at htmlcov/index.html
uv run pytest --cov=altr_mcp --cov-report=html
altr_mcp/
server.py # MCP server entrypoint and tool registration
settings.py # Pydantic settings (env vars)
instructions.md # System prompt for LLM tool guidance
tools/ # Tool definitions (one file per domain)
utils/ # API client functions (one file per API)
tests/
unit/ # Unit tests (settings, models, annotations)
integration/ # Integration tests (httpx mocks per domain)
Platform setup
Data access controls
Discovery and observability
Protocol
GNU General Public License v3.0 or later. See LICENSE.md for the full text.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.