Connecting with OAuth

Some AI platforms — including Claude.ai, ChatGPT, and others — connect to MCP Servers using OAuth authentication. Instead of manually copying an API token, you log in through the platform's interface and are redirected to CARTO to authorize access.

This is an alternative to the API Access Token method. OAuth is well suited for web-based AI platforms that handle the authentication flow natively, while API Access Tokens work better for CLI-based agents like Gemini CLI.

Simple sign-in with CIMD

Claude.ai and Claude Code use Client Identifier Metadata Document (CIMD) registration, so CARTO recognizes them automatically. No OAuth client setup is required: paste the MCP Server URL into the client and log in with your CARTO account when redirected.

The rest of this page covers the manual OAuth client setup required by other platforms, including ChatGPT, MCP Inspector, and MCP Jam.

Prerequisites

• A CARTO organization with access to the Developers section.

• At least one Workflow exposed as an MCP Tool. See Workflows as MCP Tools for setup instructions.

Step 1: Create a SPA OAuth Client

Navigate to Developers > Credentials in CARTO Workspace. Switch to the SPA OAuth Clients tab and click Create new > SPA OAuth Client.

1. Enter a descriptive Name (e.g. "Claude.ai MCP Connection").

2. Uncheck "Use default logout/callback URLs and origins".

3. In Allowed Callback URLs, enter the URL that matches your AI platform (see table below).

4. Click Save changes.

5. Copy the Client ID and Client Secret — you will need them in Step 2.

For more details on SPA OAuth Client configuration, see SPA OAuth Clients.

Callback URLs by platform

Step 2: Connect from your AI platform

Use the MCP Server URL (from the overview page), Client ID, and Client Secret to set up the connection. The exact steps vary by platform — refer to each platform's own documentation for detailed instructions:

• Claude.ai — How to connect remote MCP integrations

• ChatGPT — Using remote MCP servers

• MCP Inspector on GitHub

In general, the process is:

1. Open the MCP or connectors settings in your AI platform.

2. Add a new MCP connection and enter the MCP Server URL.

3. Enter the Client ID and Client Secret from Step 1.

4. Complete the OAuth authorization when redirected to CARTO.

5. After authorization, your CARTO MCP Tools will be available in conversations.

What you authorize

During the authorization step, you grant the AI platform permission to use the CARTO MCP Server on your behalf — listing and running your published Workflows, browsing your data warehouse connections, locating your saved Builder maps, and rendering interactive visualizations.

The OAuth token inherits the rest of your CARTO permissions — the connections, datasets, and maps your user account has access to. You can revoke the connection at any time from your CARTO Workspace under Developers > Credentials > SPA OAuth Clients, or from your AI platform's connector settings.

Troubleshooting

• Authentication fails or redirects to the wrong URL: Verify that the Allowed Callback URL in your SPA OAuth Client matches the platform exactly. See the callback URL table above.

• No tools appear after connecting: Ensure your Workflows are published as MCP Tools and have been synced. See Workflows as MCP Tools.

• Permission errors after authenticating: The OAuth token inherits the permissions of the CARTO user who authenticated. Ensure that user has access to the relevant Workflows and data connections.