MCP Server
The Tissue MCP server lets AI tools — Claude Code, Claude Desktop, Claude.ai, Cursor, Windsurf, Devin, and any other Model Context Protocol client — manage your Tissue account directly: deploy Cells, query c3 databases, read and write g7 objects, manage vault secrets, and more.
MCP endpoint: https://tissue.systems/mcp
The server holds no credentials of its own. Every request is performed against the REST API using the token you supply, so the tools an agent can see and call are always limited to what your token allows.
Two ways to authenticate
| Method | Best for | What you do |
|---|---|---|
| Browser login (OAuth) | Interactive use — Claude Code, Claude Desktop, Claude.ai | Give the tool the URL; sign in once in your browser |
| API token | CI, scripts, headless agents, any tool that takes static headers | Create a tok_… token, paste it into the config |
Both use the same endpoint. Browser login is the zero-friction path; the token method works everywhere, including clients that don't support OAuth.
Option A — Browser login (OAuth)
You only ever give your tool the server URL https://tissue.systems/mcp. Everything else is automatic:
- The tool connects and receives a 401 whose WWW-Authenticate header points at the server's protected-resource metadata.
- That metadata names the authorization server (auth.tissue.systems); the tool reads its metadata and registers itself automatically (Dynamic Client Registration).
- The tool opens your browser to sign in. You authenticate once; the tool stores the token and reconnects.
No token strings to copy. A browser-login session grants the agent full access to your account (the same as a logged-in dashboard session). For least-privilege access, use a scoped API token (Option B).
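The discovery chain described above can be checked by hand before you sign in. This is an added example, not Tissue's code: it validates a captured 401 challenge and protected-resource metadata against the two hosts named on this page. The sample header, metadata bodies and the same-host policy are constructed for illustration, and the `resource_metadata` and `authorization_servers` names come from RFC 9728, which the page does not cite.

```python
import re
from urllib.parse import urlsplit

MCP_URL = "https://tissue.systems/mcp"       # endpoint, from the page
EXPECTED_AS_HOSTS = {"auth.tissue.systems"}  # authorization server, from the page

def resource_metadata_url(www_authenticate):
    """Return the resource_metadata parameter of a Bearer challenge, or None."""
    match = re.search(r'\bresource_metadata="([^"]+)"', www_authenticate)
    return match.group(1) if match else None

def _https_host(url):
    """Hostname of an https:// URL; None for any other scheme."""
    parts = urlsplit(url)
    return parts.hostname if parts.scheme == "https" else None

def check_discovery(www_authenticate, metadata):
    """List every reason the 401 -> metadata -> authorization-server chain looks wrong."""
    problems = []
    meta_url = resource_metadata_url(www_authenticate)
    if meta_url is None:
        problems.append("challenge carries no resource_metadata parameter")
    elif _https_host(meta_url) != urlsplit(MCP_URL).hostname:
        # Policy of this example: metadata must be served over HTTPS by the MCP host.
        problems.append(f"metadata URL is not HTTPS on the MCP host: {meta_url}")
    if metadata.get("resource") != MCP_URL:
        problems.append(f"metadata describes a different resource: {metadata.get('resource')!r}")
    servers = metadata.get("authorization_servers") or []
    if not servers:
        problems.append("metadata names no authorization server")
    for issuer in servers:
        if _https_host(issuer) not in EXPECTED_AS_HOSTS:
            problems.append(f"unexpected authorization server: {issuer}")
    return problems

# Constructed samples: the page does not show the real header or metadata bodies.
GOOD_CHALLENGE = ('Bearer resource_metadata='
                  '"https://tissue.systems/.well-known/oauth-protected-resource/mcp"')
GOOD_METADATA = {"resource": MCP_URL,
                 "authorization_servers": ["https://auth.tissue.systems"]}
SPOOFED_METADATA = {"resource": MCP_URL,
                    "authorization_servers": ["https://auth.tissue-systems.example"]}

if __name__ == "__main__":
    print(check_discovery(GOOD_CHALLENGE, GOOD_METADATA))
    print(check_discovery(GOOD_CHALLENGE, SPOOFED_METADATA))
```

An empty list means the sign-in page your browser is about to open belongs to the authorization server this page names.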
Claude Code
claude mcp add --transport http tissue https://tissue.systems/mcp
On first use Claude Code opens your browser to sign in, then stores the token. Confirm with claude mcp list — tissue should show as connected.
Claude Desktop
Open Settings → Developer → Edit Config (or ~/Library/Application Support/Claude/claude_desktop_config.json on macOS / %APPDATA%\Claude\claude_desktop_config.json on Windows) and add:
{
  "mcpServers": {
    "tissue": {
      "url": "https://tissue.systems/mcp"
    }
  }
}
Save and restart Claude Desktop. On the next launch it detects that the server needs authentication and opens your browser to sign in. A hammer icon (🔨) in the chat input confirms the tools are active.
Claude.ai (web)
Go to Settings → Connectors → Add custom connector, enter https://tissue.systems/mcp as the URL, and complete the sign-in when redirected.
Cursor / Windsurf / other OAuth clients
Add a remote (HTTP/streamable) MCP server with the URL https://tissue.systems/mcp and no headers. The client runs the same browser-login flow on first connect.
Option B — API token
Use this for CI, headless agents, or any client without OAuth support.
1. Create a token
Dashboard: Account Settings → API Tokens → New Token → pick scopes → copy the value.
ribo CLI:
# Full access (personal use)
ribo token create "Claude" \
  --scope cells:read --scope cells:write --scope cells:delete \
  --scope databases:read --scope databases:write --scope databases:delete \
  --scope buckets:read --scope buckets:write --scope buckets:delete \
  --scope vault:read --scope vault:write

# Read-only data analyst
ribo token create "Analyst" --scope databases:read --scope buckets:read --scope cells:read
The token is shown once — it looks like tok_<64 hex>. See Tools & Scopes for the full scope list and presets.
2. Verify it
curl -s -H "Authorization: Bearer tok_YOUR_TOKEN" https://api.tissue.systems/v1/me
A 200 with your account and scopes confirms it works.
3. Configure your tool
{
  "mcpServers": {
    "tissue": {
      "url": "https://tissue.systems/mcp",
      "headers": { "Authorization": "Bearer tok_YOUR_TOKEN" }
    }
  }
}
The same url + headers shape works for Cursor (.cursor/mcp.json), Windsurf, and VS Code. For Claude Code:
claude mcp add --transport http tissue https://tissue.systems/mcp \
  --header "Authorization: Bearer tok_YOUR_TOKEN"
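A static token in a config file is easy to truncate on paste and easy to commit by accident (for example in .cursor/mcp.json). This added example, which is not part of Tissue or ribo, lints an `mcpServers` config for the exact endpoint and the `tok_<64 hex>` shape given above without ever printing the token. The sample tokens and config are constructed, and lowercase hex is an assumption.

```python
import json
import re
from urllib.parse import urlsplit

MCP_URL = "https://tissue.systems/mcp"      # exact endpoint, from the page
TOKEN_RE = re.compile(r"tok_[0-9a-f]{64}")  # tok_<64 hex>; lowercase hex is an assumption
PLACEHOLDER = "tok_YOUR_TOKEN"              # placeholder used in the page's snippets

def lint_mcp_config(text):
    """Return (server_name, finding) pairs for Tissue entries in an mcpServers config."""
    findings = []
    for name, entry in json.loads(text).get("mcpServers", {}).items():
        url = entry.get("url", "")
        host = urlsplit(url).hostname or ""
        if host != "tissue.systems" and not host.endswith(".tissue.systems"):
            continue  # some other MCP server, out of scope for this lint
        if url != MCP_URL:
            findings.append((name, f"url must be exactly {MCP_URL}"))
        auth = (entry.get("headers") or {}).get("Authorization")
        if auth is None:
            continue  # no static header: the client uses browser login (Option A)
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer":
            findings.append((name, "Authorization header is not a Bearer credential"))
        elif token == PLACEHOLDER:
            findings.append((name, "placeholder token was never replaced"))
        elif not TOKEN_RE.fullmatch(token):
            findings.append((name, f"token malformed or truncated ({len(token)} chars, expected 68)"))
        else:
            findings.append((name, "live token in plaintext: keep this file out of version control"))
    return findings

# Constructed sample tokens and config; none of these values is a real credential.
FULL_TOKEN = "tok_" + "ab" * 32
TRUNCATED_TOKEN = FULL_TOKEN[:40]
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "tissue": {"url": MCP_URL, "headers": {"Authorization": f"Bearer {FULL_TOKEN}"}},
    "tissue-ci": {"url": MCP_URL, "headers": {"Authorization": f"Bearer {TRUNCATED_TOKEN}"}},
    "tissue-typo": {"url": MCP_URL + "/", "headers": {"Authorization": f"Bearer {PLACEHOLDER}"}},
    "tissue-oauth": {"url": MCP_URL},
}})

if __name__ == "__main__":
    for server, finding in lint_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```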
Troubleshooting
Could not connect. Run curl -si -X POST https://tissue.systems/mcp. A reachable endpoint returns 401 (missing Authorization). A 404 means the URL is wrong — it must be exactly https://tissue.systems/mcp.
A tool is missing (e.g. cell_deploy). Your token lacks the required scope. Run the whoami tool to see the token's effective scopes, then create a new token with the missing scope. Tools you don't have scope for are hidden, not just disabled.
"Invalid or expired token" / 401 with a token set. Verify the token: curl -H "Authorization: Bearer tok_…" https://api.tissue.systems/v1/me. If that returns 401, the token was revoked or truncated when copied.
Browser login opened but nothing happened. Make sure auth.tissue.systems is reachable, then retry. Tokens are revocable any time via ribo token revoke <id> or the dashboard.
See also
- MCP Tools & Scopes — every tool and the scope that gates it
- REST API — the /v1 API the MCP server proxies to
- ribo CLI Reference — ribo token commands