Skip to main content
Corsa exposes a Streamable HTTP MCP endpoint at /v1/mcp. This lets any MCP-compatible AI tool — Claude, Cursor, VS Code, or a custom agent — connect to your Corsa platform and query it using natural language via the ask_corsa tool.

Authentication

The MCP endpoint supports two authentication methods.

Option 1: Bearer token (API key)

Use the same Bearer token format as the REST API: 
Authorization: Bearer <API_TOKEN>:<API_SECRET>
Create API keys in the Corsa dashboard under Developers Hub > API Keys. This is the simplest option for server-to-server or development use.

Option 2: OAuth (Authorization Code + PKCE)

For interactive tools like Claude Desktop, Cursor, or Notion AI, Corsa supports standard OAuth 2.0 Authorization Code flow with PKCE (no client secret required). MCP clients that support OAuth will discover and use this flow automatically.

How it works

  1. Your MCP client sends an unauthenticated request to /v1/mcp.
  2. The server responds with 401 and a WWW-Authenticate header pointing to the protected resource metadata: 
    WWW-Authenticate: Bearer resource_metadata="https://api.corsa.finance/.well-known/oauth-protected-resource"
  3. The client fetches the metadata, discovers the authorization server, and initiates Authorization Code + PKCE with the Corsa Auth0 tenant.
  4. After the user authorizes, the client receives an access token and uses it for all subsequent MCP requests.

Discovery endpoints

EndpointRFCPurpose
GET /.well-known/oauth-protected-resourceRFC 9728Lists the authorization server and supported scopes
GET /.well-known/oauth-authorization-serverRFC 8414Returns authorization and token endpoint URLs
POST /oauth/registerRFC 7591Dynamic client registration — returns the public client_id
Most MCP clients handle this discovery automatically. You do not need to call these endpoints manually.

OAuth parameters

ParameterValue
Grant typeauthorization_code
PKCE methodS256
Client typePublic (no client_secret)
Scopesopenid profile email
Token typeBearer (JWT)

Endpoint

POST https://api.corsa.finance/v1/mcp
This is a Streamable HTTP MCP endpoint — the transport layer is handled by your MCP client. You configure your AI tool to connect to it rather than calling it directly with curl.

Configuration

Claude Desktop

Add to claude_desktop_config.json: 
{
  "mcpServers": {
    "corsa": {
      "type": "http",
      "url": "https://api.corsa.finance/v1/mcp",
      "headers": {
        "Authorization": "Bearer ${CORSA_API_TOKEN}:${CORSA_API_SECRET}"
      }
    }
  }
}
For OAuth, omit headers — Claude Desktop will discover and initiate the OAuth flow automatically.

Claude Code

Add to .claude/settings.json (project) or ~/.claude/settings.json (global): 
{
  "mcpServers": {
    "corsa": {
      "type": "http",
      "url": "https://api.corsa.finance/v1/mcp",
      "headers": {
        "Authorization": "Bearer ${CORSA_API_TOKEN}:${CORSA_API_SECRET}"
      }
    }
  }
}

Cursor

Add to .cursor/mcp.json: 
{
  "mcpServers": {
    "corsa": {
      "type": "http",
      "url": "https://api.corsa.finance/v1/mcp",
      "headers": {
        "Authorization": "Bearer ${CORSA_API_TOKEN}:${CORSA_API_SECRET}"
      }
    }
  }
}
For OAuth-capable Cursor versions, omit headers and Cursor will initiate the OAuth flow on first use.

EU region

For EU-hosted platforms, use https://api.eu.corsa.finance/v1/mcp instead.

What you can do

Once connected, your AI tool can use the ask_corsa tool to query your platform in natural language:
  • “Show me the last 10 high-priority alerts”
  • “How many open cases are assigned to me?”
  • “Find clients with a risk score above 80”
  • “What alerts were created in the last 24 hours?”
  • “Summarize the investigation for case CASE-1234”
The tool translates natural language into API calls against your platform and returns structured results.

What’s next

Authentication

Create API keys and understand the Bearer token format.

AI Skills

Install skills into your coding tool for guided API integration.

API Reference

Full OpenAPI spec (requires API credentials).

Webhooks

Receive real-time events from Corsa in your application.