ak_live_ API key pasted into a config file.
Hosted and local MCP expose the same Artifacta tools — this is a different
connection method, not a different product. Prefer the local stdio package for
CI, restricted networks, or when you want explicit control over credentials and
process execution: see Install in Claude Code (stdio).
Prerequisites
- Claude Code installed (
claude --version). - A free Artifacta account. Sign up at app.artifacta.io/signup — you log in with this account during the OAuth step below.
Primary install — one command
Add the hosted server by URL. Claude Code registers itself with Artifacta automatically (OAuth Dynamic Client Registration) and uses PKCE — no client id, no callback port, and no client secret to configure:Artifacta supports OAuth 2.1 Dynamic Client Registration (RFC 7591), so
Claude Code self-registers a one-time public client (PKCE, no secret) the
first time it connects. You do not paste a
clientId or pick a callback port —
Claude Code chooses an ephemeral loopback port for the login redirect itself.Alternative — fixed client (manual / pre-DCR fallback)
If your client does not support Dynamic Client Registration, or you want to pin Artifacta’s registered public OAuth client explicitly, use theadd-json
form with the fixed clientId and callbackPort:
The
clientId above is Artifacta’s registered public OAuth client — a public
identifier, safe to commit, with no client secret. Do not pass
--client-secret; Artifacta uses PKCE. scopes is openid only — Artifacta
tool permissions are chosen on the consent screen, not through the OAuth scope
parameter (see Permissions). Both the one-liner and this fixed
form connect to the same endpoint and work in parallel.Authenticate
Adding the server does not log you in —claude mcp list shows artifacta as
needing authentication until you complete the browser flow once.
Log in and consent
Claude Code opens your browser to Artifacta. Sign in with your account, then
on the consent screen tick the permissions you want to grant this
connection (see Permissions) and click
Authorize.
Done
After Authorize, the browser redirects to a local
http://localhost:<port>/callback (or 127.0.0.1) URL — this is the
loopback listener Claude Code opened to receive the OAuth code, and a brief
“you may close this tab” page or a momentary blank page is expected.
Return to Claude Code; /mcp shows artifacta as connected and the
granted tools appear in the session.During Authenticate, Claude Code opens a one-shot loopback listener
(
http://localhost:<port>/callback) itself to receive the OAuth redirect —
you do not run a server. With the one-liner, the port is chosen
automatically; with the fixed-client add-json form, callbackPort: 8080 pins
it to match Artifacta’s registered redirect URI.claude mcp logout artifacta, then /mcp → artifacta → Authenticate
again.
Permissions
You choose Artifacta’s permissions (read / write / destroy) on the consent screen during authentication — not through the OAuthscope parameter. Each tier is nested:
write includes read, and destroy includes write.
| Grant | Tools exposed | Adds |
|---|---|---|
| Read | 5 — whoami, list_artifacts, get_artifact, get_artifact_download_url, list_sessions (plus all resources) | Browse and download your own artifacts. |
| + Write | 8 | store_artifact, request_upload_url, complete_upload |
| + Destroy | 11 | create_download_link (public share URLs), delete_artifact, seal_session |
“What’s my Artifacta plan?”Claude Code calls the
whoami tool (available at every permission tier) and
reports your tenant, plan, and usage.
Troubleshooting
Consent screen says “Unverified”
Consent screen says “Unverified”
Expected. Artifacta does not pre-verify the application names that
self-registering clients submit, so every OAuth consent screen shows an
Unverified label and the redirect URI for you to check. Confirm the
redirect URI is a local loopback address (
http://localhost:… or
http://127.0.0.1:…) before you Authorize.“does not support dynamic client registration”
“does not support dynamic client registration”
Your client could not self-register. Artifacta does support Dynamic
Client Registration, but if your client or network blocks it, fall back to
the fixed public client: use the
add-json / --client-id form
with clientId d685c6a7-5cb9-4612-ba2b-cab12e38d9e0.“unsupported scope artifacts:*”
“unsupported scope artifacts:*”
The OAuth authorization request must use
"scopes": "openid" only (the
one-liner does this for you). Artifacta’s tool permissions (read / write /
destroy) come from the consent screen, not the OAuth scope parameter —
requesting artifacts:* at authorize time is rejected by the authorization
server. If you set scopes explicitly, set it to openid and re-run.token error mentioning client_secret_basic
token error mentioning client_secret_basic
Artifacta is a public OAuth client and has no client secret. Remove any
--client-secret flag or stored secret — authenticate with PKCE only.No tools appear after authenticating
No tools appear after authenticating
You may have authorized with read only, or granted nothing. Run
claude mcp logout artifacta, then /mcp → artifacta →
Authenticate again and tick the permission tiers you need on the consent
screen.Headless / CI (advanced)
For unattended agents and CI that cannot run an interactive browser login, the hosted endpoint also accepts a rawak_live_ API key as a bearer token. This is
the advanced / CI-only path — interactive users should use OAuth above. See
the stdio + API key install and the hosted
ak_live_ curl smoke in the
@artifacta-mcp/mcp README.
What’s next
- Install in Claude Code (stdio) — the local
package with an
ak_live_API key, for CI, restricted networks, and explicit credential control. - MCP overview — the full tool and resource surface, shared by hosted and local.