How authentication works

The Rippit MCP server is an OAuth 2.1 Protected Resource (RFC 9728). Your client bounces you to app.rippit.com in a browser window, you sign in there, and your client receives a short-lived JWT audience-bound to this MCP server (RFC 8707). You only ever enter your Rippit credentials in the browser. The MCP server and your agent never see them. Supported clients refresh tokens automatically; if a token cannot be refreshed, you will be prompted to sign in again.

Security and access control

Token scope

The MCP server acts as the signed-in user. It can read and write only what that user could read and write directly in app.rippit.com. There is no service account, no admin scope, and no way for the MCP server to bypass Rippit’s existing workspace permissions or role assignments. Revoking a user’s access in Rippit revokes their MCP access on the next token refresh.

Read / write surface

| Capability | Effect |
| --- | --- |
| Workbook and worksheet access | Read-only for existing objects. New objects are written through Ask Rippit. |
| Ask Rippit (start and continue an analysis) | Creates an Ask Rippit conversation in the user’s workspace and appends questions to it. These show up in the user’s history at app.rippit.com like any other. |

Hostnames

For allowlisting, the client touches three origins:

| Origin | Purpose | Direction |
| --- | --- | --- |
| mcp.rippit.com | MCP endpoint; all JSON-RPC traffic | Client → Rippit (HTTPS) |
| app.rippit.com | OAuth authorization server; user sign-in | Browser → Rippit (HTTPS) |
| cdn.rippit.com | Static assets loaded by the Ask Rippit card | Client iframe → Rippit (HTTPS) |

No client-side traffic goes to third parties.
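
One way to turn the table above into an egress check is sketched below. This is an added example, not Rippit's code: the log format, the source labels (`client`, `browser`, `client-iframe`), the port rule, and the URL paths in the sample are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# The three origins from the table, mapped to the component expected to contact each.
# The source labels are this example's own naming.
ALLOWED = {
    "mcp.rippit.com": "client",
    "app.rippit.com": "browser",
    "cdn.rippit.com": "client-iframe",
}

def check_request(source, url):
    """Return (allowed, reason) for one outbound request."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # hostname drops userinfo and port, so "mcp.rippit.com@other" yields "other"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED:  # exact match only: no suffix or substring matching
        return False, "host not in allowlist"
    if port not in (None, 443):
        return False, "non-standard port"
    if ALLOWED[host] != source:
        return False, "unexpected source for this origin"
    return True, "ok"

def audit(log_lines):
    """Return denied entries as (source, url, reason) tuples."""
    denied = []
    for line in log_lines:
        source, url = line.split(maxsplit=1)
        ok, reason = check_request(source, url.strip())
        if not ok:
            denied.append((source, url.strip(), reason))
    return denied

# Constructed sample egress log, one "<source> <url>" per line
SAMPLE_LOG = [
    "client https://mcp.rippit.com/",
    "browser https://app.rippit.com/",
    "client-iframe https://cdn.rippit.com/card.js",
    "client http://mcp.rippit.com/",
    "client https://mcp.rippit.com.example.net/",
    "client https://mcp.rippit.com@example.net/",
    "client-iframe https://app.rippit.com/",
]
if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Matching on the parsed hostname rather than on the URL string is what rejects the lookalike-suffix and userinfo forms in the sample.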

Card sandbox

Ask Rippit cards render inside your MCP client’s standard sandboxed iframe. The card’s only outbound network capabilities are JSON-RPC calls back to mcp.rippit.com (proxied through the host) and static asset loads from cdn.rippit.com.

Data handling

Rippit retains tool-call telemetry (which user, which tool, when, with what argument shape) for support and abuse prevention. Natural-language questions you submit to Ask Rippit are retained for the same purposes and to improve results. For specifics on retention windows, processing locations, and subprocessors, refer to your Rippit DPA or contact your Rippit point of contact.