1. Astravue MCP Server
Astravue docs
  • Astravue API & MCP
  • Auth
    • Get Access and Refresh Token
      POST
    • Refresh Access Token
      POST
  • Personal Tasks
    • Get task by ID
      GET
    • Update a task
      PUT
    • Delete a task
      DELETE
    • Get all tasks
      GET
    • Create a task
      POST
  • Spaces
    • Get space by ID
      GET
    • Update a space
      PUT
    • Delete a space
      DELETE
    • Get all spaces
      GET
    • Create a new space
      POST
  • Projects
    • Get project details by ID
      GET
    • Update a project
      PUT
    • Delete a project
      DELETE
    • Get all projects in a space
      GET
    • Create a new project
      POST
  • Project Tasks
    • Get a project task by ID
      GET
    • Update a project task
      PUT
    • Delete a project task
      DELETE
    • Get all tasks in a project
      GET
    • Create a project task
      POST
  • Task Timer
    • Get active timers for a user
    • Update a timer
    • Delete a timer entry
    • Stop timer for a task
    • Start timer for a personal task
    • Add a time range entry for a personal task
    • Add manual time entry for a personal task
    • Start timer for a project task
    • Add range timer for a project task
    • Add manual time entry for a project task
    • Get timers for a user in a task
    • Get global timesheet report
    • Get project timesheet
    • Get project timesheet summary
  • Task Comments
    • Get comments for a task
  • Project Subtasks
    • Get all subtasks for a project task
  • Personal Subtasks
    • Get all subtasks for a personal task
  • Tasks Checklist
    • Get all checklists for a subtask
    • Get all checklists for a parent task
  • Astravue MCP Server
    • Overview
    • Get started
    • Supported tools
    • Authentication & Security
    • Integrating your own MCP client
  • Schemas
    • Schemas
      • ApiError
      • TimerData
      • NotificationReadResponseDto
      • FieldError
      • TimerUpdateRequest
      • NotificationDto
      • ApiSuccessResponseListTaskCheckListDto
      • TimeTrackerDto
      • TaskCommentDto
      • TaskCheckListDto
      • TaskListResponse
      • TaskUpdateRequest
      • NotificationDeleteRequestDto
      • ApiSuccessResponseTaskDto
      • TimerRequest
      • NotificationDeleteResponseDto
      • ApiSuccessResponseListTaskCommentDto
      • CustomFieldOptionDto
      • RangeTimerRequest
      • ApiSuccessResponseSubtaskListResponse
      • OrgRoleDto
      • ManualTimerRequest
      • SubtaskListResponse
      • TaskCustomFieldDto
      • TaskTimerResponseDto
      • TaskDependencyDto
      • TaskDto
      • TaskFieldValue
      • TaskPriorityDto
      • TaskResponseDto
      • TaskStatusDto
      • TaskTagDto
      • UserDisplayDto
      • SpaceUpdateRequest
      • ApiSuccessResponseSpaceDto
      • SpaceDto
      • SpaceMemberDto
      • SpaceRoleDto
      • ProjectUpdateRequest
      • AccountLabelDto
      • ApiSuccessResponseProjectDto
      • ContactDto
      • ContactProperties
      • ContactTagDto
      • ProjectDto
      • ProjectHealthDto
      • ProjectMemberDto
      • ProjectPriorityDto
      • ProjectRoleDto
      • ProjectStatusDto
      • ProjectTagDto
      • ProjectTaskUpdateRequest
      • AppDto
      • ResponseFormat
      • OrgMemberDto
      • UserPreference
      • UserPreferenceProperties
      • PasswordUpdateDto
      • UserDetailDto
      • MemberPreferenceDto
      • WidgetProperties
      • TimeMapDto
      • TaskStatusTemplateDto
      • DefaultProjectTaskStatusesTemplateDto
      • EmailContent
      • AttachmentDto
      • ReminderModeDto
      • TaskReminderDto
      • DailyRecurrenceSettings
      • DaysAfterRecurrenceSettings
      • FieldsToInclude
      • MonthlyRecurrenceSettings
      • TaskRecurrenceDto
      • WeeklyRecurrenceSettings
      • YearlyRecurrenceSettings
      • TaskListDto
      • OrganizationDto
      • Address
      • BillingAndAccountInfo
      • Filter
      • FilterList
      • FilterViewDto
      • CalendarEvent
      • EventReminder
      • ContactNotesDto
      • ColumnPreferenceDto
      • ColumnPreferenceProperties
      • AccountDto
      • AccountTagDto
      • ContactLabelDto
      • TaskCreateRequest
      • SpaceCreateRequest
      • ProjectCreateRequest
      • ProjectTaskCreateRequest
      • FileUploadDto
      • GlobalTaskStatusesTemplateDto
      • PasswordResetDto
      • UserDto
      • InviteUserDto
      • UserActivity
      • UserActivityKey
      • ApiSuccessResponseTaskListResponse
      • ApiSuccessResponseProjectListResponse
      • ApiSuccessResponseListSpaceDto
      • ProjectListResponse
      • ApiSuccessResponseObject
      • BackupUserActivity
    • TimesheetReportResponse
    • ProjectTimesheetResponse
  1. Astravue MCP Server

Authentication & Security

Learn how Astravue MCP authenticates your AI client and keeps your workspace secure.

How authentication works#

Astravue MCP uses OAuth 2.0 Authorization Code Flow with PKCE — the same secure standard used by Google, GitHub, and Slack integrations.
1
Your AI client requests access
When you add Astravue MCP to your client, it generates a secure one-time code challenge (PKCE) and redirects you to the Astravue sign-in page in your browser.
2
You sign in and approve
You log in with your Astravue account and click Approve. Astravue issues an authorization code to your AI client.
3
Your client receives a token
Your AI client exchanges the authorization code for an access token and refresh token. All future requests use the access token.
You only need to sign in again if the refresh token expires or access is revoked.
INFO
Your Astravue password is never shared with your AI client.
The AI client only receives a scoped access token issued through OAuth.

Authorization flow#

Token lifecycle#

TokenLifetimePurpose
Access token30 minutesAuthorizes every MCP tool call
Refresh tokenUp to 30 daysIssues a new access token silently
When an access token expires, your AI client automatically uses the refresh token to obtain a new one.
INFO
Astravue uses refresh token rotation.
Each refresh request issues a new refresh token and invalidates the previous one.

What the AI client can access#

Access is determined entirely by your Astravue account permissions.
The AI can only:
Read and modify data your account already has access to
Perform actions allowed by your workspace role (member, admin, owner)
Access projects where you are a member
TIP
To limit what an AI assistant can access, adjust your workspace role or project memberships rather than modifying the MCP connection.

Disconnecting an AI client#

You can remove Astravue MCP from your AI client at any time.
WARNING
Disconnecting removes the stored tokens from your AI client.
The access token remains valid until it expires (up to 30 minutes) but your client can no longer use it.
To disconnect:
1.
Open your AI client settings
2.
Locate the Astravue MCP server connection
3.
Remove or disable the server entry
Your client will no longer be able to execute any MCP tools.

Security best practices#

Use project-scoped connections when sharing config files
Review AI actions before approving in shared workspaces
Revoke access when offboarding team members
Never share access tokens

Data in transit#

Security FeatureDetails
EncryptionTLS 1.2+ encryption for all traffic
Authorization headerAuthorization: Bearer <access_token>
Data storageMCP server does not store workspace content

Single Sign-On (SSO)#

If your organization uses SSO, the Astravue MCP OAuth flow automatically redirects through your identity provider.
No additional configuration is required.
Users simply authenticate with their SSO credentials when connecting their AI client.
For enterprise SSO setup, contact support@astravue.com.

Previous
Supported tools
Next
Integrating your own MCP client
Built with