Flowstate in Claude
Flowstate as a tool inside Claude.ai. Install it once at the org level via Claude's connector flow; every authorised user in your tenant can then ask Claude questions about workforce, AI spend, projects, and scenarios — answered against your live Flowstate data.
This is Flowstate exposed as an MCP server. The same server backs the ChatGPT Connectors install.
Prerequisites
Before you start:
- Your org must have the mcp_external_access feature toggle enabled. If you don't see it on, contact Flowstate support — it's gated per-tenant for safety while the surface stabilises.
- You need an admin role in Claude.ai capable of installing connectors org-wide.
- You need a Flowstate user account with the permissions you want the connector to inherit (the OAuth flow asks you to approve specific scopes).
Install
The connector URL Flowstate exposes is:
https://{tenant}.flowstate.inc/api/mcp
In Claude.ai's connector settings:
- Add a new MCP server.
- Paste the connector URL above (replacing {tenant} with your subdomain).
- Claude initiates OAuth — Flowstate hosts a consent page asking which scopes to approve.
- Approve. Claude stores the access + refresh tokens.
The OAuth flow uses dynamic client registration (RFC 7591) and PKCE (S256). Access tokens are JWTs valid for 1 hour; refresh tokens are opaque and valid for 30 days. The token endpoint rotates the refresh token on every refresh.
Tool catalogue
Once installed, the connector exposes a curated set of tools. The catalogue splits into read and write.
Read tools (no scenario required)
- get_organization_context — org overview. Call this first.
- search_employees, get_employee_details, rank_employees
- search_teams, get_team_details
- search_projects, get_project_details, find_projects_with_issues
- search_contractors, search_vacancies
- get_geographies, list_job_roles
- query_analytics — slice-and-dice metrics across teams, projects, employees, cost centres, value streams, and effort
- get_ai_usage_summary, get_ai_spend_by_team, get_ai_spend_by_person
- list_scenarios
- get_project_effort, get_team_effort, get_unattributed_effort
Write tools (require a scenario)
Write tools mutate a specific scenario, never live data. The user must call create_scenario first; subsequent write tool calls scope to that scenario via a planId argument.
- create_scenario
- add_team, update_team, delete_team
- add_employee, update_employee, move_employee, terminate_employees
- add_vacancy, update_vacancy, delete_vacancy
- add_contractor, update_contractor, delete_contractor
- add_project, update_project, delete_project
- allocate_employee_to_project, allocate_team_to_project, update_allocation
- add_ai_agent, update_ai_agent, delete_ai_agent
- update_budget
Permissions
The MCP server inherits the OAuth user's Flowstate permissions. If the user can't read salary data in the UI, rank_employees (which requires financial permissions) returns a permission error from MCP too. There's no privilege escalation through the connector.
Rate limiting
The MCP protocol endpoint enforces a per-user sliding window: 100 requests per minute. Exceeding it returns JSON-RPC error code -32000 with a "Rate limit exceeded" message. The standard X-RateLimit-Limit and X-RateLimit-Remaining headers are returned on every response.
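A small model of the limit described above, added here as an illustration and not Flowstate's own code: a per-user sliding-window log that produces the two headers and the JSON-RPC -32000 error. The names SlidingWindowLimiter and handle are hypothetical, the error uses the standard JSON-RPC 2.0 envelope, and it is an assumption that rejected requests do not count toward the window.

```python
import time
from collections import defaultdict, deque

LIMIT = 100          # requests per window (from the page)
WINDOW_SECONDS = 60  # one minute (from the page)


class SlidingWindowLimiter:
    """Hypothetical per-user limiter: stores timestamps of accepted requests."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # user id -> accepted-request timestamps

    def check(self, user_id):
        """Return (allowed, headers) for one request from user_id."""
        now = self.clock()
        q = self.hits[user_id]
        # Drop timestamps that have slid out of the trailing 60-second window.
        while q and now - q[0] >= self.window:
            q.popleft()
        allowed = len(q) < self.limit
        if allowed:
            q.append(now)  # assumption: only accepted requests are counted
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - len(q)),
        }
        return allowed, headers


def handle(limiter, user_id, request):
    """Gate one JSON-RPC request; over-limit callers get error code -32000."""
    allowed, headers = limiter.check(user_id)
    if not allowed:
        error = {"code": -32000, "message": "Rate limit exceeded"}
        return headers, {"jsonrpc": "2.0", "id": request.get("id"), "error": error}
    # Placeholder result: a real server would dispatch the tool call here.
    return headers, {"jsonrpc": "2.0", "id": request.get("id"), "result": {}}
```

Because the window trails each request instead of resetting on the minute boundary, a client that bursts 100 calls stays blocked until the oldest call is 60 seconds old, and one user's burst does not consume another user's budget.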
Audit and SIEM
Every MCP request — and every authentication failure — emits a SIEM event. If your org has SIEM integration wired up, MCP traffic flows there alongside the rest of the platform's audit stream.
Disabling
To disable Flowstate-in-Claude org-wide, ask Flowstate support to flip mcp_external_access off. The connector immediately starts returning 403 mcp_disabled to all callers; existing tokens are not revoked but are unusable until the toggle is re-enabled.
To revoke a single user's access, revoke the OAuth tokens at Settings → API Keys (the OAuth grants land alongside other API keys).
Reference
For the protocol-level details — OAuth endpoints, token schema, transport, full tool catalogue — see API → MCP server.