Skip to main content
Institution-level integration - the MCP server is hosted by DeanDesk and authorized per institution. Once connected, the tools exposed to your AI client can read and write data across the institution and any selected school, subject to the scopes and roles you grant.
DeanDesk runs a Model Context Protocol (MCP) server for AI clients that support remote MCP connections. After authorization, the client can use DeanDesk tools to look up institution details, manage memberships, work with school users and courses, manage course materials and curricula, edit products and pages, read documentation, and store files in the institution Shared Drive.

How authorization works

The MCP server uses OAuth 2.1 with PKCE and supports dynamic client registration. When you add DeanDesk to an MCP client, the client opens a DeanDesk authorization page in your browser. You sign in with an institution Identity, review the requested scopes, choose a school context when school tools are needed, and approve the client. The tools that appear in your AI client depend on four things:
  • The scopes you approve
  • Your institution role
  • Your school role, when a selected school is required
  • The environment, because some migration tools are sandbox-only
Refresh tokens are issued when the client requests offline_access, so long-running clients can stay connected without asking you to sign in again.

How to set it up

Use the MCP endpoint provided by DeanDesk support or your institution administrator. For hosted DeanDesk environments, the endpoint is usually:
1

Add DeanDesk as a remote MCP server

In your MCP client’s settings, create a new server named DeanDesk and enter the DeanDesk MCP endpoint. Some clients call this a remote server URL, connector URL, or streamable HTTP endpoint.
2

Authorize the client

The client opens a browser window to DeanDesk. Sign in with your institution Identity, review the requested scopes, and approve only the access the client needs.
3

Select a school when needed

School-level tools require a selected school context. Choose the school during authorization when you want the client to manage school users, courses, course materials, curricula, rosters, products, assignments, surveys, pages, email drafts, or school settings.
4

Confirm the tools loaded

Return to the MCP client and refresh its tool list if needed. The DeanDesk tools that match your approved scopes and roles should now appear under the DeanDesk server.
Start with read-only scopes when testing a new client. Add write scopes only when the client needs to create, update, delete, or send data.

Available scopes

Scopes control which tools the AI client can call.

Available tools

Your client only sees tools allowed by your approved scopes, role, selected school, and environment.

Institution and memberships

Migration

Shared Drive and documentation

School users, courses, materials, curricula, and rosters

For large course videos or files, use create_course_material_with_upload with a public or signed fileUrl. filePath is only for trusted local MCP deployments where MCP_ENABLE_SERVER_FILE_UPLOADS=true; hosted DeanDesk MCP servers cannot read files from an agent’s local disk.

File library

School settings and pages

Products, discounts, communications, assignments, and surveys

Academic calendar

Time and payroll

Payroll tools require an institution Identity in addition to the selected school: Super Admin identities can read and write, and Admin Read-Only identities can read. School-only sessions do not see these tools. See Time and payroll.
Payroll write tools change staff compensation data. Review the intended change carefully before approving a write.

Best practices

  • Grant the minimum scopes needed for the task.
  • Use a dedicated client name for each MCP client so you can revoke clients independently.
  • Review write actions in your institution audit history.
  • Read existing records before asking the client to update or delete them.
MCP tools that send communications or modify DeanDesk data act on your institution’s behalf. Treat client authorizations like API keys and grant write scopes only to clients you trust.