Carta MCP

CALL ANY TOOL

OAuth-scoped per stakeholder. Every call runs under the authorizing user's Carta permissions.

carta_captable_get

Get cap table

Retrieve the full cap table with share classes, ownership percentages, and fully diluted totals scoped to the authorized company.

Parameters

Name

Type

Required

Description

as_of_date

string

Optional

ISO 8601 date for historical cap table snapshot

include_unvested

boolean

Optional

Include unvested option grants in totals

carta_stakeholders_list

List stakeholders

carta_share_classes_get

Get share classes

carta_documents_list

List documents

carta_valuation_get

Get valuation

Build your Agent

Drop the toolkit in, point it at the authorized stakeholder, and your agent can query Carta cap table data from the first run.

Copied

import { ScalekitClient } from "@scalekit-sdk/node";
import { DynamicStructuredTool } from "@langchain/core/tools";
import { createReactAgent } from "@langchain/langgraph/prebuilt";
import { z } from "zod";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["cartamcp"], toolNames: ["carta_captable_get", "carta_stakeholders_list", "carta_share_classes_get"] },
  pageSize: 100,
});

const lcTools = tools.map((t) => new DynamicStructuredTool({
  name: t.tool.definition.name,
  description: t.tool.definition.description,
  schema: z.object({}).passthrough(),
  func: async (args) => {
    const { data } = await sk.tools.executeTool({
      toolName: t.tool.definition.name,
      identifier: "user_123",
      params: args,
    });
    return JSON.stringify(data);
  },
}));

const agent = createReactAgent({ llm, tools: lcTools });

Copied

import { ScalekitClient } from "@scalekit-sdk/node";
import OpenAI from "openai";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);
const openai = new OpenAI();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["cartamcp"], toolNames: ["carta_captable_get", "carta_stakeholders_list", "carta_share_classes_get"] },
  pageSize: 100,
});

const llmTools = tools.map((t) => ({
  type: "function",
  function: {
    name: t.tool.definition.name,
    description: t.tool.definition.description,
    parameters: t.tool.definition.input_schema,
  },
}));

const resp = await openai.responses.create({
  model: "gpt-4o", input: prompt, tools: llmTools,
});

import { ScalekitClient } from "@scalekit-sdk/node";
import Anthropic from "@anthropic-ai/sdk";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);
const anthropic = new Anthropic();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["cartamcp"], toolNames: ["carta_captable_get", "carta_stakeholders_list", "carta_share_classes_get"] },
  pageSize: 100,
});

const llmTools = tools.map((t) => ({
  name: t.tool.definition.name,
  description: t.tool.definition.description,
  input_schema: t.tool.definition.input_schema,
}));

const msg = await anthropic.messages.create({
  model: "claude-sonnet-4-6", max_tokens: 1024,
  tools: llmTools,
  messages: [{ role: "user", content: prompt }],
});

Copied

import { Agent } from "@google/adk/agents";
import {
  MCPToolset, StreamableHTTPConnectionParams,
} from "@google/adk/tools/mcp";

const toolset = new MCPToolset({
  connectionParams: new StreamableHTTPConnectionParams({
    url: "https://mcp.scalekit.com/cartamcp",
    headers: { Authorization: `Bearer ${userScopedToken}` },
  }),
});

const agent = new Agent({
  name: "agent", model: "gemini-2.0-flash",
  tools: await toolset.getTools(),
});

Try these prompts

Paste any prompt into your equity agent to start pulling cap table data from Carta.

Search & recall

Copy the prompt

Copied

Show fully diluted shares by class after the latest financing round.

Copy the prompt

Copied

List all option holders with unvested shares and cliff dates.

Copy the prompt

Copied

Get the current 409A valuation and effective date.

Action & updates

Copy the prompt

Copied

Fetch the latest board consent document.

Copy the prompt

Copied

Show all Series B preferred stakeholders and their liquidation preferences.

Copy the prompt

Copied

List recent equity plan grants for [team or department].

SEE HOW AUTH WORKS

Stakeholders authorize Carta once. Their OAuth token stays vaulted, every call is scoped to their permissions, and every action is logged.

1

Authorize

Your user connects

Carta MCP

once. We tie it to their identity and the meetings they approved — no shared bot account, no org-wide access

Who:

user ‘A’

when:

Once per user

access:

Limited to user

2

Store

Their

Carta MCP

token lives in a vault scoped to them. User A's meetings are never reachable by an agent acting for user B, even on the same connection

vault:

encrypted

scope:

per-user

tokens:

auto-refreshed

3

Resolve

When your agent calls a

Carta MCP

tool, we fetch the right token server-side. It never touches your agent, never appears in the LLM context, never shows up in your logs

speed:

~40ms

check:

before every call

seen by:

nobody

4

Audit

Every

Carta MCP

tool call is logged — who triggered it, which meeting was fetched, what came back. 90 days of history, tied to the user who authorized it

history:

90 days

export:

SIEM-ready

logged:

every call

Test other agents

Same per-user auth pattern across other finance and equity management connectors.

No items found.

Why Scalekit

Secure your agent's access. Connectors ship in minutes

One auth pattern for every connector. Carta today, QuickBooks and Xero tomorrow.

01.

Shared tokens break per-user analytics

A shared token looks fine in a demo. In production every call looks like a service account. Scalekit resolves the real user credential so attribution, audit, and scope stay accurate.

// shared token
 audit → bot_service_account
 user_filter → broken

 // scalekit
 audit → user_abc
 scope → enforced ✓

02.

Authentication is not authorization

03.

Multi-tenancy is architectural

04.

Carta MCP today. Others tomorrow.

“Our agents act across Salesforce, Gong, Google Drive, and more, on behalf of every customer. Scalekit behind the scenes meant we can keep adding tools without ever rebuilding how credentials or tool calling work.”

Venu Madhav Kattagoni

Head of Engineering / Von

FAQs

Frequently Asked Questions

Does the agent access Carta as the user or a shared service account?

As the user. Each stakeholder authorizes once via OAuth and Scalekit resolves their credential at request time. Audit logs attribute every action to that user, not a shared service account.

Where is the Carta OAuth token stored?

In Scalekit's managed AES-256 token vault, namespaced per tenant. Refresh is automatic. Revocation is a single dashboard action. Tokens never appear in prompts, logs, or LLM context.

Can I limit what the agent is allowed to do in Carta?

Yes. Pass a tool name filter to listScopedTools so the equity agent only sees cap table read operations, not share issuance or document signing. Pre-call scope checks block out-of-policy actions before they reach Carta.

What happens when a user revokes Carta access?

The connection is invalidated on the next tool call. Subsequent requests for that user fail closed with a clear error. Other users in the tenant remain unaffected. The event is logged for audit.

Does the agent see confidential board-level data in Carta?

Only what the authorizing user's Carta role permits. Board-confidential documents and investor-side data remain gated by Carta's own permission model. Scalekit enforces but does not expand the user's access.

Tools your equity agent reaches for on Carta, scoped per authorized stakeholder.