
sprinklr-mcp


Open-source MCP server for Sprinklr API

Source: npm
Version: 0.1.0 (latest)
Maintainers: 1

Sprinklr MCP Server

An open-source MCP server that gives AI assistants read-only access to your Sprinklr data. Works with Claude, ChatGPT, Copilot, Cursor, or any MCP-compatible client.

How it works: You deploy this server with your Sprinklr API credentials. Your AI assistant connects to it via MCP and can query reports, search cases, and call any read-only Sprinklr API endpoint --- using your existing permissions. No new access surface, no data leaves your infrastructure.

Quick Start

Option A: npm package (fastest)

npm install -g sprinklr-mcp

Create a .env file in your working directory with your Sprinklr credentials (see .env.example for the template), then run:

sprinklr-mcp

Do not pass credentials as inline environment variables. They will be saved in your shell history.

Option B: Clone and configure

git clone https://github.com/daiict218/sprinklr-mcp.git
cd sprinklr-mcp
npm install
cp .env.example .env        # fill in your Sprinklr credentials
npm test                     # verify connectivity
npm start                    # server runs on port 3000

Then connect your AI client:

| Client | How |
|---|---|
| Claude.ai | Settings > Connectors > Add custom connector > https://your-url/sse |
| Claude Desktop | Add to config: {"mcpServers":{"sprinklr":{"url":"http://localhost:3000/sse"}}} |
| Cursor / Others | Point to /sse (SSE) or /mcp (Streamable HTTP) |

Need Sprinklr API credentials? See Full Setup Guide below.

What You Can Do

| Tool | Description |
|---|---|
| sprinklr_report | Run any reporting dashboard query via API v2 payload |
| sprinklr_search_cases | Search CARE tickets by text, case number, or status |
| sprinklr_raw_api | GET any Sprinklr v2 endpoint (scoped by your token's permissions) |
| sprinklr_me | Check authenticated user profile / verify connectivity |
| sprinklr_token_status | Check connection status and tenant info |

Example: Open a Sprinklr dashboard > click three dots on a widget > "Generate API v2 Payload" > copy the JSON > ask your AI assistant: "Pull this reporting data: {paste payload}"

Deployment

Deploy to any Node.js host (Render, Railway, Fly.io, AWS, on-prem). Set all env vars from .env and run npm start.

For Render free tier, set SERVER_URL to your Render URL --- the server self-pings every 14 minutes to prevent spin-down.

Cost model: You deploy, you authenticate, you pay for your own LLM subscription. Zero cost on Sprinklr's side.

Note: This server has no built-in auth --- deploy on a private network or behind a reverse proxy. See Security.

Full Setup Guide

Prerequisites

  • Node.js 18+
  • Sprinklr account with API access
  • Admin or platform-level role to create developer apps

Step 1: Find Your Sprinklr Environment

Each Sprinklr instance runs on a specific environment. Your API keys and tokens are tied to that environment and cannot be used across others.

  • Log into Sprinklr in your browser
  • Open browser DevTools (F12 or right-click > Inspect)
  • Press Ctrl+F (Windows) or Cmd+F (Mac) to search
  • Search for sentry-environment
  • The value (e.g., prod4) is your environment

Common environments: prod, prod2, prod3, prod4, prod8.

Note: The prod environment has no path prefix in API URLs. All others include the environment name in the path.

Step 2: Create a Sprinklr Developer App

  • Open Sprinklr > All Settings > Manage Customer > Developer Apps
  • Click "+ Create App" and fill in the details
  • Set the Callback URL to https://www.google.com (or any URL you control)

Alternatively, use the Developer Portal: register, go to Apps > + New App > fill in the form.

Step 3: Generate API Key and Secret

  • In Developer Apps, find your app > three dots > "Manage API Key/Token"
  • Click "+ API Key"
  • Copy both the API Key and Secret immediately --- the Secret is only shown once

If you lose the Secret, you must generate a new pair.

Step 4: Ensure Required Permissions

The authorizing user needs Generate Token and Generate API v2 Payload permissions. These are managed in All Settings > Platform Setup > Governance Console > Workspace/Global Roles.

Step 5: Generate OAuth Tokens

Step 5a: Get an Authorization Code

Open this URL in your browser (must be logged into Sprinklr):

https://api2.sprinklr.com/{ENV}/oauth/authorize?client_id={YOUR_API_KEY}&response_type=code&redirect_uri=https://www.google.com

For prod, omit {ENV}/. The redirect_uri must exactly match your app's Callback URL.

The browser redirects to https://www.google.com/?code=XXXXX. Copy the code value.

Codes expire in 10 minutes --- proceed immediately.

Step 5b: Exchange the Code for Tokens

curl -s -X POST "https://api2.sprinklr.com/{ENV}/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id={YOUR_API_KEY}" \
  -d "client_secret={YOUR_API_SECRET}" \
  -d "code={YOUR_CODE}" \
  -d "grant_type=authorization_code" \
  -d "redirect_uri=https://www.google.com"

Returns access_token and refresh_token. Save both.

Alternative: Generate tokens directly from the Sprinklr UI via Developer Apps > Your App > Manage API Key/Token > Generate Token.

Step 6: Clone and Configure

git clone https://github.com/daiict218/sprinklr-mcp.git
cd sprinklr-mcp
npm install
cp .env.example .env

Fill in your .env with values from the previous steps. See .env.example for the template.

Step 7: Test and Start

npm test   # verify Sprinklr connectivity
npm start  # start the server on port 3000

Endpoints:

  • SSE: GET /sse + POST /messages (Claude.ai connectors)
  • Streamable HTTP: POST/GET/DELETE /mcp
  • Health: GET /health

Token Lifecycle

| Token | Expiry | Notes |
|---|---|---|
| Authorization code | 10 minutes | One-time use |
| Access token | ~30 days | Tied to environment |
| Refresh token | No expiry | Single-use --- each refresh invalidates the old one |

The server auto-refreshes on 401, but stores new tokens in memory only. If the server restarts, it re-reads from env vars. Update your env vars after a refresh, or re-run the OAuth flow if tokens go stale.

One token per API key. If multiple instances share an API key, one refreshing will invalidate the others. Use separate API keys per instance.
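
A small in-memory model of the token rules above, added here as an illustration (it is not the project's code and does not call Sprinklr). The class names, the `refresh_rejected` error string and the token values are constructed; it shows what a second instance and a restart with unchanged env vars see after one refresh.

```javascript
// Added example: an in-memory model of the token rules described above.
// Not the project's code and not Sprinklr's API; all names are assumptions.
class TokenIssuer {
  constructor() { this.n = 0; this.access = null; this.refreshTok = null; }
  issue() {                                // a new pair replaces the previous one
    this.n += 1;
    this.access = `access-${this.n}`;
    this.refreshTok = `refresh-${this.n}`;
    return { access: this.access, refresh: this.refreshTok };
  }
  expireAccess() { this.access = null; }   // stands in for ~30 days passing
  call(access) { return access !== null && access === this.access ? 200 : 401; }
  refresh(token) {                         // single-use: only the latest one works
    if (token !== this.refreshTok) return { error: "refresh_rejected" };
    return this.issue();
  }
}

class McpInstance {
  // Like the server, reads its tokens from the environment at start-up.
  constructor(issuer, env) { this.issuer = issuer; this.tokens = { ...env }; }
  request() {
    if (this.issuer.call(this.tokens.access) === 200) return "ok";
    const fresh = this.issuer.refresh(this.tokens.refresh); // auto-refresh on 401
    if (fresh.error) return "re-run OAuth flow";
    this.tokens = fresh;                   // memory only; env vars are unchanged
    return this.issuer.call(fresh.access) === 200 ? "ok after refresh" : "failed";
  }
}

function runScenarios() {
  const issuer = new TokenIssuer();
  const env = issuer.issue();              // the pair originally put in .env
  const a = new McpInstance(issuer, env);
  const b = new McpInstance(issuer, env);  // second instance, same API key
  const out = { start: a.request() };
  issuer.expireAccess();
  out.aAfterExpiry = a.request();          // a rotates the pair
  out.bAfterARefresh = b.request();        // b still holds the consumed pair
  out.restartWithOldEnv = new McpInstance(issuer, env).request();
  out.restartWithUpdatedEnv = new McpInstance(issuer, a.tokens).request();
  return out;
}

console.log(runScenarios());
```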

Security

Architecture

This MCP server is built entirely on top of Sprinklr's existing public REST APIs. It does not create any new access surface, bypass any Sprinklr access controls, or touch internal systems. Every request goes through Sprinklr's standard API gateway with the same authentication, authorization, and rate limiting that applies to any direct API consumer.

Because of this:

  • No Sprinklr security review required. This is equivalent to a customer using Sprinklr APIs directly --- same endpoints, same credentials, same access controls.
  • Customer security teams should review. As with any API integration, the deploying organization should review the connector as part of their standard security process.

Deployment Model

The intended deployment model keeps all sensitive data within the customer's own infrastructure:

  • Customer deploys the server on their own infrastructure (Render, Railway, AWS, on-prem).
  • Customer authenticates with their own Sprinklr credentials. No credentials are shared with or stored by Sprinklr.
  • LLM costs sit with the customer --- they use their own Claude, ChatGPT, or Copilot subscription.

Sprinklr publishes the open-source connector code. Customers deploy, authenticate, and run it themselves. Zero infrastructure or AI cost on Sprinklr's side.

Important: No Built-in Authentication

This server does not authenticate incoming MCP client connections. Anyone who can reach the server URL can invoke all tools using the configured Sprinklr credentials. This is by design for simplicity --- the server is intended to run on private networks, localhost, or behind a reverse proxy with authentication.

Do not expose this server to the public internet without adding an authentication layer (e.g., reverse proxy with OAuth, VPN, or firewall rules).

Protections

  • Read-only enforcement: PUT, DELETE, and PATCH are blocked at the API client level. POST is allowlisted only for /reports/query and /case/search.
  • SSRF prevention: All endpoints must start with / and are validated against protocol injection (://) and path traversal (..). Requests always target the configured Sprinklr API domain.
  • Session expiry: Inactive MCP sessions are cleaned up after 30 minutes.
  • No credentials in code: All secrets are loaded from environment variables. .env is gitignored.
  • Token auto-refresh: On 401 responses, the server refreshes the access token and stores the new refresh token for subsequent rotations.
  • Sanitized errors: Sprinklr API error details are logged server-side only. Clients receive only the HTTP status code, not internal response bodies.
  • sprinklr_raw_api scope: This tool allows GET requests to any Sprinklr v2 endpoint. Access is intentionally broad to support diverse use cases. The Sprinklr token's own permission scope limits what data is accessible.
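
One way to implement the read-only and endpoint checks listed above, as an added example rather than the project's server.mjs. `ALLOWED_POST_ENDPOINTS` is the name the README uses; `checkRequest`, `API_BASE` and the sample paths are assumptions, and the decoded-form and final host checks go beyond what the README lists.

```javascript
// Added example, not the project's server.mjs. ALLOWED_POST_ENDPOINTS is the
// name the README uses; every other name here is an assumption.
const ALLOWED_POST_ENDPOINTS = new Set(["/reports/query", "/case/search"]);
// Assumed base: host from the README's OAuth URLs plus its sample environment.
const API_BASE = "https://api2.sprinklr.com/prod4";

const deny = (reason) => ({ ok: false, reason });

function checkRequest(method, endpoint) {
  const verb = String(method).toUpperCase();
  // Read-only enforcement: PUT, DELETE, PATCH and anything else is refused.
  if (verb !== "GET" && verb !== "POST") return deny("method not read-only");
  if (typeof endpoint !== "string" || !endpoint.startsWith("/")) {
    return deny("endpoint must start with /");
  }
  // Check the raw and the percent-decoded form, so %2e%2e cannot hide "..".
  let decoded;
  try {
    decoded = decodeURIComponent(endpoint);
  } catch {
    return deny("malformed percent-encoding");
  }
  for (const form of [endpoint, decoded]) {
    if (form.includes("://")) return deny("protocol injection");
    if (form.includes("..")) return deny("path traversal");
  }
  // POST is allowed only for the two query-style endpoints.
  const path = endpoint.split("?")[0];
  if (verb === "POST" && !ALLOWED_POST_ENDPOINTS.has(path)) {
    return deny("POST endpoint not allowlisted");
  }
  // Beyond the README's list: "//host" and "/\host" pass the checks above but
  // change the host if an HTTP client resolves them relative to the base URL.
  let resolved;
  try {
    resolved = new URL(endpoint, API_BASE);
  } catch {
    return deny("unparseable endpoint");
  }
  if (resolved.origin !== new URL(API_BASE).origin) {
    return deny("resolves to another host");
  }
  return { ok: true, url: API_BASE + endpoint };
}

// Constructed sample inputs.
for (const [m, e] of [["GET", "/case/123"], ["POST", "/case/123"],
  ["GET", "/a/%2e%2e/b"], ["GET", "//other.example/x"]]) {
  console.log(m, e, JSON.stringify(checkRequest(m, e)));
}
```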

Token Storage

Tokens are stored in memory only. This is a deliberate design choice --- it avoids writing credentials to disk and keeps the attack surface minimal. The tradeoff: if the server restarts, it falls back to the tokens in your environment variables. Update your env vars after a refresh if needed, or re-run the OAuth flow.

See Token Lifecycle for details on expiry and single-use refresh tokens.

Troubleshooting

| Error | Cause | Fix |
|---|---|---|
| "Invalid APIKey/ClientID" (401) | API Key doesn't match environment | Verify key belongs to correct environment bundle |
| "Unauthorized" (401) | Access token expired | Server auto-refreshes, or re-run OAuth flow |
| "invalid_grant" | Auth code expired/used/redirect mismatch | Get a fresh code, exchange within 10 minutes |
| Refresh token fails | Already used (single-use) | Re-run full OAuth flow |
| "Developer Over Rate" (403) | Hit 1,000 calls/hour limit | Wait, or contact Sprinklr Success Manager |

Contributing

Contributions are welcome. Please open an issue first to discuss what you'd like to change.

  • Fork the repo
  • Create a branch (git checkout -b feature/your-feature)
  • Make your changes
  • Test locally (npm test && npm start)
  • Open a PR against main

Guidelines:

  • Keep changes focused --- one concern per PR
  • Follow the existing code style (ES modules, arrow functions)
  • All PRs are reviewed before merge
  • All PRs must target main --- direct pushes are blocked

Adding new read-only endpoints: Add the POST path to ALLOWED_POST_ENDPOINTS in server.mjs. GET endpoints work automatically via sprinklr_raw_api.

License

ISC

Keywords

mcp

Package last updated on 06 Apr 2026
