Ramp Managed MCP Server
The Ramp managed MCP server lets an LLM read and act on your company’s Ramp spend data: listing and inspecting transactions, browsing cards, managing spend limits, querying users and departments, looking up vendors, and reviewing reimbursements.
After reading this page, you will be able to:
-
Configure the Ramp managed MCP server with per-user OAuth
-
Pick the right scopes and environment for production vs sandbox
-
List transactions, manage cards, and adjust spend limits from an agent
What this MCP server does
Wraps the Ramp Developer API v1 using per-user OAuth tokens, so each user’s Ramp permissions are enforced automatically and no shared API key is stored.
It is suitable for expense analysis, spend-policy enforcement, and corporate card management workflows. It is not intended for accounting system integrations or bulk data exports; use Ramp’s native accounting sync or data export features for those tasks.
Prerequisites
Before you create the server, make sure you have:
-
A Ramp account with admin access to the Ramp Developer Portal.
-
An OAuth Provider configured in Redpanda ADP for Ramp. See Configure an OAuth Provider.
-
Familiarity with User-delegated OAuth.
Get Ramp credentials
Set up the OAuth app on Ramp and the matching OAuth Provider in ADP:
-
Sign in to the Ramp Developer Portal.
-
Go to Developer Settings > Applications and click Create Application.
-
Set the redirect URI to your AI Gateway OAuth callback (typically
https://aigw.<cluster-id>.clusters.rdpa.co/oauth/v1/callback). -
Note the Client ID and Client Secret.
-
Required scopes:
-
transactions:read -
cards:read -
cards:write -
users:read -
departments:read -
vendors:read -
reimbursements:read -
limits:read -
limits:write
-
-
In ADP, register an OAuth Provider with:
-
Authorization endpoint:
https://app.ramp.com/v1/authorize -
Token endpoint:
https://api.ramp.com/developer/v1/token -
The Client ID and a secret-store reference for the Client Secret
-
Configure
Create a new Ramp MCP server in ADP:
-
Open MCP Servers > Create Server.
-
Pick
Rampfrom the marketplace picker. -
Fill in identity fields (
name,description). -
In the Ramp configuration form:
Field Notes environmentproductionfor the live Ramp API.demofor Ramp’s sandbox environment. Omit (or leave empty) for production.OAuth Provider
The Ramp OAuth Provider you configured.
Required scopes
All the scopes listed above. Drop write scopes (
cards:write,limits:write) if the MCP only needs to read. -
Click Create.
Configure from the CLI
Ramp authenticates per-user through the Ramp OAuth Provider you configured. Reference that provider in the managed config’s userOauth.providerName field. Ramp supports per-user OAuth only, so the userOauth block is required. The --user-oauth-provider and --user-oauth-scopes flags apply to remote (--url) servers only.
rpk ai mcp create --name my-ramp --managed-config '{
"@type": "type.googleapis.com/redpanda.mcps.ramp.v1.RampMCPConfig",
"environment": "production",
"userOauth": {
"providerName": "ramp"
}
}'Set environment to "demo" to target Ramp’s sandbox. userOauth.providerName is the resource name of the Ramp OAuth Provider you registered.
Tools
The Ramp MCP exposes the following tools:
| Tool | Description |
|---|---|
|
List transactions with optional filters. Supports pagination through the |
|
Retrieve a single transaction by ID, including line items, accounting selections, and policy violations. |
|
List corporate cards. Supports pagination. |
|
Issue a new virtual card. Returns a deferred task ID, since Ramp creates cards asynchronously. |
|
Suspend an active card by ID. Returns a deferred task ID. |
|
List Ramp users in your organization. Supports pagination. |
|
List departments. Supports pagination. |
|
List vendors. Supports pagination. |
|
List out-of-pocket reimbursement requests. Supports pagination. |
|
List spend limits. Supports pagination. |
|
Create a new spend limit. Returns a deferred task ID, since Ramp creates limits asynchronously. |
|
Update an existing spend limit’s display name or spending restrictions synchronously. |
Example: List recent transactions
curl -s https://aigw.<cluster-id>.clusters.rdpa.co/mcp/v1/my-ramp \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "list_transactions",
"arguments": {
"page_size": 25
}
}
}'Example: Create a virtual card for a vendor
curl -s https://aigw.<cluster-id>.clusters.rdpa.co/mcp/v1/my-ramp \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "create_card",
"arguments": {
"display_name": "AWS Services",
"user_id": "usr_abc123",
"idempotency_key": "create-aws-card-2026",
"spending_limit_amount": 5000.0,
"spending_limit_interval": "MONTHLY",
"spending_limit_currency": "USD"
}
}
}'Troubleshooting
Common symptoms and fixes:
| Symptom | What to check |
|---|---|
|
First call from a user with no stored token. The user completes Ramp’s OAuth consent flow, the token lands in the vault, and subsequent calls reuse it. |
|
Server’s |
|
These operations are asynchronous on Ramp’s side. The MCP returns a task ID that you can poll against Ramp’s API; the actual card or limit appears once the task completes. |
|
The calling user’s Ramp role doesn’t grant the action. Ramp’s role-based access control runs end-to-end: per-user OAuth means each user only sees what their Ramp account permits. |
Limitations
This page does not cover:
-
Bulk data export: Use Ramp’s native data export.
-
Accounting system integration: Use Ramp’s accounting sync.
-
Receipt management and approvals: Handled in the Ramp web UI.
