Guides

Going to production

Prepare custom MCP clients, remote CLI agents, credentials, and audit expectations.

Moving from sandbox or a local machine to a production deployment introduces a few requirements depending on your channel.

Custom MCP clients and partners

Production MCP for custom clients is gated:

  • Custom apps and third-party gateways (Glean, MintMCP, GoSearch) must submit a support ticket to allowlist their exact redirect URI before launch. Use https://, localhost, or 127.0.0.1; wildcard subdomains aren't supported.
  • Tech partners building a product that connects customers' Ramp accounts should follow Ramp's partner and Developer API review path before launch.

Supported clients such as Cursor, Claude, ChatGPT, and Perplexity handle their own redirect behavior. Custom clients and gateways need the exact redirect URI allowlisted by Ramp.

CLI on a remote host

When an agent runs through the CLI on a remote host, authenticate locally and copy the session config to wherever the agent runs. This is what most production users do today.

Sessions stay alive as long as the agent makes at least one call within the refresh window:

  • Read-only sessions expire one week after last use.
  • Read-write sessions expire 24 hours after last use.

Protect the session config

Treat ~/.config/ramp/config.toml like a credential — never commit it to source control.

Some hosted agent platforms rewrite ~/.config/ramp/config.toml on restart, which destroys the refresh token and logs the agent out on the next start. If your runtime does this, persist the config file outside the rewrite scope or restore it from a backup at startup.

Audit

Every write operation lands in the customer's Ramp audit log automatically — no extra wiring. Actions are attributed to the authenticated user (or the agent acting on their behalf).

Production checklist

  • Use the demo MCP server or Sandbox while building prompts and scripts.
  • Confirm the user or service operator has only the Ramp permissions needed for the workflow.
  • Reconnect MCP clients after changing permissions or after Ramp ships new tools.
  • Protect OAuth tokens, CLI config files, and any MCP gateway credentials as production secrets.
  • Test Agent Card purchases against merchants that do not require unsupported flows like 3DS or card-on-file billing.