"Best analytics tool I've used in 14 years"

DataFast MCP server

The DataFast MCP server lets MCP-compatible clients such as Codex, Claude Code, and Cursor query your analytics and manage your account through natural language. It provides the same functionality, permissions, and safety checks as the REST API and CLI.

Connect DataFast to an MCP client

It uses Streamable HTTP at https://datafa.st/api/mcp.

Step 1 — Create an account token

Open Account Settings → API / MCP, choose which websites and permissions the client can access, then create a token. Copy the dft_ token when it appears—you will use it in the next step, and it is only shown once.

Where to create a DataFast account token

Every MCP request uses the permissions and website access you selected for the token.

Step 2 — Connect your client

Codex

Save the copied token in a DATAFAST_TOKEN environment variable, then add DataFast:
codex mcp add datafast \
  --url https://datafa.st/api/mcp \
  --bearer-token-env-var DATAFAST_TOKEN

Claude Code

claude mcp add --transport http datafast https://datafa.st/api/mcp \
  --header "Authorization: Bearer dft_xxx"

Cursor, Claude Desktop, and other config-based clients

{
  "mcpServers": {
    "datafast": {
      "url": "https://datafa.st/api/mcp",
      "headers": {
        "Authorization": "Bearer dft_xxx"
      }
    }
  }
}

Clients that only support stdio

Bridge with mcp-remote:
{
  "mcpServers": {
    "datafast": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://datafa.st/api/mcp",
        "--header",
        "Authorization: Bearer dft_xxx"
      ]
    }
  }
}

Tools

See the full tool reference — analytics, websites, API keys, team, goals, funnels, visitors, alerts, account, access tokens, and integration status. Tool names follow datafast_<resource>_<action>, e.g. datafast_analytics_overview, datafast_websites_list.

Safety

  • Confirmation gate: irreversible or credential-issuing tools (delete, roll, mint API keys/tokens) require an explicit confirm: true argument. Calling without it returns a preview of what would happen instead of doing it, so an agent can't fire a sensitive action on the first try.
  • No secret exfiltration: listing endpoints for API keys and access tokens never return secret values, only metadata (id, name, prefix, dates) — same as the REST API.
  • Website deletion is dashboard-only: there is no MCP tool to delete a website; deletion can't be automated by design.
  • Payment connect/disconnect is dashboard-only: MCP can report integration status, but connecting or disconnecting payment providers (and handling their credentials) stays in the dashboard.
  • Scoped by token, not by tool: every tool call re-validates permissions against the real route — the transport resolves the bearer once per request, then reuses that result for in-process auth (no elevated MCP-only privilege).

Advanced: Limit MCP to one website

For a more restricted setup, use a df_ website API key instead of an account token. It limits the client to one website and mostly read-only analytics. Create one from that website's Settings → API / MCP page and see authentication and scopes for details.

✍️ Something missing? Suggest features.

🤖 AI agent or LLM? Read this page as markdown