Alpha is the independent verification organization (IVO) for AI governance. This page documents all agent and developer integration paths: the MCP server (recommended for AI agents), OAuth 2.0 with PKCE, API key authentication, scoped permissions, rate limits, and integration guides.
get_regulatory_intelligence tool (region: EU) and the regulatory_readiness_assessment prompt.
https://api.alpha.ac/functions/v1
All API requests target this base URL. The MCP server is the primary integration point for AI agents.
Alpha supports two authentication mechanisms. Selected public-access tools work without any authentication.
Pass your API key as a request header. Both formats are equivalent:
| Header | Format | Example |
|---|---|---|
x-api-key | Raw key value | x-api-key: alpha_k_xxxxxx |
Authorization | Bearer token | Authorization: Bearer alpha_k_xxxxxx |
Get an API key at alpha.ac/radar.
Recommended for agent applications and multi-user deployments. Supports delegated access with granular scopes. The authorization server is https://www.alpha.ac.
/.well-known/oauth-authorization-server/.well-known/oauth-protected-resource
AI agents integrating with Alpha's API should follow one of three authentication patterns, depending on deployment type. All agent authentication is handled via HTTP headers — no cookies, no sessions.
The simplest approach for agents with a single owner. Set the x-api-key header on every MCP POST request. Suitable for Claude Code, Cursor, Windsurf, and custom agent scripts.
# Python: set header on every MCP request
import httpx
headers = {
"Content-Type": "application/json",
"x-api-key": "YOUR_ALPHA_API_KEY"
}
response = httpx.post(
"https://api.alpha.ac/functions/v1/mcp-server",
json={"jsonrpc": "2.0", "id": 1, "method": "tools/call",
"params": {"name": "score_ai_governance_risk", "arguments": {"ticker": "MSFT"}}},
headers=headers
)
print(response.json())
For agents acting on behalf of multiple users. Each user authenticates via the Authorization Code flow, and the agent uses their individual access token. Token lifetime: 3600 seconds. Refresh using the refresh_token.
# Use Bearer token obtained from OAuth flow headers = { "Content-Type": "application/json", "Authorization": "Bearer alpha_t_xxxxxxxx" # User-specific token } response = httpx.post( "https://api.alpha.ac/functions/v1/mcp-server", json={"jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": {"name": "get_board_profile", "arguments": {"ticker": "MSFT"}}}, headers=headers )
Five tools work without any authentication. These are safe for agent discovery, testing, and public-facing workflows that only need company search or platform statistics.
# No headers needed — public-access tools work without auth
response = httpx.post(
"https://api.alpha.ac/functions/v1/mcp-server",
json={"jsonrpc": "2.0", "id": 1, "method": "tools/call",
"params": {"name": "search_companies", "arguments": {"query": "Apple"}}}
)
On a 401 Unauthorized response, agents should: (1) check that the x-api-key header is set, (2) verify the key is valid at alpha.ac/radar, (3) for OAuth tokens, attempt a token refresh before retrying. Do not retry indefinitely — surface the auth failure to the user after two attempts.
/.well-known/mcp.json or /.well-known/mcp. The discovery document includes authentication, publicAccessTools, and capabilities fields so agents can determine required auth before making their first call.
Alpha uses scoped permissions to control access to different data types. Request only the scopes your agent needs. All scopes are read-only.
| Scope | Access Granted | Tools Unlocked |
|---|---|---|
| read:governance | Company AGR ratings (AAA-D), GEH failure probability (with CI), AART tier, trajectory, and governance risk flags | score_ai_governance_risk, get_governance_rating, get_governance_debt |
| read:ratings | Full D1-D12 dimension scores, D2R Map (EU AI Act/ISO 42001/NIST citations), Disclosure-Practice Divergence (DPD), committee accountability mapping | compare_companies, benchmark_board_ai_readiness, get_governance_signals, find_ai_governance_signals |
| read:directors | Director AGIQ scores (0-200), board seats, committee roles, AI governance expertise classification, interlock mapping | get_director_profile, get_board_profile |
| read:regulatory | EU AI Act compliance status by article, NIST AI RMF function mapping, ISO 42001 gap analysis, enforcement timeline, jurisdiction-specific regulatory intelligence | get_regulatory_intelligence, compare_capability_velocity, get_governance_scaling_index |
To access all authenticated tools, request all four scopes: read:governance read:ratings read:directors read:regulatory
Alpha uses PKCE (Proof Key for Code Exchange) with the S256 challenge method. This is the recommended flow for AI agents and applications.
# Generate a random 64-byte code verifier code_verifier=$(openssl rand -base64 64 | tr -d '\n=+/' | cut -c1-128) # Create S256 challenge: BASE64URL(SHA256(code_verifier)) code_challenge=$(echo -n "$code_verifier" | sha256sum | xxd -r -p | base64 | tr -d '=' | tr '+/' '-_')
GET https://www.alpha.ac/auth/authorize? response_type=code& client_id=YOUR_CLIENT_ID& redirect_uri=https://your-app.example.com/callback& scope=read:governance%20read:ratings& code_challenge=CODE_CHALLENGE& code_challenge_method=S256& state=RANDOM_STATE_VALUE
POST https://api.alpha.ac/functions/v1/auth-token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=AUTHORIZATION_CODE& redirect_uri=https://your-app.example.com/callback& client_id=YOUR_CLIENT_ID& code_verifier=CODE_VERIFIER
Response:
{
"access_token": "alpha_t_xxxxxxxx",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "alpha_r_xxxxxxxx",
"scope": "read:governance read:ratings"
}
curl -X POST https://api.alpha.ac/functions/v1/mcp-server \
-H "Content-Type: application/json" \
-H "Authorization: Bearer alpha_t_xxxxxxxx" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "score_ai_governance_risk",
"arguments": { "ticker": "MSFT" }
}
}'
100 requests per minute per IP address. Every response includes standard rate limit headers:
| Header | Value | Notes |
|---|---|---|
X-RateLimit-Limit | 100 | Requests per minute |
X-RateLimit-Remaining | N (0-100) | Requests remaining in current window |
X-RateLimit-Reset | Unix timestamp | When the current window expires |
Retry-After | Seconds (60) | Included only on 429 responses |
When you receive HTTP 429, wait for the Retry-After duration. Rate limits are applied per IP, not per API key.
Alpha's Model Context Protocol server is the primary integration path for AI agents. It implements Streamable HTTP transport (JSON-RPC 2.0) per MCP protocol version 2025-03-26.
Endpoint: https://api.alpha.ac/functions/v1/mcp-server
Capabilities declared in initialize response:
tools (18 tools, listChanged: false),
resources (8 alpha:// templates + 3 ui:// MCP Apps),
prompts (5 prompts),
apps (MCP Apps support)
# Step 1: Initialize — check capabilities including MCP Apps (apps: {}) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{"apps":{}},"clientInfo":{"name":"my-agent","version":"1.0"}}}' # Step 2: List tools (shows public vs authenticated access) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' # Step 3: Search companies (public access, no auth) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"search_companies","arguments":{"query":"Microsoft"}}}' # Step 4: Score governance (authenticated access, requires API key or OAuth2 token) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -H "x-api-key: YOUR_KEY" \ -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"score_ai_governance_risk","arguments":{"ticker":"MSFT"}}}'
Alpha's MCP server implements the Streamable HTTP transport from MCP protocol version 2025-03-26. For long-running governance analysis tools, the server streams results as Server-Sent Events (SSE) rather than blocking until completion.
Include text/event-stream in your Accept header. When the server detects this, it streams partial results as each governance dimension completes analysis:
curl -N -X POST https://api.alpha.ac/functions/v1/mcp-server \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-H "x-api-key: YOUR_KEY" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "score_ai_governance_risk",
"arguments": { "ticker": "MSFT" }
}
}'
Each SSE event is a complete JSON-RPC 2.0 message. Progress events use event: progress; the final complete result uses event: message:
Content-Type: text/event-stream
Transfer-Encoding: chunked
event: progress
data: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"Analyzing D1-D12 dimensions..."}],"partial":true}}
event: progress
data: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"Running GEH calibration..."}],"partial":true}}
event: message
data: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text","text":"{ ...complete AGR + GEH result... }"}],"_meta":{"ui":{"resourceUri":"ui://alpha/governance-dashboard?ticker=MSFT","renderHint":"card"}}}}
| Accept Header | Response Type | Notes |
|---|---|---|
application/json only | application/json | Single blocking response. Simpler but slower for multi-dimension tools. |
text/event-stream | text/event-stream | SSE stream. Multiple progress events, then final result. Recommended. |
application/json, text/event-stream | text/event-stream | Server prefers streaming when both are accepted. MCP client default. |
If the SSE stream is interrupted, reconnect using the standard SSE Last-Event-ID header. Alpha includes an id: field on each event. On reconnect, the server resumes from the last acknowledged event ID. If reconnection fails, fall back to a non-streaming request with Accept: application/json.
Test Alpha's API instantly in the sandbox below. Public-access tools require no API key. Authenticated tools require an API key or OAuth 2.0 token.
Copy and run these sandbox commands to verify the API is working. No API key required.
# Sandbox Test 1: Verify MCP server is live curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"sandbox-test","version":"1.0"}}}' # Sandbox Test 2: Search companies (public access) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_companies","arguments":{"query":"Apple"}}}' # Sandbox Test 3: Get platform stats (public access) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_platform_stats","arguments":{}}}'
# Sandbox Test 4: Full governance score (replace YOUR_KEY with your API key from alpha.ac/radar) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -H "x-api-key: YOUR_KEY" \ -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"score_ai_governance_risk","arguments":{"ticker":"MSFT"}}}' # Sandbox Test 5: Board profile curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -H "x-api-key: YOUR_KEY" \ -d '{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"get_board_profile","arguments":{"company_name":"Microsoft","ticker":"MSFT"}}}'
X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
Alpha supports MCP Apps — interactive HTML resources rendered as inline UI cards in compatible MCP clients. The server declares "apps": {} in its initialize capabilities. Three UI resources are available:
| URI | Name | Description | mimeType |
|---|---|---|---|
ui://alpha/governance-dashboard |
Governance Dashboard | Interactive AGR grade, D1-D12 dimension scores, GEH failure probability, trajectory, and peer benchmarks. Accepts ?ticker=MSFT parameter. |
text/html;profile=mcp-app |
ui://alpha/director-card |
Director AGIQ Card | Interactive director profile showing AGIQ score (0-200), expertise band, board seats, and committee assignments. Accepts ?name=Jane+Smith parameter. |
text/html;profile=mcp-app |
ui://alpha/regulatory-timeline |
Regulatory Timeline | EU AI Act compliance tracker with article-level gap analysis and enforcement countdown. Accepts ?region=EU parameter. |
text/html;profile=mcp-app |
# List available resources (includes ui:// and alpha:// resources) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"resources/list"}' # Read a specific UI resource (returns text/html;profile=mcp-app) curl -X POST https://api.alpha.ac/functions/v1/mcp-server \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":2,"method":"resources/read","params":{"uri":"ui://alpha/governance-dashboard?ticker=MSFT"}}'
Governance tool results include _meta.ui.resourceUri linking to the relevant UI resource:
{
"jsonrpc": "2.0",
"id": 4,
"result": {
"content": [{ "type": "text", "text": "{ ...governance data... }" }],
"_meta": {
"ui": {
"resourceUri": "ui://alpha/governance-dashboard?ticker=MSFT",
"renderHint": "card"
}
}
}
}
These tools work without any API key and are accessible to all agents:
| Tool | Description | Example Input |
|---|---|---|
search_companies |
Search Alpha-rated companies by name, ticker, or sector. Returns up to 10 results with basic AGR data. Tool results include _meta.ui.resourceUri. |
{"query": "Microsoft"} |
get_platform_stats |
Alpha coverage statistics: rated companies count, directors scored, validated outcomes, GEH status. | {} |
get_epoch_model_context |
Epoch AI frontier model capability data: training compute (FLOPs), parameter counts, release dates. | {"query": "GPT-4"} |
get_compute_tier |
AI compute tier classification for a rated company: frontier / advanced / standard / minimal. | {"ticker": "MSFT"} |
get_frontier_models_timeline |
Timeline of frontier model releases (training compute ≥10²&sup5; FLOPs) from Epoch AI data. | {"limit": 10} |
Verify ACD.AI (AI Director) or ACE.AI (AI Executive) certifications issued by the Alpha Institute.
curl "https://api.alpha.ac/functions/v1/credential-verify?id=ACD-2026-00142" curl "https://api.alpha.ac/functions/v1/credential-verify?name=Jane+Smith"
| Parameter | Type | Description |
|---|---|---|
id | string | Credential ID (format: ACD-YYYY-NNNNN or ACE-YYYY-NNNNN) |
name | string | Director or executive full name |
Response:
{
"verified": true,
"credential_type": "ACD.AI",
"holder_name": "Jane Smith",
"credential_id": "ACD-2026-00142",
"issued_at": "2026-01-15",
"expires_at": "2028-01-15",
"agiq_band": "Proficient",
"issuer": "Alpha Institute for AI Governance"
}
The MCP server returns standard JSON-RPC 2.0 error objects. REST endpoints return JSON error objects with error and optional code fields.
| Code | Meaning | Action |
|---|---|---|
-32700 | Parse error — invalid JSON | Fix request body |
-32600 | Invalid request — missing required fields | Check jsonrpc/method fields |
-32601 | Method not found | Check method name in tools/list |
-32602 | Invalid params — wrong or missing arguments | Check tool inputSchema |
-32603 | Internal error | Retry; contact support if persistent |
-32029 | Rate limit exceeded | Wait for Retry-After (60s) |
{
"jsonrpc": "2.0",
"id": 3,
"error": {
"code": -32029,
"message": "Rate limit exceeded. Retry after 60 seconds.",
"data": { "retryAfter": 60 }
}
}
| Resource | URL | Format | Description |
|---|---|---|---|
| OpenAPI Specification | /openapi.json | OpenAPI 3.1 JSON | Full API spec with OAuth2 scopes, schemas, examples |
| MCP Server Card | /.well-known/mcp/server-card.json | JSON | MCP server capabilities, tools, ui:// resources |
| MCP Discovery | /.well-known/mcp.json | JSON | MCP server discovery (RFC 9728 compatible) |
| OAuth Metadata | /.well-known/oauth-protected-resource | JSON | RFC 9728: scopes, bearer methods, auth server |
| Auth Server Metadata | /.well-known/oauth-authorization-server | JSON | OAuth 2.0 authorization server metadata |
| LLM Site Guide | /llms.txt | Markdown | Site guide for AI crawlers (llms.txt spec) |
| Extended LLM Guide | /llms-full.txt | Markdown | Full agent integration instructions |
| Agent Manifest | /agent-manifest.json | JSON | SoftwareApplication schema for AI agent discovery |
| API Catalog | /.well-known/api-catalog | Linkset+JSON | RFC 9727: API catalog (api-catalog link relation) |
| NLWeb Feed | /nlweb-feed.json | JSON-LD | NLWeb-compatible governance intelligence feed |
{
"mcpServers": {
"alpha-radar": {
"command": "npx",
"args": ["-y", "@alpha-ac/cowork-plugin"],
"env": {
"ALPHA_API_KEY": "YOUR_KEY"
}
}
}
}
Questions: info@alpha.ac
API keys: alpha.ac/radar
Methodology: alpha.ac/institute/methodology
Standards Crosswalk (EU AI Act × The Alpha Standard): alpha.ac/institute/standards