dataroom.dev

Integration

MCP data rooms: the complete guide to agent-driven data rooms

How the Model Context Protocol turns a virtual data room into something an AI agent can operate: architecture, the 43-tool surface, Claude Desktop and Claude Code setup, scoped tokens, and worked agent workflows with the Papermark MCP server.

Read full docsMCP server reference: canonical docs
July 4, 2026·5 min read·By dataroom.dev

The Model Context Protocol (MCP) is an open standard that lets AI applications call tools exposed by external servers. An MCP data room is what you get when a virtual data room platform ships one of those servers: the agent inside Claude Desktop, Claude Code, or any other MCP host gains a typed, authenticated tool surface for creating rooms, uploading documents, minting links, and reading engagement analytics.

This guide covers why the pairing works, how the architecture fits together, how to set it up in the two most common hosts, how to scope credentials safely, and what real agent workflows look like. The worked example throughout is @papermark/mcp-server, which as of 2026 is the only MCP server shipped by a virtual data room platform. If you want an MCP-drivable data room, Papermark is currently the option.

Why data rooms suit agents unusually well

Most "add AI to X" integrations are demos. Data room operations are a genuinely good fit for three structural reasons:

  1. The work is orchestration, not judgment. "Create a room for Project Pelican, standard M&A folder structure, upload everything in this directory, one watermarked link per bidder on this list" is twenty API calls with clear success criteria. Agents excel at exactly this shape of work, and the human stays in the loop as approver rather than operator.
  2. The state is legible. Every resource in a data room (dataroom, document, folder, link, visitor, view) can be listed and inspected through tools, so the agent can verify its own work: create the link, read it back, confirm the expiry is set.
  3. The analytics are a language task. "Which bidders looked most engaged this week, and what did they skip" is a question over structured view data that ends in prose. An agent with get_dataroom_analytics and list_visitor_views answers it directly; a dashboard makes a human assemble the answer.

Architecture: what talks to what

The MCP layer is deliberately thin. Four parts:

  1. The host — Claude Desktop, Claude Code, or any MCP-capable application. Runs the model, renders tool-approval prompts to the user.
  2. The MCP server@papermark/mcp-server, a Node process started by the host over stdio (or reachable over HTTP for remote setups). It translates tool calls into REST calls.
  3. The APIhttps://api.papermark.com/v1 (or your self-hosted instance). This is where policy is enforced: the MCP server holds no state and adds no privileges beyond what the token allows.
  4. The token — a pm_live_… API token or an OAuth 2.1 device-flow grant. Every tool call is a real authenticated request, and every action lands in the same audit log as dashboard actions.

The property worth internalizing: the MCP server grants no capability that the token does not already have. Scoping the token scopes the agent.

Setup

Claude Desktop, in claude_desktop_config.json:

{
  "mcpServers": {
    "papermark": {
      "command": "npx",
      "args": ["-y", "@papermark/mcp-server"],
      "env": {
        "PAPERMARK_TOKEN": "pm_live_..."
      }
    }
  }
}

Claude Code, one command:

claude mcp add papermark \
  --env PAPERMARK_TOKEN=pm_live_... \
  -- npx -y @papermark/mcp-server

Mint the token at app.papermark.com/settings/tokens. For interactive setups where you would rather not paste a long-lived token into a config file, the server also supports the OAuth 2.1 device flow: it prints a short code, you approve it in the browser, and the grant is scoped and revocable. Details in the OAuth device flow guide.

Verify the wiring by asking the agent to list your datarooms. A correct setup answers with real room names in a few seconds.

The tool surface

The server exposes 43 tools mirroring the REST API's 43 operations, grouped by the six resources:

  1. Datarooms: create, get, list, search, update, delete, plus dataroom-level analytics.
  2. Documents: upload, get, list, search, update, delete, versioning (list, add, promote), and upload-request flows.
  3. Folders: create, get, list, update, move, delete, in both document and dataroom scopes.
  4. Links: create, get, list, update, delete, and per-link view listings. This is where policy lives: expiry, passwords, email gating, watermarks, download permission.
  5. Visitors: list, get, and per-visitor view history.
  6. Views and analytics: page-level engagement, per-document and per-dataroom rollups.

Names are verb-first and predictable (create_dataroom, list_links, get_visitor), which matters more for MCP than for a human-facing SDK: the model selects tools by reading their names and descriptions, so a regular grammar measurably reduces wrong-tool calls. The full annotated list is on the MCP page; the canonical behavior reference is papermark.com/docs.

Scoping: the part not to skip

An agent with your token is your token. Treat the blast radius accordingly:

  1. Scope tokens to the workspace or team that the agent actually operates on. A deal-desk agent needs the deals workspace, not the board-communications workspace.
  2. Prefer the device flow for humans, tokens for automation. Device-flow grants are individually revocable and visibly attributed in the audit log.
  3. Keep destructive tools behind approval. MCP hosts prompt before tool calls by default; leave that on for delete_dataroom, delete_document, and delete_link even if you allowlist the read-only tools.
  4. Read the audit log. Agent actions are API actions, so list_views and the event log show exactly what the agent did. Review it the way you would review a new hire's first week.

Three worked workflows

Deal room provisioning. Prompt: "Create a data room called Project Pelican with the standard M&A folder structure, upload everything under ~/deals/pelican, and give me one link per bidder in bidders.csv, each watermarked, expiring August 15." The agent chains create_dataroom, create_dataroom_folder several times, upload_document per file, and create_link per bidder, then reports the links back as a table. Twenty minutes of dashboard clicking becomes one approved plan.

Engagement digest. Prompt: "Every Monday, summarize last week's activity in the Pelican room: who viewed, what they focused on, who went quiet." The agent uses get_dataroom_analytics, list_visitors, and list_visitor_views, then writes the summary a human would have assembled from a dashboard. Pair it with view events to Slack for the push-based version.

Link hygiene. Prompt: "Find every link across my datarooms with no expiry or no email gating, and propose fixes." The agent sweeps list_datarooms and list_links, filters on policy fields, and returns a remediation list; on approval it applies update_link per finding. This is the audit that every team means to run quarterly and never does.

Failure modes to expect

Agent-driven does not mean unattended. The recurring issues, and the mitigations:

  1. Ambiguous targets. "Delete the old link" when three links match. Mitigation: keep approval prompts on for mutations, and name rooms and links descriptively.
  2. Partial completion. A 400-document upload can fail on document 217. The agent should verify counts after bulk operations (list_dataroom_documents and compare); prompt it to do so explicitly.
  3. Stale context. An agent reasoning from a room listing fetched an hour ago can act on links that a teammate already revoked. For long sessions, tell the agent to re-list before mutating.

None of these are MCP-specific: they are the same failure modes as any junior operator with API access, which is the correct mental model for what you have deployed.

See also

More in Integration