Guide
Deployment & self-hosting options
Most teams use the hosted MCP server. Some need to run the connector core themselves. Here is what each path gives you and where the spend boundary lives in both.
Hosted is the default
The hosted SpendSignoff MCP server is the path almost everyone takes. You point your AI client at one URL, OAuth into your ad accounts, and you are running — token storage, the approval app, the audit log, and the spend envelope are all managed. Nothing to operate.
The hosted endpoint
One Streamable-HTTP URL, OAuth 2.1, scopes mcp.read and mcp.draft only. Add it to your client and authorize.
MCP server URL
https://mcp.spendsignoff.com/mcpWhen self-hosting makes sense
The connector core is open-source. Running it yourself is for teams with specific constraints, not a performance win.
- A privacy or compliance posture that requires ad-account tokens never leave your infrastructure.
- An air-gapped or VPC-only network where a hosted endpoint is not reachable.
- A need to read the exact connector code that talks to Google Ads and Meta before trusting it with reads.
The boundary does not change when you self-host
mcp.approve scope in either deployment.What you take on by self-hosting
Self-hosting the connector means you own its uptime, its secret storage, and its upgrades. The approval app, the KMS-signed audit log, and the 24h spend envelope are the safety substrate — if you run your own stack, you are responsible for keeping those guarantees intact, not just the connector process.
Next
Compatibility
What each AI client supports today: Claude, ChatGPT, Cursor.