StoreInspect MCP is designed for authenticated AI clients. It uses OAuth instead of API keys.

Authentication

The MCP server endpoint is:
https://mcp.storeinspect.com/mcp
The StoreInspect authorization server is:
https://storeinspect.com/api/auth
When a client connects, it starts an OAuth authorization-code flow with PKCE. You sign in to StoreInspect and approve the requested scopes.

Protected resource metadata

MCP clients can discover StoreInspect’s protected-resource metadata from the MCP origin:
https://mcp.storeinspect.com/.well-known/oauth-protected-resource
StoreInspect validates access-token issuer, signature, expiration, scopes, and resource audience on MCP requests.

Resource-bound tokens

Access tokens are issued for the MCP resource:
https://mcp.storeinspect.com/mcp
When OpenID scopes are requested, a token can include more than one audience. StoreInspect requires the MCP resource to be present in the audience.
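The following is an added example, not StoreInspect's own code, of the access-token checks the two sections above describe: issuer, signature, expiration, required scopes, and that the MCP resource appears in the audience even when the token carries several audiences. It assumes an HS256 shared-key JWT purely for demonstration (the page does not state StoreInspect's signing algorithm or key); the issuer and resource URLs are the ones on this page, while the key, the claims and the tokens are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# URLs from the page; the key is a constructed stand-in for demonstration only.
MCP_RESOURCE = "https://mcp.storeinspect.com/mcp"
ISSUER = "https://storeinspect.com/api/auth"
DEMO_KEY = b"demo-shared-secret-not-real"  # constructed, not a real key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT; stands in for the authorization server in this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, required_scopes, *, key: bytes = DEMO_KEY, now=None):
    """Return (ok, reason, claims). Claims are only returned after every check passes."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed", None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired", None
    # "aud" may be a string or a list; the MCP resource must be one of the entries.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if MCP_RESOURCE not in aud_list:
        return False, "resource not in audience", None
    granted = set(claims.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing)), None
    return True, "ok", claims
```

The order matters: the signature is checked before any claim is read, so a forged payload is rejected before its contents can influence the decision, and the scope check comes last because it is the only check whose answer depends on the tool being called.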

Scopes and permissions

StoreInspect MCP uses narrow scopes:
Scope              Permission
usage:read         Read usage and quota state.
stores:read        Read store intelligence and taxonomy.
contacts:search    Search contact previews.
contacts:reveal    Reveal contact channels after confirmation.
The MCP server also checks the current StoreInspect plan and credit state at request time. Plan changes, disabled access, or exhausted credits are not trusted from stale token claims.

Revocation

Manage connected MCP clients from the StoreInspect dashboard:
https://storeinspect.com/dashboard/settings/mcp
Revoking a connection removes the OAuth consent and invalidates refresh-token access for that client. StoreInspect also checks that an active consent exists when MCP tools are called, so revoked clients are blocked on the next request. For the user-facing flow, see Manage MCP connections.

Contact credit controls

The reveal_contacts tool can spend contact credits only when the tool input includes:
{
  "confirm_spend_credits": true
}
Without this flag, the tool refuses the request.
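Here is an added example, not StoreInspect's code, of a request-time gate that combines the rules from the scopes, revocation and credit-control sections: the token's scope must cover the tool, the consent must still be active, the plan must not be disabled, and reveal_contacts additionally needs the confirm_spend_credits flag and remaining credits. Only reveal_contacts is a tool name from the page; the other tool names, the AccountState record and the reason strings are assumptions made for the example.

```python
from dataclasses import dataclass

# Tool-to-scope mapping. reveal_contacts and the scopes come from the page; the
# other tool names are hypothetical placeholders for the example.
REQUIRED_SCOPE = {
    "get_usage": "usage:read",
    "search_stores": "stores:read",
    "search_contacts": "contacts:search",
    "reveal_contacts": "contacts:reveal",
}


@dataclass
class AccountState:
    """Live account state looked up per request (constructed stand-in, not StoreInspect's store)."""
    consent_active: bool    # the OAuth consent for this client has not been revoked
    plan_active: bool       # the plan is current and MCP access is not disabled
    contact_credits: int    # credits left for contact reveals


def authorize_tool_call(tool: str, tool_input: dict, token_scopes, state: AccountState):
    """Return (allowed, reason). Token claims alone never authorize a call;
    consent, plan and credit state are checked fresh on every request."""
    needed = REQUIRED_SCOPE.get(tool)
    if needed is None:
        return False, "unknown_tool"
    if needed not in token_scopes:
        return False, "insufficient_scope"
    if not state.consent_active:
        return False, "consent_revoked"
    if not state.plan_active:
        return False, "access_disabled"
    if tool == "reveal_contacts":
        # Require the boolean true, not any truthy value such as the string "true".
        if tool_input.get("confirm_spend_credits") is not True:
            return False, "confirmation_required"
        if state.contact_credits <= 0:
            return False, "credits_exhausted"
    return True, "ok"
```

The `is not True` comparison is deliberate: an AI client that sends `"confirm_spend_credits": "true"` or `1` has not made the explicit confirmation the page describes, and a plain truthiness test would let it through.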

Logging

StoreInspect logs MCP usage for account visibility, support, abuse monitoring, and quota enforcement. Logs may include:
  • Request ID
  • User/account ID
  • OAuth client ID
  • MCP tool name
  • Status and error code
  • Rows returned
  • Credits spent
  • Latency
StoreInspect does not log OAuth access tokens, authorization codes, refresh tokens, API keys, or full Authorization headers.
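As an added example (not StoreInspect's logging code), the function below builds a usage record from the fields listed above while keeping tokens out of it: sensitive headers contribute only their names, and every string in the record is scrubbed for bearer-token and JWT shapes in case an upstream error message echoed one. The header list, the regex and the sample request are constructed for the example.

```python
import json
import re

# Headers whose values must never be written to the log (constructed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}

# Shapes of secrets worth scrubbing wherever they appear: "Bearer <anything>" and
# three-segment JWTs (which begin with the base64url of '{"' → "eyJ").
TOKEN_PATTERN = re.compile(
    r"(?i)\b(?:bearer\s+\S+|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"
)


def scrub(value):
    """Recursively replace token-shaped substrings inside strings, dicts and lists."""
    if isinstance(value, str):
        return TOKEN_PATTERN.sub("[REDACTED]", value)
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def build_log_record(request_id, account_id, client_id, tool, status, error_code,
                     rows_returned, credits_spent, latency_ms, headers):
    """Assemble the usage record from the fields the page lists.
    Request headers are reduced to their names so no value can leak."""
    record = {
        "request_id": request_id,
        "account_id": account_id,
        "client_id": client_id,
        "tool": tool,
        "status": status,
        "error_code": error_code,
        "rows_returned": rows_returned,
        "credits_spent": credits_spent,
        "latency_ms": latency_ms,
        "header_names": sorted(k.lower() for k in headers),
    }
    # Defence in depth: even if a caller passed a token into a string field, scrub it.
    return scrub(record)


def leaks(record, secrets) -> bool:
    """True if any of the given secret strings appears in the serialized record."""
    text = json.dumps(record)
    return any(secret in text for secret in secrets)
```

`leaks` is the kind of check worth running in a unit test against every log path: hand it the real tokens used in the test request and assert they never appear in what would be written.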

Troubleshooting

For setup, OAuth, permission, quota, and reveal-confirmation issues, see MCP troubleshooting.
  • Review high-impact actions before confirming them in your AI client.
  • Revoke clients you no longer use.
  • Ask agents to preview contacts before revealing contact channels.