# MCP security

> OAuth, scopes, revocation, and credit-spend controls for StoreInspect MCP.

StoreInspect MCP is designed for authenticated AI clients. It uses OAuth instead of API keys.

## Authentication

The MCP server is:

```text
https://mcp.storeinspect.com/mcp
```

The StoreInspect authorization server is:

```text
https://storeinspect.com/api/auth
```

When a client connects, it starts an OAuth authorization-code flow with PKCE. You sign in to StoreInspect and approve the requested scopes.
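
The flow above, as an added example that is not StoreInspect's own client code: it generates the PKCE verifier and S256 challenge, builds the authorization request, checks the callback `state`, and prepares the token request. The server and resource URLs are the ones on this page; the `/authorize` and `/token` paths and the use of the RFC 8707 `resource` parameter are assumptions (a real client takes the endpoints from the authorization server's metadata). `verifier_matches` shows the check the authorization server performs with the stored challenge.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from this page.
AUTH_SERVER = "https://storeinspect.com/api/auth"
MCP_RESOURCE = "https://mcp.storeinspect.com/mcp"

# Assumption: the page does not list the authorization and token endpoints; a
# real client reads them from the authorization server's metadata document.
AUTHORIZE_ENDPOINT = AUTH_SERVER + "/authorize"
TOKEN_ENDPOINT = AUTH_SERVER + "/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list,
                            state: str, verifier: str) -> str:
    """Step 1: the URL the client opens in the browser for sign-in and scope approval."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                                  # binds the callback to this session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",                 # never "plain"
        "resource": MCP_RESOURCE,                        # RFC 8707: token bound to the MCP resource
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the authorization code, refusing a callback with the wrong state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request_body(code: str, client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Step 3: form body POSTed to the token endpoint; the verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
        "resource": MCP_RESOURCE,
    }


def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side: binds the code to the client that requested it."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("my-mcp-client", "http://127.0.0.1:8080/callback",
                                  ["usage:read", "stores:read"], state, verifier))
```

Keep the verifier and `state` in the client's memory for the duration of one flow only; a verifier reused across flows, or a callback accepted without the `state` check, removes the protection PKCE and `state` are there to provide.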

## Protected resource metadata

MCP clients discover StoreInspect's protected-resource metadata (OAuth 2.0 Protected Resource Metadata, RFC 9728) from the MCP origin; this is how a client learns which authorization server to use for this resource:

```text
https://mcp.storeinspect.com/.well-known/oauth-protected-resource
```

StoreInspect validates access-token issuer, signature, expiration, scopes, and resource audience on MCP requests.

## Resource-bound tokens

Access tokens are issued for the MCP resource:

```text
https://mcp.storeinspect.com/mcp
```

When OpenID scopes are requested, the token's `aud` claim can list more than one audience. StoreInspect requires the MCP resource to be present among them; a token issued only for some other audience is rejected even if its issuer, signature, and expiry are all valid.
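
The validation described in this section and in "Protected resource metadata" (issuer, signature, expiration, audience, then scopes), as an added example rather than StoreInspect's own validator. The page does not state the token format or signing algorithm, so this assumes a JWS access token and signs with HMAC-SHA256 to stay dependency-free; a production resource server would verify against the issuer's published public keys instead. The audience check accepts both the single-string and the list form of `aud` and requires the MCP resource to be present. `sign_token` exists only to mint constructed test tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Values taken from this page.
ISSUER = "https://storeinspect.com/api/auth"
MCP_RESOURCE = "https://mcp.storeinspect.com/mcp"


class TokenError(Exception):
    """Raised for any token the resource server must reject."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWS for testing. Assumption: the real issuer's algorithm and
    key type are not on the page; only the claim checks below carry over."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "at+jwt"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_signature(token: str, key: bytes) -> dict:
    """Check structure and signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose it (and never accept "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    try:
        return json.loads(_b64url_decode(p))
    except ValueError:
        raise TokenError("malformed payload")


def validate_access_token(token: str, key: bytes, now=None) -> dict:
    """Issuer, signature, expiration and audience checks; scopes are checked per tool."""
    claims = verify_signature(token, key)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("expired or missing exp")
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list):
        audiences = aud
    else:
        audiences = []
    # Multi-audience tokens are fine as long as the MCP resource is one of them.
    if MCP_RESOURCE not in audiences:
        raise TokenError("token not issued for the MCP resource")
    return claims


def granted_scopes(claims: dict) -> set:
    return set(str(claims.get("scope", "")).split())


def has_scopes(claims: dict, required) -> bool:
    return set(required) <= granted_scopes(claims)
```

Order matters: the signature is verified before any claim is read, and the algorithm is fixed by the verifier rather than taken from the token header, which closes the classic `alg: none` and algorithm-confusion bypasses.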

## Scopes and permissions

StoreInspect MCP uses narrow scopes:

| Scope             | Permission                                  |
| ----------------- | ------------------------------------------- |
| `usage:read`      | Read usage and quota state.                 |
| `stores:read`     | Read store intelligence and taxonomy.       |
| `contacts:search` | Search contact previews.                    |
| `contacts:reveal` | Reveal contact channels after confirmation. |

The MCP server also checks the current StoreInspect plan and credit state at request time. Plan changes, disabled access, and exhausted credits are enforced from live account state, never from claims in a token that may have been issued before the change.

## Revocation

Manage connected MCP clients from the StoreInspect dashboard:

```text
https://storeinspect.com/dashboard/settings/mcp
```

Revoking a connection removes the OAuth consent and invalidates refresh-token access for that client. Because an already-issued access token can remain cryptographically valid until it expires, StoreInspect also checks that an active consent exists each time an MCP tool is called, so revoked clients are blocked on the next request.

For the user-facing flow, see [Manage MCP connections](/mcp/manage-connections).

## Contact credit controls

The `reveal_contacts` tool can spend contact credits only when the tool input includes:

```json
{
  "confirm_spend_credits": true
}
```

If the flag is absent or anything other than boolean `true`, the tool refuses the request and spends nothing.
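
The request-time checks described under "Scopes and permissions", "Revocation" and this section, brought together in one dispatcher as an added example; this is not StoreInspect's server code. It assumes the caller's claims come from an already-validated access token, that the OAuth client id is carried in a `client_id` claim, that one credit is spent per contact revealed, and that the tool names other than `reveal_contacts` are illustrative. Only the four scopes and the `confirm_spend_credits` flag are from the page.

```python
from dataclasses import dataclass

# Scope each tool requires. reveal_contacts and the four scopes are from the page;
# the other tool names are illustrative assumptions.
TOOL_SCOPES = {
    "get_usage": "usage:read",
    "search_stores": "stores:read",
    "search_contacts": "contacts:search",
    "reveal_contacts": "contacts:reveal",
}
CREDITS_PER_CONTACT = 1  # assumption: the page does not state the per-reveal cost


class AuthzError(Exception):
    """The tool call is refused; the message is what the client sees."""


@dataclass
class Account:
    """Live account state, re-read on every call and never taken from the token."""
    mcp_enabled: bool
    contact_credits: int


@dataclass
class Consent:
    """The dashboard-managed grant for one OAuth client on one account."""
    scopes: set
    active: bool = True


class McpServer:
    def __init__(self, accounts: dict, consents: dict):
        self.accounts = accounts    # user id -> Account
        self.consents = consents    # (user id, client id) -> Consent

    def call_tool(self, claims: dict, tool: str, arguments: dict) -> dict:
        """Authorize one tool call. `claims` must already have passed issuer,
        signature, expiry and audience validation."""
        user, client = claims["sub"], claims["client_id"]
        required = TOOL_SCOPES.get(tool)
        if required is None:
            raise AuthzError(f"unknown tool {tool}")

        # 1. The token must carry the tool's scope.
        token_scopes = set(str(claims.get("scope", "")).split())
        if required not in token_scopes:
            raise AuthzError(f"{tool} needs scope {required}")

        # 2. Revocation: a still-valid token is not enough; the consent must exist
        #    and still be active for this client.
        consent = self.consents.get((user, client))
        if consent is None or not consent.active or required not in consent.scopes:
            raise AuthzError("client connection revoked or consent missing")

        # 3. Plan / access state comes from the account record, not from claims.
        account = self.accounts[user]
        if not account.mcp_enabled:
            raise AuthzError("MCP access disabled for this account")

        if tool == "reveal_contacts":
            return self._reveal_contacts(account, arguments)
        return {"tool": tool, "ok": True}

    def _reveal_contacts(self, account: Account, arguments: dict) -> dict:
        # 4. Explicit spend confirmation: boolean true only, not "true", 1, or merely present.
        if arguments.get("confirm_spend_credits") is not True:
            raise AuthzError("reveal_contacts requires confirm_spend_credits: true")
        contact_ids = list(arguments.get("contact_ids", []))
        cost = CREDITS_PER_CONTACT * len(contact_ids)
        if cost == 0:
            raise AuthzError("no contact_ids given")
        # 5. Live credit balance; an exhausted balance refuses before anything is revealed.
        if account.contact_credits < cost:
            raise AuthzError("not enough contact credits")
        account.contact_credits -= cost   # spend only after every check has passed
        return {"revealed": contact_ids, "credits_spent": cost,
                "credits_remaining": account.contact_credits}
```

The checks run cheapest and most static first (scope in the token) and the stateful, mutable ones last (consent, plan, credits), and the credit deduction is the final step so that a refusal at any point leaves the balance untouched.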

## Logging

StoreInspect logs MCP usage for account visibility, support, abuse monitoring, and quota enforcement.

Logs may include:

* Request ID
* User/account ID
* OAuth client ID
* MCP tool name
* Status and error code
* Rows returned
* Credits spent
* Latency

StoreInspect does not log OAuth access tokens, authorization codes, refresh tokens, API keys, or full Authorization headers.

## Troubleshooting

For setup, OAuth, permission, quota, and reveal-confirmation issues, see [MCP troubleshooting](/mcp/troubleshooting).

## Recommended usage

* Review high-impact actions before confirming them in your AI client.
* Revoke clients you no longer use.
* Ask agents to preview contacts before revealing contact channels.
