Search Console MCP

--- title: 'Security' --- # Security Overview Search Console MCP is designed with a security-first architecture appropriate for a local CLI application. --- ## OAuth Model The application uses OAuth 2.0 Device Authorization Flow. - Users authenticate directly with Google (OAuth) or Bing (API Key). - The application never receives user passwords. - Only read-only Search Console and Bing scopes are requested. --- ## Token Storage OAuth tokens are stored locally on the user’s device. Primary storage: - macOS: Keychain - Windows: Credential Manager - Linux: Secret Service / libsecret Fallback storage: - Encrypted file using AES-256-GCM - Machine-bound key derivation - File permissions restricted to the current user Only minimal token data is stored: - `refresh_token` - Expiry metadata --- ## Data Handling Search Console MCP: - Does not operate a backend server. - Does not transmit user data to the developer. - Does not collect analytics about user data. All API communication occurs directly between the user’s device and Google's/Bing's APIs. --- ## Revocation Users may revoke access at any time via their Google Account security settings. After revocation, stored tokens become invalid.