Security Overview

Search Console MCP is designed with a security-first architecture appropriate for a local CLI application.

OAuth Model

The application uses the OAuth 2.0 Device Authorization Flow.
  • Users authenticate directly with Google in their browser.
  • The application never receives user passwords.
  • Only the read-only Search Console scope is requested.

Token Storage

OAuth tokens are stored locally on the user’s device. Primary storage:
  • macOS: Keychain
  • Windows: Credential Manager
  • Linux: Secret Service / libsecret
Fallback storage:
  • Encrypted file using AES-256-GCM
  • Machine-bound key derivation
  • File permissions restricted to the current user
Only minimal token data is stored:
  • refresh_token
  • Expiry metadata

Data Handling

Search Console MCP:
  • Does not operate a backend server.
  • Does not transmit user data to the developer.
  • Does not collect analytics about user data.
All API communication occurs directly between the user’s device and Google’s APIs.

Revocation

Users may revoke access at any time via their Google Account security settings. After revocation, stored tokens become invalid.