Security Overview

Search Console MCP is designed with a security-first architecture appropriate for a local CLI application.

OAuth Model

The application uses OAuth 2.0 Device Authorization Flow.
  • Users authenticate directly with Google (OAuth) or Bing (API Key).
  • The application never receives user passwords.
  • Only read-only Search Console and Bing scopes are requested.

Token Storage

OAuth tokens are stored locally on the user’s device. Primary storage:
  • macOS: Keychain
  • Windows: Credential Manager
  • Linux: Secret Service / libsecret
Fallback storage:
  • Encrypted file using AES-256-GCM
  • Machine-bound key derivation
  • File permissions restricted to the current user
Only minimal token data is stored:
  • refresh_token
  • Expiry metadata

Data Handling

Search Console MCP:
  • Does not operate a backend server.
  • Does not transmit user data to the developer.
  • Does not collect analytics about user data.
All API communication occurs directly between the user’s device and Google’s/Bing’s APIs.

Revocation

Users may revoke access at any time via their Google Account security settings. After revocation, stored tokens become invalid.