See it in action:

Overview

Workspace MCP is the single most complete MCP server that integrates all major Google Workspace services with AI assistants. It supports both single-user operation and multi-user authentication via OAuth 2.1, making it a powerful backend for custom applications. Built with FastMCP for optimal performance, featuring advanced authentication handling, service caching, and streamlined development patterns. The entire toolset is available for CLI usage supporting both local and remote instances.

Simplified Setup: Now uses Google Desktop OAuth clients - no redirect URIs or port configuration needed!

Features

12 services  —  Gmail · Drive · Calendar · Docs · Sheets · Slides · Forms · Chat · Apps Script · Tasks · Contacts · Search

Quick Start

Set credentials → pick a launch command → connect your client

# 1. Credentials
export GOOGLE_OAUTH_CLIENT_ID="..."
export GOOGLE_OAUTH_CLIENT_SECRET="..."

# 2. Launch — pick a tier
uvx workspace-mcp --tool-tier core       # essential tools
uvx workspace-mcp --tool-tier extended   # core + management ops
uvx workspace-mcp --tool-tier complete   # everything

# Or cherry-pick services
uv run main.py --tools gmail drive calendar

_{Credential setup → · All launch options → · Tier details →}

One-Click Claude Desktop Install

.dxt bundles server, deps & manifest — download → double-click → done. No terminal, no JSON editing.

1. Download the latest google_workspace_mcp.dxt from Releases
2. Install — double-click the file, Claude Desktop prompts to install
3. Configure — Settings → Extensions → Google Workspace MCP, paste your OAuth credentials
4. Use it — start a new Claude chat and call any Google Workspace tool

Prerequisites

Python 3.10+ · uv/uvx · Google Cloud Project with OAuth 2.0 credentials

Configuration

1. Create Project — Open Console → → Create new project

2. Create OAuth Credentials — APIs & Services → Credentials → Create Credentials → OAuth Client ID

   • Choose Desktop Application (no redirect URIs needed!)
   • Download and note your Client ID & Client Secret

3. Enable APIs — APIs & Services → Library, then enable each service:

   Calendar	Drive	Gmail	Docs
   Sheets	Slides	Forms	Tasks
   Chat	People	Custom Search	Apps Script

4. Set Credentials — see Environment Variable Reference above, or:

   export GOOGLE_OAUTH_CLIENT_ID="your-client-id"
   export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"
   

_{Full OAuth documentation → · Credential setup details →}

Google Custom Search Setup

programmablesearchengine.google.com
/controlpanel/create

→ Configure sites or entire web
→ Note your Engine ID (cx)

developers.google.com
/custom-search/v1/overview

→ Create/select project
→ Enable Custom Search API
→ Create credentials (API Key)

export GOOGLE_PSE_API_KEY=\
  "your-api-key"
export GOOGLE_PSE_ENGINE_ID=\
  "your-engine-id"

Start the Server

📌 Transport Mode Guidance: Use streamable HTTP mode (--transport streamable-http) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. Stdio mode is only for clients with incomplete MCP specification support.

uv run main.py

uv run main.py \
  --transport streamable-http

uv run main.py \
  --single-user

# Load specific services only
uv run main.py --tools gmail drive calendar
uv run main.py --tools sheets docs

# Combine with other flags
uv run main.py --single-user --tools gmail

# Requests only read-only scopes & disables write tools
uv run main.py --read-only

# Combine with specific tools or tiers
uv run main.py --tools gmail drive --read-only
uv run main.py --tool-tier core --read-only

# Per-service permission levels
uv run main.py --permissions gmail:organize drive:readonly

# Combine permissions with tier filtering
uv run main.py --permissions gmail:send drive:full --tool-tier core

uv run main.py --tool-tier core      # ● Essential tools only
uv run main.py --tool-tier extended  # ◐ Core + additional
uv run main.py --tool-tier complete  # ○ All available tools

docker build -t workspace-mcp .
docker run -p 8000:8000 -v $(pwd):/app \
  workspace-mcp --transport streamable-http

# With tool selection via environment variables
docker run -e TOOL_TIER=core workspace-mcp
docker run -e TOOLS="gmail drive calendar" workspace-mcp

CLI

The workspace-cli command lists tools and calls them against a running server — with encrypted, disk-backed OAuth token caching so you only authenticate once. On first run it opens a browser for Google consent; subsequent runs reuse the cached tokens automatically.

Tokens are stored encrypted at ~/.workspace-mcp/cli-tokens/ using a Fernet key auto-generated at ~/.workspace-mcp/.cli-encryption-key.

uv run workspace-cli list
uv run workspace-cli --url https://custom.server/mcp list

# Or, if installed globally:
workspace-cli list
workspace-cli --url https://custom.server/mcp list

uv run workspace-cli call search_gmail_messages \
  query="is:unread" max_results=5

Set URL for remote endpoints with --url or the WORKSPACE_MCP_URL environment variable.

The upstream FastMCP CLI is also bundled and provides additional commands for schema inspection, client installation, and editor discovery. Note that fastmcp uses in-memory token storage, so each invocation may re-trigger the OAuth flow.

fastmcp inspect fastmcp_server.py                        # print tools, resources, prompts
fastmcp install claude-code fastmcp_server.py             # one-command client setup
fastmcp install cursor fastmcp_server.py
fastmcp discover                                          # find servers configured in editors

See fastmcp --help or the FastMCP CLI docs for the full command reference.

Tool Tiers

The server organizes tools into three progressive tiers for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.

Usage Examples

# Basic tier selection
uv run main.py --tool-tier core                            # Start with essential tools only
uv run main.py --tool-tier extended                        # Expand to include management features
uv run main.py --tool-tier complete                        # Enable all available functionality

# Selective service loading with tiers
uv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services
uv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only
uv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets

# Combine tier selection with granular permission levels
uv run main.py --permissions gmail:organize drive:full --tool-tier core

📋 Credential Configuration

export GOOGLE_OAUTH_CLIENT_ID=\
  "your-client-id"
export GOOGLE_OAUTH_CLIENT_SECRET=\
  "your-secret"

# Download & place in project root
client_secret.json

# Or specify custom path
export GOOGLE_CLIENT_SECRET_PATH=\
  /path/to/secret.json

cp .env.oauth21 .env
# Edit .env with credentials

🧰 Available Tools

Note: All tools support automatic authentication via @require_google_service() decorators with 30-minute service caching.

📅 Google Calendar _{calendar_tools.py}

📁 Google Drive _{drive_tools.py}

📧 Gmail _{gmail_tools.py}

Both send_gmail_message and draft_gmail_message support attachments via two methods:

Option 1: File Path (local server only)

attachments=[{"path": "/path/to/report.pdf"}]

Reads file from disk, auto-detects MIME type. Optional filename override.

Option 2: Base64 Content (works everywhere)

attachments=[{
    "filename": "report.pdf",
    "content": "JVBERi0xLjQK...",  # base64-encoded
    "mime_type": "application/pdf"   # optional
}]

⚠️ Centrally Hosted Servers: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use Option 2 with base64-encoded content. Your MCP client must encode files before sending.

When downloading Gmail attachments (get_gmail_attachment_content) or Drive files (get_drive_file_download_url), files are saved to a persistent local directory rather than a temporary folder in the working directory.

Default location: ~/.workspace-mcp/attachments/

Files are saved with their original filename plus a short UUID suffix for uniqueness (e.g., invoice_a1b2c3d4.pdf). In stdio mode, the tool returns the absolute file path for direct filesystem access. In HTTP mode, it returns a download URL via the /attachments/{file_id} endpoint.

To customize the storage directory:

export WORKSPACE_ATTACHMENT_DIR="/path/to/custom/dir"

Saved files expire after 1 hour and are cleaned up automatically.

📝 Google Docs _{docs_tools.py}

📊 Google Sheets _{sheets_tools.py}

🖼️ Google Slides _{slides_tools.py}

📋 Google Forms _{forms_tools.py}

✓ Google Tasks _{tasks_tools.py}

👤 Google Contacts _{contacts_tools.py}

💬 Google Chat _{chat_tools.py}

🔍 Google Custom Search _{search_tools.py}

⚡ Google Apps Script _{apps_script_tools.py}

Connect to Claude Desktop

The server supports two transport modes:

Stdio Mode (Legacy - For Clients with Incomplete MCP Support)

⚠️ Important: Stdio mode is a legacy fallback for clients that don't properly implement the MCP specification with OAuth 2.1 and streamable HTTP support. Claude Code and other modern MCP clients should use streamable HTTP mode (--transport streamable-http) for proper OAuth flow and multi-user support.

In general, you should use the one-click DXT installer package for Claude Desktop.
If you are unable to for some reason, you can configure it manually via claude_desktop_config.json

Manual Claude Configuration (Alternative)

1. Open Claude Desktop Settings → Developer → Edit Config

   • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
   • Windows: %APPDATA%\Claude\claude_desktop_config.json

2. Add the server configuration:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

Connect to LM Studio

Add a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1",
      }
    }
  }
}

2. Advanced / Cross-Platform Installation

If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.

Instant CLI (uvx)

# Requires Python 3.10+ and uvx
# First, set credentials (see Credential Configuration above)
uvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar

Note: Configure OAuth credentials before running. Supports environment variables, .env file, or client_secret.json.

Local Development Setup

# Install everything needed for linting, tests, and release tooling
uv sync --group dev

# Run the same linter that git hooks invoke automatically
uv run ruff check .

# Execute the full test suite (async fixtures require pytest-asyncio)
uv run pytest

• uv sync --group test installs only the testing stack if you need a slimmer environment.
• uv run main.py --transport streamable-http launches the server with your checked-out code for manual verification.
• Ruff is part of the dev group because pre-push hooks call ruff check automatically—run it locally before committing to avoid hook failures.

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional configuration needed!

When to use OAuth 2.1:

• Multiple users accessing the same MCP server instance
• Need for bearer token authentication instead of passing user emails
• Building web applications or APIs on top of the MCP server
• Production environments requiring secure session management
• Browser-based clients requiring CORS support

⚠️ Important: OAuth 2.1 and Single-User Mode are mutually exclusive

OAuth 2.1 mode (MCP_ENABLE_OAUTH21=true) cannot be used together with the --single-user flag:

• Single-user mode: For legacy clients that pass user emails in tool calls
• OAuth 2.1 mode: For modern multi-user scenarios with bearer token authentication

Choose one authentication method - using both will result in a startup error.

Enabling OAuth 2.1:
To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.

# OAuth 2.1 requires HTTP transport mode
export MCP_ENABLE_OAUTH21=true
uv run main.py --transport streamable-http

If MCP_ENABLE_OAUTH21 is not set to true, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.

FastMCP ships a native GoogleProvider that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:

1. Dynamic Client Registration: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID/secret under the hood.

2. CORS & Browser Compatibility: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom /oauth2/* routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.

The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.

Stateless Mode (Container-Friendly)

The server supports a stateless mode designed for containerized environments where file system writes should be avoided:

Enabling Stateless Mode:

# Stateless mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export WORKSPACE_MCP_STATELESS_MODE=true
uv run main.py --transport streamable-http

Key Features:

• No file system writes: Credentials are never written to disk
• No debug logs: File-based logging is completely disabled
• Memory-only sessions: All tokens stored in memory via OAuth 2.1 session store
• Container-ready: Perfect for Docker, Kubernetes, and serverless deployments
• Token per request: Each request must include a valid Bearer token

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true
• Incompatible with single-user mode
• Clients must handle OAuth flow and send valid tokens with each request

This mode is ideal for:

• Cloud deployments where persistent storage is unavailable
• Multi-tenant environments requiring strict isolation
• Containerized applications with read-only filesystems
• Serverless functions and ephemeral compute environments

MCP Inspector: No additional configuration needed with desktop OAuth client.

Claude Code: No additional configuration needed with desktop OAuth client.

OAuth Proxy Storage Backends

The server supports pluggable storage backends for OAuth proxy state management via FastMCP 2.13.0+. Choose a backend based on your deployment needs.

Available Backends:

Configuration:

# Memory storage (fast, no persistence)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=memory

# Disk storage (persists across restarts)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=disk
export WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY=~/.fastmcp/oauth-proxy

# Valkey/Redis storage (distributed, multi-server)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=redis.example.com
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=6379

Disk support requires workspace-mcp[disk] (or py-key-value-aio[disk]) when installing from source.
The official Docker image includes the disk extra by default.
Valkey support is optional. Install workspace-mcp[valkey] (or py-key-value-aio[valkey]) only if you enable the Valkey backend.
Windows: building valkey-glide from source requires MSVC C++ build tools with C11 support. If you see aws-lc-sys C11 errors, set CFLAGS=/std:c11.

Encryption: Disk and Valkey storage are encrypted with Fernet. The encryption key is derived from FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY if set, otherwise from GOOGLE_OAUTH_CLIENT_SECRET.

External OAuth 2.1 Provider Mode

The server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.

Enabling External OAuth 2.1 Provider Mode:

# External OAuth provider mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export EXTERNAL_OAUTH21_PROVIDER=true
uv run main.py --transport streamable-http

How It Works:

• Protocol-level auth enabled: All MCP requests (including initialize and tools/list) require a valid Bearer token, following the standard OAuth 2.1 flow. Unauthenticated requests receive a 401 with resource metadata pointing to Google's authorization server.
• External OAuth flow: Your external system handles the OAuth flow and obtains Google access tokens (ya29.*)
• Token validation: Server validates bearer tokens by calling Google's userinfo API
• Multi-user support: Each request is authenticated independently based on its bearer token
• Resource metadata discovery: The server serves /.well-known/oauth-protected-resource (RFC 9728) advertising Google as the authorization server and the required scopes

Key Features:

• No local OAuth flow: Server does not provide /authorize, /token, or /register endpoints — only resource metadata
• Bearer token only: All authentication via Authorization: Bearer <token> headers
• Stateless by design: Works seamlessly with WORKSPACE_MCP_STATELESS_MODE=true
• External identity providers: Integrate with your existing authentication infrastructure

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true
• OAuth credentials still required for token validation (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET)
• External system must obtain valid Google OAuth access tokens (ya29.*)
• Each tool call request must include valid bearer token

Use Cases:

• Integrating with existing authentication systems
• Custom OAuth flows managed by your application
• API gateways that handle authentication upstream
• Multi-tenant SaaS applications with centralized auth
• Mobile or web apps with their own OAuth implementation

VS Code MCP Client Support

✅ Recommended: VS Code MCP extension properly supports the full MCP specification. Always use HTTP transport mode for proper OAuth 2.1 authentication.

{
    "servers": {
        "google-workspace": {
            "url": "http://localhost:8000/mcp/",
            "type": "http"
        }
    }
}

Note: Make sure to start the server with --transport streamable-http when using VS Code MCP.

Claude Code MCP Client Support

✅ Recommended: Claude Code is a modern MCP client that properly supports the full MCP specification. Always use HTTP transport mode with Claude Code for proper OAuth 2.1 authentication and multi-user support.

# Start the server in HTTP mode first
uv run main.py --transport streamable-http

# Then add to Claude Code
claude mcp add --transport http workspace-mcp http://localhost:8000/mcp

Reverse Proxy Setup

If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you have two configuration options:

Problem: When behind a reverse proxy, the server constructs OAuth URLs using internal ports (e.g., http://localhost:8000) but external clients need the public URL (e.g., https://your-domain.com).

Solution 1: Set WORKSPACE_EXTERNAL_URL for all OAuth endpoints:

# This configures all OAuth endpoints to use your external URL
export WORKSPACE_EXTERNAL_URL="https://your-domain.com"

Solution 2: Set GOOGLE_OAUTH_REDIRECT_URI for just the callback:

# This only overrides the OAuth callback URL
export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback"

You also have options for:
| OAUTH_CUSTOM_REDIRECT_URIS (optional) | Comma-separated list of additional redirect URIs |
| OAUTH_ALLOWED_ORIGINS (optional) | Comma-separated list of additional CORS origins |

Important:

• Use WORKSPACE_EXTERNAL_URL when all OAuth endpoints should use the external URL (recommended for reverse proxy setups)
• Use GOOGLE_OAUTH_REDIRECT_URI when you only need to override the callback URL
• The redirect URI must exactly match what's configured in your Google Cloud Console
• Your reverse proxy must forward OAuth-related requests (/oauth2callback, /oauth2/*, /.well-known/*) to the MCP server

# Configure credentials first (see Credential Configuration section)

# Start with specific tools only
uvx workspace-mcp --tools gmail drive calendar tasks

# Start with tool tiers (recommended for most users)
uvx workspace-mcp --tool-tier core      # Essential tools
uvx workspace-mcp --tool-tier extended  # Core + additional features
uvx workspace-mcp --tool-tier complete  # All tools

# Start in HTTP mode for debugging
uvx workspace-mcp --transport streamable-http

Requires Python 3.10+ and uvx. The package is available on PyPI.

Development Installation

For development or customization:

git clone https://github.com/taylorwilsdon/google_workspace_mcp.git
cd google_workspace_mcp
uv run main.py

Development Installation (For Contributors):

{
  "mcpServers": {
    "google_workspace": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/repo/google_workspace_mcp",
        "main.py"
      ],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

HTTP Mode (For debugging or web interfaces)

If you need to use HTTP mode with Claude Desktop:

{
  "mcpServers": {
    "google_workspace": {
      "command": "npx",
      "args": ["mcp-remote", "http://localhost:8000/mcp"]
    }
  }
}

Note: Make sure to start the server with --transport streamable-http when using HTTP mode.

First-Time Authentication

The server uses Google Desktop OAuth for simplified authentication:

• No redirect URIs needed: Desktop OAuth clients handle authentication without complex callback URLs
• Automatic flow: The server manages the entire OAuth process transparently
• Transport-agnostic: Works seamlessly in both stdio and HTTP modes

When calling a tool:

1. Server returns authorization URL
2. Open URL in browser and authorize
3. Google provides an authorization code
4. Paste the code when prompted (or it's handled automatically)
5. Server completes authentication and retries your request

◆ Development

Project Structure

google_workspace_mcp/
├── auth/              # Authentication system with decorators
├── core/              # MCP server and utilities
├── g{service}/        # Service-specific tools
├── main.py            # Server entry point
├── client_secret.json # OAuth credentials (not committed)
└── pyproject.toml     # Dependencies

Adding New Tools

from auth.service_decorator import require_google_service

@require_google_service("drive", "drive_read")  # Service + scope group
async def your_new_tool(service, param1: str, param2: int = 10):
    """Tool description"""
    # service is automatically injected and cached
    result = service.files().list().execute()
    return result  # Return native Python objects

Architecture Highlights

• Service Caching: 30-minute TTL reduces authentication overhead
• Scope Management: Centralized in SCOPE_GROUPS for easy maintenance
• Error Handling: Native exceptions instead of manual error construction
• Multi-Service Support: @require_multiple_services() for complex tools

Credential Store System

The server includes an abstract credential store API and a default backend for managing Google OAuth
credentials with support for multiple storage backends:

Features:

• Abstract Interface: CredentialStore base class defines standard operations (get, store, delete, list users)
• Local File Storage: LocalDirectoryCredentialStore implementation stores credentials as JSON files
• Configurable Storage: Environment variable GOOGLE_MCP_CREDENTIALS_DIR sets storage location
• Multi-User Support: Store and manage credentials for multiple Google accounts
• Automatic Directory Creation: Storage directory is created automatically if it doesn't exist

Configuration:

# Optional: Set custom credentials directory
export GOOGLE_MCP_CREDENTIALS_DIR="/path/to/credentials"

# Default locations (if GOOGLE_MCP_CREDENTIALS_DIR not set):
# - ~/.google_workspace_mcp/credentials (if home directory accessible)
# - ./.credentials (fallback)

Usage Example:

from auth.credential_store import get_credential_store

# Get the global credential store instance
store = get_credential_store()

# Store credentials for a user
store.store_credential("[email protected]", credentials)

# Retrieve credentials
creds = store.get_credential("[email protected]")

# List all users with stored credentials
users = store.list_users()

The credential store automatically handles credential serialization, expiry parsing, and provides error handling for storage operations.

⊠ Security

• Prompt Injection: This MCP server has the capability to retrieve your email, calendar events and drive files. Those emails, events and files could potentially contain prompt injections - i.e. hidden white text that tells it to forward your emails to a different address. You should exercise caution and in general, only connect trusted data to an LLM!
• Credentials: Never commit .env, client_secret.json or the .credentials/ directory to source control!
• OAuth Callback: Uses http://localhost:8000/oauth2callback for development (requires OAUTHLIB_INSECURE_TRANSPORT=1)
• Transport-Aware Callbacks: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes
• Production: Use HTTPS & OAuth 2.1 and configure accordingly
• Scope Minimization: Tools request only necessary permissions
• Local File Access Control: Tools that read local files (e.g., attachments, file:// uploads) are restricted to the user's home directory by default. Override this with the ALLOWED_FILE_DIRS environment variable:

  # Colon-separated list of directories (semicolon on Windows) from which local file reads are permitted
  export ALLOWED_FILE_DIRS="/home/user/documents:/data/shared"
  

  Regardless of the allowlist, access to sensitive paths (.env, .ssh/, .aws/, /etc/shadow, credential files, etc.) is always blocked.

≡ License

MIT License - see LICENSE file for details.

Validations: