> ## Documentation Index
> Fetch the complete documentation index at: https://docs.supercycle.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Security model and best practices for the Operators MCP

The Operators MCP connects to your live Supercycle data, it can read and write to your store.

## Authentication

The Operators MCP uses OAuth authentication:

* You log in with your existing Shopify credentials
* No API keys to manage or rotate
* Access is scoped to your store only, no other merchant's data is accessible
* Sessions can be revoked from <Icon icon="shopify" iconType="solid" /> [Integrations](https://admin.shopify.com/apps/supercycle/settings/integrations)

## Approval flows

The Operators MCP uses MCP safety annotations to protect your data:

* **Read operations**: Auto-approved for seamless searching and viewing of cycles, inventory, charges, and customers.
* **Write operations**: Request user confirmation before creating, updating, or deleting data.

Your AI tool will prompt you for approval before making any changes to your store.

## Data access

* The MCP only operates within your store's data
* You have the same data access as your Supercycle admin account
* No data is shared with external systems unless you explicitly configure integrations
* All operations are performed through the Supercycle API with standard rate limits and validation

## Best practices

* **Review write operations** - Always read the confirmation prompt before approving changes from your AI tool
* **Revoke sessions when needed** - If a team member leaves or access should be removed, revoke their session from <Icon icon="shopify" iconType="solid" /> [Integrations](https://admin.shopify.com/apps/supercycle/settings/integrations)
