Security & Privacy for AI Agents
Last Updated: March 2026
BrewLogica's MCP integration is built with a principle of minimal trust: AI agents get access only to what you explicitly authorize, only to your data, and only for as long as your token is active. This page explains the full security model.
How Agent Authentication Works
Every MCP request is authenticated with a Bearer token included in the HTTP Authorization header. Tokens are generated by you at brewlogica.app/tokens and are never issued automatically.
Token Properties
| Property | Details |
|---|---|
| Format | bl_ prefix followed by a 64-character random string |
| Generation | Cryptographically random, never reused |
| Storage | Stored as a one-way hash server-side — BrewLogica cannot recover your plain-text token |
| Expiry | No automatic expiry — tokens remain valid until you revoke them |
| Visibility | Shown only once at creation — store it securely immediately |
Never commit API tokens to version control.
Store tokens in environment variables or your AI client's secure configuration. If a token is exposed, revoke it immediately from the tokens page and generate a new one.
What Can an AI Agent Access?
All MCP tokens are scoped to your account only. An authenticated agent can read and write your beans, bags, and brews — but cannot access any other user's data, your billing information, or account credentials.
| Data / Action | MCP Agent Can Access |
|---|---|
| Your beans, bags, brews | Yes — read and write |
| Your brewing stats and analytics | Yes — read only |
| Other users' data | No — strict account isolation |
| Your email address or password | No — authentication data is not exposed |
| Billing or subscription details | No — billing is not accessible via MCP |
| Generate or revoke other tokens | No — token management requires web UI login |
| Delete your account | No — destructive account operations require authentication |
Transport Security
All MCP traffic is encrypted in transit. The API endpoint (https://api.brewlogica.app/mcp) enforces:
- TLS 1.2 minimum — older protocol versions are rejected
- HTTPS-only — HTTP requests are redirected to HTTPS
- HSTS enabled — browsers and clients are instructed to always use HTTPS
Managing and Revoking Tokens
Pro subscribers can create and manage multiple API tokens. Each token is independent — revoking one does not affect others.
When to revoke a token
- You suspect a token was exposed in a commit, log, or conversation
- You are removing an AI client or tool that used the token
- You want to rotate tokens as a security best practice
- You no longer use a specific AI assistant configuration
How to revoke
Visit brewlogica.app/tokens, find the token by its label, and click Revoke. Revocation is immediate — the token stops working within seconds.
Security Best Practices
1. Use one token per client or use case
   Label tokens clearly (e.g., "Claude Code - work laptop"). This makes it easy to revoke access to a specific client without disrupting others.
2. Store tokens in environment variables, not config files committed to git
   Use $BREWLOGICA_TOKEN in your MCP config and load it from your shell environment.
3. Rotate tokens periodically
   Tokens do not expire automatically. Consider rotating them every 90 days as a precaution, especially for shared or long-running setups.
4. Review active tokens regularly
   Revoke any tokens you no longer use. Unused tokens are a dormant risk if the device they were stored on is lost or compromised.
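A check that supports the advice above on keeping tokens out of version control, added here as an example and not BrewLogica's own code: it flags strings matching the documented format (bl_ plus 64 characters) in files or log text and reports them redacted. The character set in the pattern is an assumption, since this page specifies only the prefix and length, and the function names are illustrative.

```python
"""Scan text for BrewLogica-style tokens before it reaches git or a log."""
import re
import sys

# Assumption: the 64 characters after "bl_" are drawn from [A-Za-z0-9_-].
# The page only specifies the prefix and length, so widen this if needed.
_BODY = r"[A-Za-z0-9_-]"
TOKEN_RE = re.compile(rf"(?<!{_BODY})bl_({_BODY}{{64}})(?!{_BODY})")


def redact(text: str) -> str:
    """Keep only the prefix plus 4 characters of each token so a finding
    can be reported without repeating the secret."""
    return TOKEN_RE.sub(lambda m: f"bl_{m.group(1)[:4]}...[redacted]", text)


def find_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_line) for every line holding a token."""
    return [
        (n, redact(line.strip()))
        for n, line in enumerate(text.splitlines(), start=1)
        if TOKEN_RE.search(line)
    ]


def scan_files(paths: list[str]) -> int:
    """Print findings for each file; return the number of lines flagged."""
    hits = 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_tokens(fh.read())
        except OSError as exc:
            print(f"{path}: skipped ({exc})", file=sys.stderr)
            continue
        for line_no, shown in findings:
            print(f"{path}:{line_no}: possible BrewLogica token: {shown}")
        hits += len(findings)
    return hits


if __name__ == "__main__":
    # Intended use: a git pre-commit hook passing the staged file names.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

A non-zero exit status blocks the commit when the script is run from a pre-commit hook; a config line that only references $BREWLOGICA_TOKEN is not flagged.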
Data Privacy
BrewLogica does not sell your coffee data. Limited processing may occur through infrastructure and AI service providers as described in the Privacy Policy. For MCP usage, BrewLogica scopes all token-based access to your account and only processes requests required to execute tool calls.
For full details on how we handle your data, see the Privacy Policy.