# Security & Privacy for AI Agents - BrewLogica

Last Updated: March 2026

How BrewLogica handles authentication, data scoping, and security for MCP integrations.

## How Agent Authentication Works

Every MCP request is authenticated with a Bearer token in the HTTP Authorization header. Tokens are generated at [https://brewlogica.app/tokens](https://brewlogica.app/tokens) and are never issued automatically.

### Token Properties

| Property   | Value                                                        |
| ---------- | ------------------------------------------------------------ |
| Format     | `bl_` prefix followed by a 64-character random string        |
| Generation | Cryptographically random, never reused                       |
| Storage    | Stored as a one-way hash server-side; plain-text is unrecoverable |
| Expiry     | No automatic expiry; tokens remain valid until revoked       |
| Visibility | Shown only once at creation; store it securely immediately   |

## What Can an AI Agent Access?

All MCP tokens are scoped to your account only. An authenticated agent can read and write your beans, bags, and brews, but cannot access any other user's data, billing information, or credentials.

| Data / Action                    | MCP Agent Can Access                                     |
| -------------------------------- | -------------------------------------------------------- |
| Your beans, bags, brews          | Yes; read and write                                     |
| Your brewing stats and analytics | Yes; read only                                          |
| Other users' data                | No; strict account isolation                            |
| Your email address or password   | No; authentication data is not exposed                  |
| Billing or subscription details  | No; billing is not accessible via MCP                   |
| Generate or revoke other tokens  | No; token management requires web UI login              |
| Delete your account              | No; destructive account operations require authentication |

## Transport Security

All MCP traffic uses HTTPS. The endpoint `https://api.brewlogica.app/mcp` enforces:

- TLS 1.2 minimum; older protocol versions are rejected
- HTTPS-only; HTTP requests are redirected to HTTPS
- HSTS enabled; clients are instructed to always use HTTPS

## Managing and Revoking Tokens

Pro subscribers can create and manage multiple API tokens. Each token is independent; revoking one does not affect others.

**When to revoke a token:**

- You suspect a token was exposed in a commit, log, or conversation
- You are removing an AI client or tool that used the token
- You want to rotate tokens as a security best practice
- You no longer use a specific AI assistant configuration

**How to revoke:**
Visit [https://brewlogica.app/tokens](https://brewlogica.app/tokens), find the token, and click Revoke. Revocation is immediate.

## Security Best Practices

1. **Use one token per client or use case.** Label tokens clearly (for example, "Claude Code - work laptop").
2. **Store tokens in environment variables, not config files committed to git.** Use `$BREWLOGICA_TOKEN` in your MCP config and load it from your shell environment.
3. **Rotate tokens periodically.** Tokens do not expire automatically. Consider rotating every 90 days.
4. **Review active tokens regularly.** Revoke any tokens you no longer use.

**Never commit API tokens to version control.** If a token is exposed, revoke it immediately and generate a new one.
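To catch a token before it reaches a commit or a shared log, the sketch below scans text for strings shaped like the token format in the Token Properties table. It is an added example, not BrewLogica's own tooling; the character set `[A-Za-z0-9_-]` is an assumption (the table gives only the prefix and length), and the sample token is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the 64 characters after "bl_" are ASCII letters, digits, "_" or "-".
# The page states only the prefix and the length, not the alphabet.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])bl_[A-Za-z0-9_-]{64}(?![A-Za-z0-9_-])")


def find_tokens(text):
    """Return (line_number, redacted_match) for each token-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            # Never echo the full secret into terminal or CI logs.
            hits.append((lineno, "bl_..." + tok[-4:]))
    return hits


def scan_paths(paths):
    """Scan files; return a list of (path, line_number, redacted) findings."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        findings.extend((str(p), ln, red) for ln, red in find_tokens(text))
    return findings


# Constructed sample: a fake token (not a real credential) beside the safe form.
FAKE = "bl_" + "a1B2" * 16
SAMPLE = (
    '{"headers": {"Authorization": "Bearer ' + FAKE + '"}}\n'
    '{"headers": {"Authorization": "Bearer $BREWLOGICA_TOKEN"}}\n'
)

if __name__ == "__main__":
    found = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else [
        ("<sample>", ln, red) for ln, red in find_tokens(SAMPLE)]
    for path, ln, red in found:
        print(f"{path}:{ln}: possible BrewLogica token {red}")
    sys.exit(1 if found else 0)
```

Run from a pre-commit hook with the staged file names as arguments, the non-zero exit status blocks the commit. A finding on an already-pushed commit means the token should be revoked, since removing it from history does not un-expose it.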

## Data Privacy

BrewLogica does not sell your coffee data. Limited processing may occur through infrastructure and AI service providers as described in the privacy policy ([https://brewlogica.app/privacy](https://brewlogica.app/privacy)). For MCP usage, BrewLogica scopes all token-based access to your account and only processes requests required to execute tool calls.

Full privacy details: [https://brewlogica.app/privacy](https://brewlogica.app/privacy)

## Related Documentation

- Rate Limits: [https://brewlogica.app/docs/rate-limits](https://brewlogica.app/docs/rate-limits)
- Getting Started: [https://brewlogica.app/docs/getting-started](https://brewlogica.app/docs/getting-started)
- MCP Quickstart: [https://brewlogica.app/docs/mcp-quickstart](https://brewlogica.app/docs/mcp-quickstart)
