Auth and Scopes
MCP access should be scoped by user consent and enforced by application services plus Supabase RLS.
For ChatGPT and other remote MCP clients, Saviqo uses an OAuth consent flow. The client discovers the Saviqo authorization server, opens a Saviqo consent screen, receives a short-lived MCP access token, and can renew access with a refresh token until the user revokes the connected agent.
Users can also create a manual MCP bearer token from Settings > Connected Agents in the web app. This manual token is a Supabase user-session access token, so it should be treated like an account credential and used only with trusted local bridges or clients that cannot complete OAuth.
Planned toolset scopes:
budget.readanalytics.readstatements.readstatements.writegoals.readgoals.writeplans.readplans.write
Write scopes should be granted conservatively.
OAuth-connected clients receive explicit Saviqo scopes and continue through the consent flow. Current first-party session tokens without explicit OAuth client claims are accepted for read-only MCP access as an advanced compatibility path.
When an OAuth access token expires, compatible clients should use the Saviqo token endpoint to rotate the refresh token and receive a new access token. If refresh fails, the client should show the Saviqo authorization link again so the user can reconnect from the chat or agent interface.
Deployment Configuration
Apply supabase-mcp-oauth-connected-agents-migration.sql before enabling OAuth clients in production.
The API service needs these environment variables:
SAVIQO_SUPABASE_URLSAVIQO_SUPABASE_SERVICE_ROLE_KEYSAVIQO_OAUTH_TOKEN_SECRETSAVIQO_CONNECTED_AGENT_ENCRYPTION_KEYSAVIQO_PUBLIC_API_URLSAVIQO_PUBLIC_WEB_URL
SAVIQO_OAUTH_TOKEN_SECRET is used for token hashing. SAVIQO_CONNECTED_AGENT_ENCRYPTION_KEY is used to encrypt the Supabase session material that lets Saviqo preserve RLS while refreshing MCP access.