Auth and Scopes

MCP access should be scoped by user consent and enforced by application services plus Supabase RLS.

Users can create a short-lived MCP bearer token from Settings > Connected Agents in the web app. This token is a Supabase user-session access token, so it should be treated like an account credential and pasted only into trusted MCP clients.

Planned toolset scopes:

  • budget.read
  • analytics.read
  • statements.read
  • statements.write
  • goals.read
  • goals.write
  • plans.read
  • plans.write

Write scopes should be granted conservatively.

Current first-party session tokens without explicit OAuth client claims are accepted for read-only MCP access. Third-party OAuth clients should receive explicit Saviqo scopes and continue through the consent flow.
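The two rules above (first-party session tokens are read-only, third-party OAuth clients get only the scopes they were granted through consent) as an application-service check, written here as an added example rather than Saviqo's own code. It assumes the bearer token has already been signature-verified and decoded, that the OAuth client identity is carried in a `client_id` claim and granted scopes in a space-separated `scope` claim, and that the tool names in the map are hypothetical.

```typescript
// Added example (not Saviqo's code). Enforces the scope model at the
// application-service layer; Supabase RLS remains the second layer underneath.
// Assumptions: claims are already verified/decoded, OAuth client identity is in
// `client_id`, granted scopes are in a space-separated `scope` claim, and the
// tool-to-scope map is illustrative.

const READ_SCOPES = [
  "budget.read", "analytics.read", "statements.read", "goals.read", "plans.read",
] as const;
const WRITE_SCOPES = ["statements.write", "goals.write", "plans.write"] as const;
const ALL_SCOPES: ReadonlySet<string> = new Set<string>([...READ_SCOPES, ...WRITE_SCOPES]);

// Hypothetical MCP tool names mapped to the scope each one requires.
const TOOL_SCOPE: Record<string, string> = {
  list_budgets: "budget.read",
  get_spending_summary: "analytics.read",
  list_statements: "statements.read",
  upload_statement: "statements.write",
  list_goals: "goals.read",
  create_goal: "goals.write",
};

interface TokenClaims {
  sub: string;        // Supabase user id
  exp: number;        // expiry, seconds since epoch
  client_id?: string; // present only for third-party OAuth clients (assumed claim)
  scope?: string;     // space-separated Saviqo scopes (assumed claim)
}

// First-party session tokens (no OAuth client claim) get read-only access
// regardless of any scope claim; third-party clients get exactly the scopes
// granted through consent, with unknown scope strings dropped, not trusted.
function grantedScopes(claims: TokenClaims): Set<string> {
  if (!claims.client_id) return new Set<string>(READ_SCOPES);
  const requested = (claims.scope ?? "").split(" ").filter((s) => s.length > 0);
  return new Set<string>(requested.filter((s) => ALL_SCOPES.has(s)));
}

interface Decision { allowed: boolean; reason: string }

// Deny-by-default: expired token, unknown tool, or missing scope all refuse.
function authorizeTool(claims: TokenClaims, tool: string, nowSec: number): Decision {
  if (claims.exp <= nowSec) return { allowed: false, reason: "token expired" };
  const needed = TOOL_SCOPE[tool];
  if (needed === undefined) return { allowed: false, reason: `unknown tool ${tool}` };
  if (!grantedScopes(claims).has(needed)) {
    return { allowed: false, reason: `missing scope ${needed}` };
  }
  return { allowed: true, reason: "ok" };
}
```

The check is deliberately independent of RLS: even if a write tool slipped past this layer, the Supabase policies still apply to the user's own rows.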

Saviqo public documentation