Authentication & scoping
- Org-scoped keys. Every ecn_mcp_… key is tied to exactly one organization.
A key for org A can never read or write org B’s data — cross-tenant access is
rejected.
- Hashed at rest. Keys are stored as SHA-256 hashes; the plaintext secret is
shown only once at creation. If you lose it, create a new key.
- Revocable. Revoke any key instantly in Settings → Connect external AI tools
or via DELETE /api/v1/mcp/keys/<id>/. Each key tracks last_used_at.
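
A minimal server-side sketch of the three properties above (one org per key, SHA-256 digest at rest, revocation with last_used_at tracking). This is an added example, not ECN's own code: the `KeyStore` class, its in-memory table and the random token after the `ecn_mcp_` prefix are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "ecn_mcp_"  # key prefix as shown on the page


def _digest(plaintext):
    # Unsalted SHA-256 is adequate here only because the secret is a long
    # random token, not a human-chosen password.
    return hashlib.sha256(plaintext.encode()).hexdigest()


class KeyStore:
    """Hypothetical in-memory key table; only digests are ever stored."""

    def __init__(self):
        self._by_digest = {}  # sha256 hex -> row
        self._next_id = 1

    def create(self, org):
        """Issue a key for one org; the plaintext is returned once, not kept."""
        plaintext = PREFIX + secrets.token_urlsafe(32)
        row = {"id": self._next_id, "org": org,
               "revoked": False, "last_used_at": None}
        self._by_digest[_digest(plaintext)] = row
        self._next_id += 1
        return row["id"], plaintext

    def revoke(self, key_id):
        """Mark the key revoked; later authorize() calls fail immediately."""
        for row in self._by_digest.values():
            if row["id"] == key_id:
                row["revoked"] = True

    def authorize(self, presented, target_org):
        """True only for a live key used against its own organization."""
        row = self._by_digest.get(_digest(presented))
        if row is None or row["revoked"]:
            return False
        if row["org"] != target_org:
            return False  # cross-tenant request: reject, do not touch the row
        row["last_used_at"] = datetime.now(timezone.utc)
        return True
```

Because only the digest is stored, a lost key cannot be recovered from the table, which is why the only remedy is to create a new one.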
Reads are safe; sends are gated
ECN follows a read/write safety model:
| Action class | Behavior |
|---|---|
| Reads (search, get context, list contacts, balances) | Run directly and freely. |
| Workspace writes (create contact/task, update context) | Apply to your org’s data. |
| Outreach drafts (GTM emails, social/outreach campaigns) | Created as approval-gated drafts (OutreachDraft, GtmEmailDraft) — not sent until a human approves. |
| Direct sends (compose_email) | Send immediately when the tool is called, via your connected Gmail (Mailgun fallback). Treat these as live actions. |
Most AI-authored content — Context Pack edits and the outreach/GTM pipelines — enters
as seeded/draft and is never auto-marked verified, so a person stays in the
loop before it’s published. The exception is direct-send tools like compose_email,
which send the moment they’re called — only expose them to trusted callers.
Treat an ecn_mcp_… key like a password. Don’t commit it to shared repos or
paste it into project config that syncs publicly. Prefer environment variables.
What an MCP client can and cannot do
- ✅ Search and read directory + context, manage CRM records, run prospecting,
draft outreach, check spend.
- ⛔ Bypass credit budgets, escape org scoping, or read another organization’s data.
(Note: compose_email does send directly — it is not gated behind a draft.)
Reporting an issue
Found a security problem? Email the maintainers via the repository rather than
opening a public issue with sensitive details.