MCP scopes, permissions, and security
How Coinrule MCP access works — the read and write scopes, what each allows, the OAuth security model, and how to revoke an AI assistant's access.
When you connect an AI assistant to Coinrule, you decide exactly how much it can do. Access is granted through OAuth scopes that you approve at connect time and can revoke at any moment. This page explains the two scopes, the security model, and how to manage access.
The two scopes
| Scope | Granted by | Allows |
|---|---|---|
coinrule:read | Read only and Read + Write | List and inspect strategies, read balances and holdings, view trades, signals, PnL, and backtests. |
coinrule:write | Read + Write only | Everything above, plus create, launch, update, start, and stop strategies, launch baskets, and run backtests. |
Read only grants just coinrule:read. Read + Write grants both. Write tools are hidden from the assistant entirely unless you granted coinrule:write, so a read-only connection cannot place or change a single trade.
Read + Write can move real money
On a live exchange, a Read + Write connection lets your assistant launch strategies that trade real funds. Grant it deliberately, review what you ask the assistant to do, and consider paper trading while you build trust.
How the security model works
- OAuth 2.1, not passwords or API keys. Your assistant authenticates through Coinrule's OAuth flow and receives a scoped, expiring token. It never sees your Coinrule password or your exchange API keys.
- You approve the scope. The read-only vs read+write choice happens on Coinrule's own consent screen, not inside the AI client.
- The MCP only reaches the Coinrule API. The server acts on your behalf through the same API the web app uses — it has no direct access to databases, Redis, or your exchange keys.
- Tokens expire and rotate. Access tokens are short-lived and refresh tokens rotate, limiting the impact of a leaked token.
- Rate limited. Requests are rate-limited per user to protect your account.
Revoking access
You are always in control. To review or revoke connections:
Open Settings → Integrations
Go to Settings → Integrations in the Coinrule web app.
Review connected assistants
Each connection shows its name, access level (Read only or Read + Write), and when it was connected.
Revoke
Click Revoke to cut off that assistant immediately. Its tokens stop working right away and it can no longer reach your account.
Revoking is instant and safe — reconnect any time by adding the connector again. To change an assistant from Read only to Read + Write (or back), revoke it and reconnect at the new level.