Skip to content

MCP scopes, permissions, and security

How Coinrule MCP access works — the read and write scopes, what each allows, the OAuth security model, and how to revoke an AI assistant's access.

Updated 2026-07-10·3 min read

When you connect an AI assistant to Coinrule, you decide exactly how much it can do. Access is granted through OAuth scopes that you approve at connect time and can revoke at any moment. This page explains the two scopes, the security model, and how to manage access.

The two scopes

ScopeGranted byAllows
coinrule:readRead only and Read + WriteList and inspect strategies, read balances and holdings, view trades, signals, PnL, and backtests.
coinrule:writeRead + Write onlyEverything above, plus create, launch, update, start, and stop strategies, launch baskets, and run backtests.

Read only grants just coinrule:read. Read + Write grants both. Write tools are hidden from the assistant entirely unless you granted coinrule:write, so a read-only connection cannot place or change a single trade.

Read + Write can move real money

On a live exchange, a Read + Write connection lets your assistant launch strategies that trade real funds. Grant it deliberately, review what you ask the assistant to do, and consider paper trading while you build trust.

How the security model works

  • OAuth 2.1, not passwords or API keys. Your assistant authenticates through Coinrule's OAuth flow and receives a scoped, expiring token. It never sees your Coinrule password or your exchange API keys.
  • You approve the scope. The read-only vs read+write choice happens on Coinrule's own consent screen, not inside the AI client.
  • The MCP only reaches the Coinrule API. The server acts on your behalf through the same API the web app uses — it has no direct access to databases, Redis, or your exchange keys.
  • Tokens expire and rotate. Access tokens are short-lived and refresh tokens rotate, limiting the impact of a leaked token.
  • Rate limited. Requests are rate-limited per user to protect your account.

Revoking access

You are always in control. To review or revoke connections:

  1. Open Settings → Integrations

    Go to Settings → Integrations in the Coinrule web app.

  2. Review connected assistants

    Each connection shows its name, access level (Read only or Read + Write), and when it was connected.

  3. Revoke

    Click Revoke to cut off that assistant immediately. Its tokens stop working right away and it can no longer reach your account.

Revoking is instant and safe — reconnect any time by adding the connector again. To change an assistant from Read only to Read + Write (or back), revoke it and reconnect at the new level.

Was this article helpful?