> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rippit.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Information

> Authentication and security details for the Rippit MCP server.

## How authentication works

The Rippit MCP server is an OAuth 2.1 Protected Resource (RFC 9728). Your client bounces you to `app.rippit.com` in a browser window, you sign in there, and your client receives a short-lived JWT audience-bound to this MCP server (RFC 8707).

```mermaid theme={null}
sequenceDiagram
    participant Client as MCP Client
    participant MCP as Rippit MCP
    participant AS as Rippit Auth Server
    participant Browser as Browser

    Client->>MCP: POST /mcp (no token)
    MCP-->>Client: 401 + WWW-Authenticate
    Client->>MCP: GET /.well-known/oauth-protected-resource
    MCP-->>Client: { authorization_servers: ["app.rippit.com"] }
    Client->>Browser: Open /oauth/authorize (PKCE)
    Browser->>AS: User signs in and approves
    AS-->>Browser: Redirect with auth code
    Browser-->>Client: Auth code delivered
    Client->>AS: Exchange code + PKCE verifier
    AS-->>Client: Access token (JWT, aud = mcp.rippit.com/mcp)
    Client->>MCP: POST /mcp (Authorization: Bearer ...)
    MCP-->>Client: Tool results
```

You only ever enter your Rippit credentials in the browser. The MCP server and your agent never see them. Supported clients refresh tokens automatically; if a token cannot be refreshed, you will be prompted to sign in again.

## Security and access control

### Token scope

The MCP server acts as the signed-in user. It can read and write only what that user could read and write directly in `app.rippit.com`. There is no service account, no admin scope, and no way for the MCP server to bypass Rippit's existing workspace permissions or role assignments. Revoking a user's access in Rippit revokes their MCP access on the next token refresh.

### Read / write surface

| Capability                                  | Effect                                                                                                                                                          |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workbook and worksheet access               | Read-only for existing objects. New objects are written through Ask Rippit.                                                                                     |
| Ask Rippit (start and continue an analysis) | Creates an Ask Rippit conversation in the user's workspace and appends questions to it. These show up in the user's history at `app.rippit.com` like any other. |

### Hostnames

For allowlisting, the client touches three origins:

| Origin           | Purpose                                     | Direction                      |
| ---------------- | ------------------------------------------- | ------------------------------ |
| `mcp.rippit.com` | MCP endpoint; all JSON-RPC traffic          | Client → Rippit (HTTPS)        |
| `app.rippit.com` | OAuth authorization server; user sign-in    | Browser → Rippit (HTTPS)       |
| `cdn.rippit.com` | Static assets loaded by the Ask Rippit card | Client iframe → Rippit (HTTPS) |

No client-side traffic goes to third parties.

### Card sandbox

Ask Rippit cards render inside your MCP client's standard sandboxed iframe. The card's only outbound network capabilities are JSON-RPC calls back to `mcp.rippit.com` (proxied through the host) and static asset loads from `cdn.rippit.com`.

### Data handling

Rippit retains tool-call telemetry (which user, which tool, when, with what argument shape) for support and abuse prevention. Natural-language questions you submit to Ask Rippit are retained for the same purposes and to improve results. For specifics on retention windows, processing locations, and subprocessors, refer to your Rippit DPA or contact your Rippit point of contact.
