Security
Safe MCP usage
Sociality MCP gives AI clients access to Sociality.io data through the connected user and workspace context. Before using it in ongoing or automated workflows, review server trust, workspace access, OAuth connection state, and write-action behavior.
Trusted server guidance
Connect only to trusted MCP servers. For Sociality MCP, use the official remote server URL: https://api.sociality.io/mcp.
Review any client-side warnings before approving a custom MCP connection, and avoid authorizing unknown servers that you do not control or trust.
Least-privilege access
MCP access follows the connected Sociality.io user and workspace permissions. Use an account with only the access needed for the workflow you want to run.
Before production use, confirm the active team and user context with social_workspace_context. Review which owned accounts and tracked competitors are available to that user, and adjust access in Sociality.io if the workflow does not need full workspace coverage.
OAuth hygiene
Complete OAuth only from a trusted MCP client. If authentication fails, becomes stale, or looks suspicious, reconnect Sociality MCP from your client.
When switching accounts, teams, or workspaces, remove the existing MCP connection and authorize again with the correct Sociality.io account. Review connected client access when team members, permissions, or production workflows change.
Write-action review
Most current Sociality MCP tools are read-only. The main exception is social_competitors_create, which is a write action used to add a tracked competitor to the workspace.
Before approving this action, confirm that the user explicitly wants to track the profile, the profile URL is correct, and the selected workspace is the right destination.
Production checklist
Before using Sociality MCP in recurring, automated, or production workflows, confirm that:
- The official Sociality MCP server URL is used.
- OAuth is connected with the correct Sociality.io account.
- Workspace and user context are verified with social_workspace_context.
- User access follows least-privilege principles.
- Write actions are reviewed before approval.
- Credit usage, limit, and resets_at are checked before larger workflows.
- Supported channels and metrics are confirmed with social_platform_capabilities.
- Recurring or automated workflows are monitored for unusual usage.
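
One way to enforce the server-URL and write-action items of this checklist in an automated workflow, as an added example that is not Sociality's own code. The server URL and tool names come from this page; the argument names profile_url and workspace, and passing the verified workspace in as a plain value, are assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL_URL = "https://api.sociality.io/mcp"  # official server URL from this page
READ_ONLY_TOOLS = {"social_workspace_context", "social_platform_capabilities"}
WRITE_TOOLS = {"social_competitors_create"}  # the write action named on this page


def is_official_server(url):
    """Compare parsed components, so lookalike hosts and userinfo tricks fail."""
    try:
        p = urlsplit(url.strip())
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (p.scheme == "https" and p.hostname == "api.sociality.io"
            and port in (None, 443) and p.username is None
            and p.password is None and p.path == "/mcp"
            and not p.query and not p.fragment)


def review_tool_call(server_url, tool, args, verified_workspace, user_approved):
    """Return (allowed, reason) for one tool call in an automated workflow.

    Hypothetical names: args["profile_url"], args["workspace"], and
    verified_workspace (the value taken from social_workspace_context).
    """
    if not is_official_server(server_url):
        return False, "server URL is not the official Sociality MCP endpoint"
    if tool in READ_ONLY_TOOLS:
        return True, "read-only tool"
    if tool not in WRITE_TOOLS:
        return False, "unclassified tool: review before allowing"  # default deny
    if not user_approved:
        return False, "write action needs explicit user approval"
    try:
        profile = urlsplit(str(args.get("profile_url", "")))
    except ValueError:
        return False, "profile URL is malformed"
    if profile.scheme != "https" or not profile.hostname:
        return False, "profile URL is missing or not https"
    if args.get("workspace") != verified_workspace:
        return False, "target workspace differs from the verified context"
    return True, "write action approved"
```

Tools not listed in either set are denied by default; add each one to READ_ONLY_TOOLS or WRITE_TOOLS only after reviewing what it does.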