Security and Data Use

WriteByte uses OAuth-backed MCP connections, keeps the public author tool surface separate from internal admin tooling, and currently runs resumable MCP sessions on a single application instance.

Last updated April 25, 2026

Security facts

  • OAuth: Public AI integrations use OAuth 2.1 authorization code with PKCE and browser consent.
  • Tokens: WriteByte stores OAuth clients, access tokens, and refresh tokens server-side.
  • Surface: Public connectors expose non-admin author tools only. Admin review and editorial tools stay internal.
  • Sessions: Streamable MCP session resumability currently depends on in-memory server state and should run as a single instance for public v1.

Public AI integrations use OAuth 2.1 authorization code + PKCE. The MCP surface validates WriteByte-issued bearer tokens for the protected resource, and users approve the connection in the browser before a host can call any author tools.

The public MCP endpoint exposes the non-admin author surface only. Internal admin triage and editorial tools live on a separate admin route and are not part of public ChatGPT or Claude packaging.

Streamable MCP session resumability is currently backed by in-memory server state. For the public v1 launch, this should run as a single instance. Durable multi-instance session storage is a later infrastructure milestone and is not claimed by the public packaging docs.
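
The single-instance constraint above, shown as an added illustration (this is not WriteByte's code). The `McpInstance` class, the round-robin router, the session id, and the event payloads are all hypothetical and constructed for the example; it models a client that reconnects after seeing event 1 and asks for a replay of what it missed.

```python
import itertools


class McpInstance:
    """One application process; session state lives only in this object's memory."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session id -> list of (event_id, payload)

    def open_session(self, session_id):
        self.sessions[session_id] = []

    def emit(self, session_id, payload):
        log = self.sessions[session_id]
        log.append((len(log) + 1, payload))  # event ids count up from 1

    def resume(self, session_id, last_event_id):
        """Replay events after last_event_id, or None if this process never saw the session."""
        log = self.sessions.get(session_id)
        if log is None:
            return None
        return [event for event in log if event[0] > last_event_id]


def simulate(instance_count):
    """Open a session, then reconnect through a round-robin router (an assumption)."""
    instances = [McpInstance(f"app-{i}") for i in range(instance_count)]
    router = itertools.cycle(instances)

    first = next(router)
    session_id = "sess-constructed-1"  # constructed sample value
    first.open_session(session_id)
    for payload in ("draft saved", "outline ready", "review queued"):
        first.emit(session_id, payload)

    # The client received only event 1 before the stream dropped; the
    # reconnect is routed to whichever instance is next in rotation.
    second = next(router)
    return second.name, second.resume(session_id, last_event_id=1)


if __name__ == "__main__":
    print(simulate(1))  # same process handles the reconnect: missed events replayed
    print(simulate(2))  # another process handles it: the session is unknown there
```

With one instance the reconnect reaches the process that holds the event log; with two, the replay request lands on a process that has no record of the session, which is the gap durable multi-instance session storage would close.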

To report a security concern, email support@writebyte.org with the subject line "Security report". General privacy expectations are summarized on the Privacy Policy.