MCP Data Privacy & Integrity
How RESTK protects your credentials, redacts sensitive data, and enforces integrity when AI agents connect through MCP.
When you connect an AI assistant to RESTK through MCP, a natural question arises: what can the AI actually see? This guide covers the privacy architecture, redaction boundaries, threat model, and answers to common questions. For setup and tool reference, see MCP Setup & Usage.
Core Principle
Credentials never leave the app.
RESTK's MCP server is designed around a single rule: AI agents can see the structure of your API work, but never the secrets that make it run.
- Authentication tokens, API keys, and passwords are redacted before any data reaches the MCP layer
- Secret environment variable values are replaced with placeholder text
- The AI sees enough context to help you — request names, URLs, methods, header keys, response structure — without accessing anything that could compromise your accounts
- All communication happens over
localhost; no MCP data transits the internet
Zero-Knowledge Design
The MCP server applies redaction at the data layer, not the transport layer. Even if an AI client were compromised, it would only receive already-redacted data. The one exception is export_as_curl with include_auth: true, which is read-only but includes real credentials in the exported command — review the output carefully before sharing or running it outside RESTK.
What AI Agents Can See
The following data is visible to AI clients connected through MCP:
| Data Category | Visible Information |
|---|---|
| Collections | Name, description, number of requests and folders, sharing status |
| Requests | Name, HTTP method, URL (with variables unresolved), header keys |
| Query Parameters | Parameter names and non-secret values |
| Request Body | Structure and field names (content is shared for non-sensitive payloads) |
| Responses | Status code, response headers, timing data. Response bodies are truncated to 100 KB before AI exposure and automatically scanned for sensitive patterns — matching values are replaced with [REDACTED] |
| Environments | Variable names, variable types, non-secret default values |
| Folders | Name, position, parent collection |
| Scripts | Whether pre-request or post-response scripts are configured (boolean flags and a descriptive hint, e.g. "Pre-request script configured" — script source code is not exposed) |
| Workspace | Workspace name, collection count, request count |
What AI Agents Cannot See
RESTK automatically redacts the following before data reaches the MCP layer:
| Data Type | What AI Sees Instead | Example |
|---|---|---|
| Bearer tokens | [REDACTED] | Authorization: Bearer [REDACTED] |
| API keys in headers | [REDACTED] | X-API-Key: [REDACTED] |
| Basic auth credentials | [REDACTED] | Authorization: Basic [REDACTED] |
| OAuth tokens | [REDACTED] | Token value replaced entirely |
| Secret environment variables | [REDACTED] | database_password: [REDACTED] |
| Cookie values | [REDACTED] | Set-Cookie: session=[REDACTED] |
| Custom secret headers | [REDACTED] | Any header marked as secret in settings |
| Response content | Sanitized output | All response content — regardless of format — is sanitized to remove credentials and sensitive data before reaching AI assistants |
Redaction Is Automatic
You don't need to configure redaction rules. RESTK identifies sensitive data by field type (auth headers, secret variables, cookie values) and redacts automatically. The only tool that can expose credentials is export_as_curl with include_auth: true — all other tool responses use redacted values.
User-Controlled Access
Beyond automatic redaction, you control what AI can access at multiple levels:
Collection-Level Sharing
Choose What to Share
Each collection has a Share with AI toggle. Collections are not shared by default — you must explicitly enable sharing for each collection you want AI to access.
Review Shared Collections
Open Settings → AI Integration to see a list of all collections currently shared with AI. Audit this list periodically.
Adjust as Needed
You can toggle sharing on or off at any time. Changes take effect immediately — the AI loses access to unshared collections in the current session.
Workspace Isolation
Each workspace is an independent boundary. An AI client connected to one workspace cannot see collections from another workspace. This means:
- Personal workspace collections stay private from team workspace AI sessions
- Different team workspaces are isolated from each other
- Switching workspaces changes what the AI can access
Per-Action Approval
Write operations require explicit approval through a confirmation dialog:
- The dialog shows the tool name, target item, and proposed changes
- If you don't respond within the timeout window, the action is automatically denied
- Destructive operations (deletes) always require manual approval, even with auto-approve enabled
- Read operations do not require approval (the data is already redacted)
Local-Only Architecture
RESTK's MCP implementation communicates exclusively over localhost. Here's the privacy boundary:
+------------------------------------------------+
| YOUR MACHINE |
| |
| +------------------+ |
| | AI Client | |
| | (Claude, Cursor,| |
| | Windsurf) | |
| +--------+---------+ |
| | |
| | localhost only |
| v |
| +--------+------------+ |
| | RESTK MCP Server | |
| | (redacts secrets, | |
| | enforces approval)| |
| +--------+------------+ |
| | |
| v |
| +---------------------+ |
| | Your API Data | |
| | (Collections, | |
| | Requests, Envs) | |
| +---------------------+ |
| |
+------------------------------------------------+
[x] No cloud relay
[x] No external MCP proxy
[x] No data sent to AI provider through MCP
Key points:
- The MCP server is embedded in the RESTK app — not a separate service
- Communication stays on localhost, never the internet
- No cloud relay or proxy sits between the AI client and RESTK
- The MCP server itself works without internet. However, RESTK requires an authenticated session to launch, so initial sign-in needs connectivity. Once authenticated, MCP operates fully offline
- Your AI provider (Anthropic, OpenAI, etc.) does not receive MCP traffic — they only see what you type into the AI chat and what the AI client chooses to include in its prompts
AI Provider vs MCP
MCP data stays local, but your conversation with the AI (your prompts and the AI's responses) does go to the AI provider. Be mindful of what you type. For example, don't paste secrets into the chat — use MCP tools instead, and let the AI work with redacted data.
Data Integrity Safeguards
RESTK enforces multiple safeguards to prevent accidental or malicious modifications through MCP:
Confirmation Before Mutation
Every create, update, delete, and execute operation shows a confirmation dialog before proceeding. The dialog displays:
- The operation type (create, update, delete, execute)
- A title and message describing the action
- A details dictionary with key-value pairs showing the relevant parameters
Soft Deletes
When an AI requests deletion of a collection or request, RESTK uses soft delete. The item is marked as deleted but can be recovered. This protects against accidental deletions from misunderstood prompts.
URL Validation
Before executing any HTTP request (via send_request or send_curl), RESTK validates the target URL to prevent requests to internal network addresses. Blocked ranges include 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, and their IPv6 equivalents. This protects against server-side request forgery (SSRF) scenarios where a compromised AI might try to probe internal services.
Size Limits
Request bodies, header values, and response data exposed through MCP are subject to size limits to prevent resource exhaustion. Key limits: response bodies are truncated to 100 KB before AI exposure, collection imports are capped at 50 MB, and overall response payloads are limited to 10 MB.
Audit Logging
All MCP tool invocations are logged with:
- Timestamp
- Tool name
- Parameters (with secrets redacted)
- Result status (approved, denied, timed out, error)
- Session identifier
Review audit logs in Settings → AI Integration → Security Settings to see exactly what AI has done in your workspace. The audit trail is also available as a resource at restk://audit.
Threat Model
This table summarizes the threats RESTK's MCP implementation defends against and how:
| Threat | Mitigation |
|---|---|
| Credential theft via MCP | Credentials are redacted at the data layer before reaching MCP. AI only sees [REDACTED] placeholders. The only way credentials can be exposed is through export_as_curl with include_auth: true, which is a read-only tool — review its output before sharing. |
| Unauthorized modification | Every write operation requires explicit user approval. Unapproved actions are denied automatically after a timeout. Destructive operations (delete) always require manual approval. |
| Server-side request forgery (SSRF) | URL validation blocks requests to private/internal network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, and IPv6 equivalents) before execution. Restricted destinations are rejected at the application layer. |
| Data exfiltration via prompts | MCP communication is local-only. Data cannot be routed to external endpoints through the MCP channel. |
| Session hijacking | MCP sessions are scoped to localhost. Session identifiers are only valid between local processes on your machine — there is no network path for an external attacker to intercept or replay them. |
| Sensitive error messages | Error responses are sanitized before reaching AI: file paths are stripped, API token patterns (prefixes like sk-, ghp-, xoxb-, AKIA) are redacted, and messages are truncated to 500 characters. No stack traces or system paths are exposed. |
| Prompt injection via API data | The AI client is responsible for handling its own prompt context. RESTK provides structured, typed data through MCP to reduce injection surface. |
| Browser-based attacks | Requests originating from web browsers are automatically blocked, preventing malicious websites from accessing the local MCP server. |
| Denial of service | Size limits on requests and responses prevent resource exhaustion through MCP. Rate limiting applies to tool invocations. |
Privacy FAQ
Does the AI see my full request body?
For non-sensitive requests, yes — the AI can see request body content so it can help you debug, modify, and create requests. However, authentication credentials embedded in request bodies are still redacted. If a request body contains data you don't want AI to see, disable Share with AI on that collection.
Can the AI extract my Bearer tokens?
No. Bearer tokens and all other authentication credentials are redacted before data reaches the MCP layer. The AI sees Authorization: Bearer [REDACTED] — there is no mechanism to retrieve the actual token value through MCP.
What happens if I share a collection by accident?
Sharing only exposes metadata and non-secret content. Even if shared accidentally, your credentials are still redacted. You can unshare a collection at any time — changes take effect immediately.
Is MCP traffic encrypted?
RESTK's MCP server only accepts connections from your machine. Since data never leaves your device, TLS is not required — your operating system's process and network isolation protects the communication channel. External machines cannot reach the MCP server.
Can AI access other workspaces?
No. MCP access is scoped to the active workspace. AI cannot see or interact with collections in other workspaces, even if those workspaces are signed into the same account.
Does RESTK send telemetry about MCP usage?
No. RESTK does not send telemetry about which tools AI invokes, what collections are accessed, or how MCP is used. All MCP activity data stays local.
Can I use MCP in air-gapped environments?
The MCP server itself runs entirely locally and requires no internet connection. However, RESTK requires an authenticated session to launch — so you need internet connectivity for the initial sign-in. Once authenticated, the MCP server operates fully offline. For fully air-gapped environments, you'll also need a local AI model rather than a cloud-hosted one.
What about response data from APIs?
API responses (status codes, headers, body content) are visible to the AI so it can help you analyze, debug, and compare them. Response bodies are truncated to 100 KB and automatically scanned for common sensitive patterns — matching values are replaced with [REDACTED] before reaching the AI. If an API returns sensitive data that doesn't match these patterns, consider whether that endpoint's collection should have AI sharing disabled.