> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abconvert.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & token management

> How tokens work, how to manage them safely, and what's protected by default.

## Token model

A token is a single-shop, single-purpose credential. It looks like `abc_1lRrF_CdEOYbg6xCP6FFoiFnOcp05s8E`.

<CardGroup cols={2}>
  <Card title="One token per app" icon="key">
    Mint a separate token for each integration: Claude Code, your team's automation, etc. Revoking one doesn't break the others. (Claude Desktop and Claude.ai use [connector credentials](/mcp/claude-connector) instead, managed from the same page.)
  </Card>

  <Card title="Shop-scoped" icon="store">
    A token you mint for Shop A can never access Shop B's data — even if you own both.
  </Card>

  <Card title="No expiration by default" icon="clock">
    Tokens stay valid until you revoke them. There's no automatic rotation. We may add expiration in a future update.
  </Card>

  <Card title="Revocable instantly" icon="ban">
    Settings → Claude / MCP Access → Revoke. Takes effect within one request — the next call from that token returns 401.
  </Card>
</CardGroup>

## Treat tokens like passwords

If someone has your token, they can do anything you can do via MCP — create tests, modify rates, end experiments. The same goes for a [connector client secret](/mcp/claude-connector): treat both like passwords.

<Warning>
  **Don't:**

  * Paste tokens in shared Slack channels, GitHub issues, or screenshots
  * Commit tokens to a repo (even a private one)
  * Email tokens in plaintext
  * Store tokens in a shared 1Password vault unless your team genuinely needs shared access
</Warning>

<Tip>
  **Do:**

  * Mint a personal token for each team member, not a shared one
  * Name tokens descriptively ("Claude Code — Jeff", not "token1")
  * Revoke tokens you stop using immediately
  * Set a recurring reminder to audit your token list quarterly
</Tip>

## What protects you by default

Even if a token leaks, several layers limit blast radius:

**1. Per-shop feature flag.** MCP is opt-in per shop. If your shop has the flag off, even a valid token can't do anything.

**2. Rate limit.** 200 requests per minute per token, server-enforced. A leaked token can't be used to hammer the API or run an unbounded loop.

**3. Token kill switch.** Revoke from Settings → Claude / MCP Access. Effective within one request. Don't wait — the moment you suspect a token is compromised, kill it.

**4. Resource overlap protection.** Even with a leaked token, an attacker can't launch a price test on a product that already has an active price test running. Same for shipping zones, themes, templates, and redirect URLs.

**5. Backend audit trail.** Every API call is logged with the token ID, timestamp, and outcome. Contact support if you need to investigate suspicious activity.

## Auditing token usage

Today, the in-app audit view is read-only and shows:

* Token name + when it was created
* Last successful use timestamp
* Whether it's currently active or revoked

A more granular activity log (which tools were called, when, by which client) is on the roadmap. If you need it sooner, contact support — we can pull logs server-side on request.

## When to rotate

Rotate (revoke + mint a new one) when:

* A team member leaves
* You change laptops
* You suspect any leakage (committed to git by accident, pasted in a public chat, lost a device)
* Quarterly as part of a routine audit — minimal effort, maximum hygiene

## What's NOT covered yet

These are on the roadmap:

* **OAuth for every client.** Claude.ai and Claude Desktop already connect through an [OAuth custom connector](/mcp/claude-connector). Other clients still require a manually pasted token; broader OAuth support (e.g. Dynamic Client Registration for Codex) is on the roadmap.
* **Per-token scopes.** Today, every token has full access. Future tokens will let you create read-only or scope-limited tokens for safer sharing.
* **Per-IP allowlist.** Lock a token to specific IP ranges (e.g. your office) for extra defense.

If any of these would change your decision to use MCP, let support know — that's how we prioritize.

## Reporting a suspected leak

If you think a token has been compromised:

1. **Revoke it immediately** — Settings → Claude / MCP Access → Revoke. Don't wait.
2. **Check the audit timestamps** — was the token used recently from somewhere unexpected?
3. **Email [security@abconvert.io](mailto:security@abconvert.io)** with the token's name and approximate compromise window. We'll pull server-side logs and confirm whether anything unusual happened.

The fastest mitigation is always step 1. Don't delay revocation while you investigate.
