Security

Last updated: 2026-05-06

MCP Hero sits between AI assistants and the MCP servers you trust, which puts us in the path of credentials, tool calls, and third-party data. The design assumes a hostile network and a hostile MCP server. This page summarizes the controls we rely on.

Isolation

Every MCP server you connect runs in its own ephemeral cloud sandbox, provisioned per session and torn down when the session ends. Sandboxes have no shared filesystem and no persistent state, and they cannot reach the gateway host or other tenants' sandboxes. A misbehaving or compromised MCP server is contained to its own session.

Authentication and tenancy

Dashboard access uses Google OAuth; we never see or store a password. Every account belongs to an organization, and all data (MCP servers, variables, OAuth tokens, logs) is scoped to that organization. Role-based access control determines which tools each member can invoke. Cross-organization data access is not a guarded code path; it is an absent one.

Encryption at rest

Every sensitive value stored in our database is encrypted with AES-256-GCM: upstream OAuth access and refresh tokens, OAuth client secrets, password-typed variables, and any credential or config files you upload to a server. The encryption key is derived from a deployment-wide root secret via HKDF, with a fresh random nonce per record so identical plaintexts never produce identical ciphertexts. The root secret lives only in the deployment's environment; the gateway refuses to start without it, and a database snapshot taken without it cannot be decrypted. Plaintext credentials never touch disk.

Encryption in flight

All public traffic terminates on TLS at the edge. Plaintext credentials exist only briefly in process memory: the gateway decrypts them at session start, hands them to the sandbox, and discards them. They are never returned by any API — list and detail endpoints expose only metadata (name, last-4 preview for passwords, timestamps).

Logging

Logs never contain raw credentials. A static check in CI fails the build if any log call is wired to receive raw environment, header, or variable values, and any password value an MCP server echoes to its own stderr is replaced with [REDACTED:NAME] before it reaches the operator's log buffer.
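As an added illustration, not MCP Hero's own code, this Node.js filter implements the stderr redaction described above for a set of named secret values. It handles the case a one-sentence description glosses over: stderr arrives in arbitrary chunks, so a value can be split across two reads and would slip past a naive per-chunk replace. The filter therefore holds back a tail shorter than the longest secret until the next chunk or a final flush. The secret names, values and log lines are constructed for the example.

```javascript
// Added example, not MCP Hero's implementation. A chunk-safe redactor for an
// MCP server's stderr: every occurrence of a known secret value becomes
// [REDACTED:NAME] before the text reaches the log buffer.

function createRedactor(secrets) {
  // secrets: { NAME: value }. Longest values first, so a value that contains
  // another value is replaced whole and leaves no recognizable fragment.
  const entries = Object.entries(secrets)
    .filter(([, value]) => typeof value === 'string' && value.length > 0)
    .sort((a, b) => b[1].length - a[1].length);
  // A secret can straddle a chunk boundary only if its first (len-1) chars
  // are already buffered, so that many trailing chars must be held back.
  const holdBack = entries.length ? entries[0][1].length - 1 : 0;
  let pending = '';

  // Leftmost occurrence of any secret; on a tie the longest wins because
  // entries are sorted longest first and the comparison is strict.
  function findFirst(text) {
    let best = null;
    for (const [name, value] of entries) {
      const at = text.indexOf(value);
      if (at !== -1 && (best === null || at < best.at)) best = { at, name, value };
    }
    return best;
  }

  function drain(finalFlush) {
    let out = '';
    for (;;) {
      const hit = findFirst(pending);
      if (hit === null) break;
      out += pending.slice(0, hit.at) + `[REDACTED:${hit.name}]`;
      pending = pending.slice(hit.at + hit.value.length);
    }
    // No complete secret is left in pending. Its last holdBack characters may
    // still be the start of one that continues in the next chunk, so keep them.
    const keep = finalFlush ? 0 : holdBack;
    if (pending.length > keep) {
      out += pending.slice(0, pending.length - keep);
      pending = pending.slice(pending.length - keep);
    }
    return out;
  }

  return {
    // Feed one stderr chunk; returns the text that is now safe to log.
    write(chunk) { pending += chunk; return drain(false); },
    // Call at process exit so the held-back tail is not lost.
    flush() { return drain(true); },
  };
}

// Run the filter over a constructed stderr stream in which the second secret
// is split across two chunks; returns the redacted text.
function demo() {
  const redactor = createRedactor({
    API_KEY: 'sk-live-9f8e7d6c5b4a', // constructed sample values
    DB_PASSWORD: 'hunter2hunter2',
  });
  const chunks = [
    'auth: using key sk-live-9f8e7d6c5b4a for tenant 7\n',
    'db: connect postgres://app:hunter2hu',
    'nter2@db:5432/app failed\n',
    'done\n',
  ];
  let out = '';
  for (const c of chunks) out += redactor.write(c);
  out += redactor.flush();
  return out;
}
```

The filter matches exact plaintext occurrences only: a value the server prints base64- or URL-encoded is not caught, and a very short value (a two-character password, say) would redact innocent text, so a minimum length for entries on the redaction list is worth enforcing. The hold-back delays the last few characters of a line until the next chunk arrives, which is why flush() must run when the server process exits.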

Deletion

When you delete an MCP server, its variables, tokens, uploaded files, and logs are deleted with it. Deleting an organization removes the same data for every member. Encrypted backups are kept for disaster recovery and expire on a fixed retention window; once the backups that predate a deletion have expired, the deleted data is unrecoverable.

Reporting an issue

If you find a security issue, please email . We will acknowledge your report and keep you posted as we investigate and fix.