Security · read-only v1
TradeJournal MCP Security & Privacy
MCP and the on-site agent use the same user-scoped, read-only tool layer. Your token or login session never grants access to another trader's journal or Django admin data.
Active tokens
See label, prefix, and Revoke for each active MCP token.
- Max active tokens per plan
- Revoke unused clients
- Staff does not widen scope
Quick summary
- Your account only: Every tool starts with `.filter(user=user)` — no platform-wide search.
- Read-only v1: No trade placement, post edits, or settings changes via MCP.
- Revoke anytime: Connect AI → revoke token; staff status does not widen MCP scope.
Key takeaway
TradeJournal.co MCP security is built on per-user tokens or session auth, mandatory user-scoped querysets, read-only v1 tools, and explicit denial of cross-user and admin data; revoke leaked tokens in Connect AI and use the on-site agent if you prefer not to store a token in an IDE.
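The pattern summarized above (the credential alone decides the scope, every query carries the owner predicate, only read tools are registered, revocation takes effect immediately) can be sketched as follows. This is an added example, not TradeJournal's code: it uses `sqlite3` in place of the Django ORM, and the table layout, hashed-token storage, and all function names are assumptions made for illustration.

```python
import hashlib, secrets, sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE trades(id INTEGER PRIMARY KEY, user_id INTEGER, symbol TEXT, pnl REAL);
CREATE TABLE tokens(digest TEXT PRIMARY KEY, user_id INTEGER, label TEXT,
                    prefix TEXT, revoked INTEGER DEFAULT 0);
-- Constructed sample rows: user 1 is a regular trader, user 2 is a staff account.
INSERT INTO trades VALUES (1,1,'AAPL',120.0),(2,1,'TSLA',-40.0),(3,2,'NVDA',300.0);
""")

def _digest(raw):
    return hashlib.sha256(raw.encode()).hexdigest()

def issue_token(user_id, label):
    raw = secrets.token_urlsafe(32)
    # Assumption: only a hash and a short display prefix are stored server-side.
    db.execute("INSERT INTO tokens(digest,user_id,label,prefix) VALUES (?,?,?,?)",
               (_digest(raw), user_id, label, raw[:6]))
    return raw

def revoke_token(raw):
    db.execute("UPDATE tokens SET revoked=1 WHERE digest=?", (_digest(raw),))

def resolve_user(raw):
    row = db.execute("SELECT user_id FROM tokens WHERE digest=? AND revoked=0",
                     (_digest(raw),)).fetchone()
    if row is None:
        raise PermissionError("unknown or revoked token")
    return row[0]

def list_trades(user_id, symbol=None):
    # Counterpart of .filter(user=user): the owner predicate is always present.
    sql, params = "SELECT symbol, pnl FROM trades WHERE user_id=?", [user_id]
    if symbol is not None:
        sql += " AND symbol=?"
        params.append(symbol)
    return db.execute(sql + " ORDER BY id", params).fetchall()

# Read-only allowlist: no write tool exists to be called.
READ_ONLY_TOOLS = {"list_trades": list_trades}

def call_tool(raw_token, name, **args):
    # Scope comes from the credential only; there is no staff branch here.
    user_id = resolve_user(raw_token)
    if name not in READ_ONLY_TOOLS or "user_id" in args:
        raise PermissionError("tool not available or scope override attempted")
    return READ_ONLY_TOOLS[name](user_id, **args)
```

Because the dispatcher rejects any caller-supplied `user_id` and never looks at a staff flag, a staff token sees the same single-account view as any other token.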
What MCP and the agent never expose
| Category | Examples (blocked) |
|---|---|
| Other users' data | Trades, posts, profiles, emails, Stripe IDs |
| Platform admin | Raw User table, LogEntry, tjadmin aggregates |
| Internal / marketing | Enzlo leads, campaign data, SnapTrade secrets |
| Secrets | API keys, service keys, other users' MCP tokens |
External: Model Context Protocol · FTC privacy guidance (general consumer context).