β Back to Documentation Index
β Back to README
The ClickUp MCP Server is built with security as a core concern, not an afterthought. Below is a summary of the protections in place for both STDIO (local) and hosted/remote deployments.
- Sensitive data is never stored or logged. Your
CLICKUP_API_KEY(or OAuth token) is held only in memory for the duration of the session and never written to disk or any external service. - No third-party credential exposure. All ClickUp API calls are made directly from the server to ClickUp β your credentials never pass through any intermediary.
In the remote deployment, every MCP session gets its own isolated service instance in memory:
- No user-specific data (API keys, workspace IDs, tool filters) is stored in global state
- Data from one user's session cannot leak to another
- Tool execution is scoped strictly to the session that initiated it
- Client-provided credentials always take precedence over any server-side defaults
When using OAuth 2.1 (remote mode), the server implements enterprise-grade protections:
- HMAC-Signed State β All redirect parameters are cryptographically signed to prevent manipulation
- CSRF Session Binding β Logins are bound to the initiating browser session via secure cookies
- Timing-Safe Verification β Cryptographic comparisons use constant-time checks to prevent side-channel attacks
- Auto-Expiring Credentials β Issued codes and client registrations have enforced TTLs; stale tokens are automatically rejected
The server automatically manages ClickUp's API rate limits (100 requests/minute):
- Requests are spaced and queued to avoid hitting limits
- If a rate limit is reached, the server backs off and retries transparently
- No requests are silently dropped
You can limit which tools the AI agent is allowed to use, following the principle of least privilege:
ENABLED_TOOLSβ whitelist specific tools; all others are blockedDISABLED_TOOLSβ blacklist specific tools; all others remain available
Disabled tools are completely absent from the AI's tool list β the LLM never sees them and cannot select them. A secondary call-time check also blocks any attempt to invoke a disabled tool directly.
- Zero Content Logging β Your ClickUp data is never logged.
- Anonymous Auditing β Every session uses a unique, randomized ID to maintain an audit trail without tracking your personal identity.
- Protocol Isolation β Logs are strictly separated from your communication stream to ensure they never impact connection speed or reliability.
If you discover a security vulnerability, please report it by opening a GitHub issue marked as a security concern.