The MCP server inherits Qonto’s standard security posture for OAuth integrations. This page summarises the parts most relevant to AI assistants.

Identity and authorization

  • Every tool call is authenticated as the consenting Qonto user, using a per-client OAuth access token. There is no shared secret, no API key, and no impersonation.
  • The server cannot exceed your role. If you are a reporting user, write tools refuse with an authorization error, and the assistant relays that refusal to you.
  • The set of operations a tool can perform is also constrained by the OAuth scopes you granted at consent time. To grant more scopes, you have to re-authorize.

Data handling

  • The Qonto MCP server is stateless: it does not store conversation content, transcripts, tool inputs, tool outputs, prompts, or any of your business data. It only forwards each tool call to the Qonto Business API and returns the response to your client.
  • Logs retained by the server are limited to operational telemetry: HTTP method, tool name, response status, latency, anonymized organization identifier. They are retained per Qonto’s standard observability policy and are not used for training.
  • The MCP client (Claude, ChatGPT, Cursor, etc.) does see and store conversation data, including tool inputs and outputs. Its retention, training-use, and sharing policies are governed by that vendor; review them before connecting.

Strong Customer Authentication

Operations that PSD2 classifies as sensitive (creating certain card types, approving multi-transfer requests) require SCA in the Qonto mobile app. The MCP server cannot bypass SCA. When a tool needs it, your client surfaces the prompt:
The action needs Strong Customer Authentication. Open Qonto on your phone, approve, and let me know when it’s done.
After you approve in the app, the tool call completes.

Rate limits

The MCP server is subject to the same rate limits as the underlying Business API. See Rate limitations for the current ceilings. Bursting tool calls in a chat can trip them; the assistant will tell you and back off.
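The following is an added example, not code from Qonto or the MCP server, of how a client can avoid tripping the ceiling in the first place and back off correctly when it does: a token bucket paces outgoing tool calls, and a wrapper retries only on HTTP 429, honouring an integer Retry-After header and otherwise using exponential backoff with full jitter. It assumes the Business API signals a tripped limit with 429 (the page does not state the response shape), and it deliberately does not retry 401/403, since on this page those mean the user's role or granted scopes forbid the tool. The bucket numbers and the scripted responses are constructed placeholders; the real ceilings are on the Rate limitations page.

```python
import random
import time
from typing import Callable, Dict, List, Tuple

# (status, headers, body): the minimal shape of an HTTP reply from a tool call.
Response = Tuple[int, Dict[str, str], object]


class RateLimited(Exception):
    """The ceiling was still tripped after the last permitted attempt."""


class TokenBucket:
    """Client-side pacing so a burst of tool calls never reaches the API ceiling.

    rate is tokens refilled per second, burst the most that can be held. Assumption:
    the real ceilings are on the Rate limitations page; the numbers passed in are placeholders.
    """

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def acquire(self) -> float:
        """Take one token; return the seconds the caller must sleep first (0.0 if none)."""
        now = self.clock()
        self.tokens = min(float(self.burst), self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        wait = (1.0 - self.tokens) / self.rate
        self.tokens = 0.0            # the token we wait for is spent on arrival
        self.last = now + wait
        return wait


def call_with_backoff(
    call: Callable[[], Response],
    bucket: TokenBucket,
    *,
    max_attempts: int = 5,
    base: float = 0.5,
    cap: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
) -> Tuple[object, List[float]]:
    """Run one tool call under the bucket, retrying only when the API says it is rate limited.

    On HTTP 429 an integer Retry-After header is honoured; otherwise the wait is exponential
    with full jitter (rng() * min(cap, base * 2**attempt)). 401/403 are never retried: they
    mean the user's role or granted scopes forbid the tool, which a retry cannot fix.
    Returns (body, waits) so the assistant can report how long it backed off.
    """
    waits: List[float] = []
    for attempt in range(max_attempts):
        pause = bucket.acquire()
        if pause > 0.0:
            sleep(pause)
            waits.append(pause)
        status, headers, body = call()
        if 200 <= status < 300:
            return body, waits
        if status in (401, 403):
            raise PermissionError(
                f"tool refused with {status}: re-authorize with the needed scope or use a permitted role"
            )
        if status != 429:
            raise RuntimeError(f"unexpected status {status}")
        retry_after = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
        delay = float(retry_after) if retry_after.isdigit() else rng() * min(cap, base * 2 ** attempt)
        sleep(delay)
        waits.append(delay)
    raise RateLimited(f"still rate limited after {max_attempts} attempts")


def scripted(responses: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for a real tool call: hands out the given replies in order."""
    it = iter(responses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed scenario: two 429s (the first with Retry-After), then success.
    call = scripted([(429, {"Retry-After": "2"}, None), (429, {}, None), (200, {}, {"ok": True})])
    body, waits = call_with_backoff(call, TokenBucket(rate=1.0, burst=2, clock=lambda: 0.0),
                                    sleep=lambda s: None, rng=lambda: 1.0)
    print(body, waits)   # {'ok': True} [2.0, 1.0, 1.0]
```

The injected `clock`, `sleep` and `rng` exist so the pacing can be tested deterministically; in production leave the defaults. The returned `waits` list is what lets the assistant tell the user it backed off, rather than silently stalling the conversation.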

Sensitive data in responses

Some responses contain presigned URLs (statements, attachments, the card iframe URL). They are short-lived credentials: the signature in the query string is the only authorization the storage backend checks. The server hands them back to your client; the client should not echo them in plain text unless you explicitly asked to download or view the artefact. If your client's UX shows raw tool output, treat presigned URLs as you would a download link: they are valid for anyone who holds them until their TTL expires, and pasting one into a shared transcript hands out the artefact along with it.
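One way a client can apply the rule above, as an added example that is not Qonto's code: scan raw tool output for URLs whose query string carries a signature, withhold them from the displayed text unless the user asked for the file, and compute how long the link has left before offering it. The page does not say which storage backend or parameter names Qonto uses, so the signature and expiry parameter names below (AWS-style `X-Amz-*`, Google-style `X-Goog-*`, generic `Signature`/`Expires`) are assumptions, and the sample output is constructed rather than a real response.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that mark a URL as presigned. Assumption: this page does not say
# which storage backend Qonto uses, so the set covers the common shapes (AWS S3 X-Amz-*,
# Google Cloud Storage X-Goog-*, and the generic Signature/Expires pair).
SIGNATURE_PARAMS = {"x-amz-signature", "x-goog-signature", "signature", "sig"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
REDACTED = "[presigned URL withheld; ask to download or view the file]"


def is_presigned(url: str) -> bool:
    """True if the URL carries a signature in its query string."""
    keys = {k.lower() for k in parse_qs(urlsplit(url).query)}
    return bool(keys & SIGNATURE_PARAMS)


def seconds_remaining(url: str, now_ts: float) -> Optional[int]:
    """Seconds until the presigned URL stops working, or None if no TTL can be derived.

    Understands AWS-style X-Amz-Date + X-Amz-Expires and a plain Unix-timestamp Expires.
    A non-positive result means the link has already expired.
    """
    qs = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "x-amz-date" in qs and "x-amz-expires" in qs:
        issued = datetime.strptime(qs["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires_at = issued.timestamp() + int(qs["x-amz-expires"])
    elif qs.get("expires", "").isdigit():
        expires_at = int(qs["expires"])
    else:
        return None
    return int(expires_at - now_ts)


def redact_presigned_urls(text: str, user_asked_for_file: bool = False) -> Tuple[str, List[str]]:
    """Replace presigned URLs in raw tool output unless the user explicitly asked for the artefact.

    Returns the text to display and the presigned URLs that were found, so the client can
    still offer them through a download action without echoing them into the transcript.
    """
    found: List[str] = []

    def swap(match: "re.Match[str]") -> str:
        url = match.group(0)
        if not is_presigned(url):
            return url          # ordinary link, e.g. documentation: leave it alone
        found.append(url)
        return url if user_asked_for_file else REDACTED

    return URL_RE.sub(swap, text), found


# Constructed sample of raw tool output; not a real Qonto response.
SAMPLE_OUTPUT = (
    '{"statement_id": "stmt_123", '
    '"download_url": "https://files.example.com/statements/stmt_123.pdf'
    '?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240301T100000Z'
    '&X-Amz-Expires=900&X-Amz-Signature=0123abcd", '
    '"docs": "https://docs.example.com/statements"}'
)

if __name__ == "__main__":
    shown, urls = redact_presigned_urls(SAMPLE_OUTPUT)
    print(shown)
    print("presigned URLs held back:", len(urls))
    # 1709287500 is 2024-03-01T10:05:00Z, five minutes after the sample link was issued.
    print("seconds left:", seconds_remaining(urls[0], 1709287500))
```

The withheld URLs are returned rather than discarded so the client can attach them to an explicit download button; checking `seconds_remaining` first avoids offering a link that the TTL has already killed.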

Allow-listed tool surface

The MCP server only exposes a curated, vetted subset of the Business API. Endpoints outside that subset are unreachable through MCP even if you have an OAuth scope that would otherwise allow them. See What you can do for the full list.

Revoking access

You can withdraw a client’s access at any time from the connected apps section of your Qonto account. Once revoked, the MCP client can no longer reach the Qonto API on your behalf and must go through the consent flow again to reconnect. Your Qonto data is unaffected; revocation is the equivalent of removing the app from your laptop.

Reporting issues

Security issues should be reported through the Qonto Bug Bounty programme. Please do not file vulnerabilities in the public docs repository.