Security

Oura MCP is designed as a read-oriented integration for Oura API data via OAuth.

Controls in place

• HTTPS-only endpoints for application and API traffic.
• OAuth 2.0 Authorization Code flow with PKCE.
• Per-user credential isolation (no cross-user data access).
• Scoped API usage aligned to requested Oura data access.
• Access-token refresh with expiration handling for continuity.
• Operational metrics and logs limited to reliability, abuse detection, and troubleshooting.

What we do not do

• We do not sell user data.
• We do not intentionally expose credentials in public outputs.
• We do not provide medical diagnosis or treatment recommendations.

Report a vulnerability

Email: dave@vexti.co with subject Security Report — Oura MCP.