Least privilege
Grant only what the task needs. Read-only for analysis and reporting; add write scopes only when the agent genuinely needs to create or run campaigns.
How the iSearchFrom MCP server scopes what an agent can do — the consent flow, live permission checks, the isolated query layer, token spend, and revoking a connection.
An MCP-connected agent can never do more than you can, and usually should do far less. Access is the intersection of what you approved at connect time and what your role still allows right now, re-checked on every tool call.
What an agent can do is bounded by two independent gates. A tool call must pass both:
The effective permission set is the intersection of the two. Neither the client nor the agent can widen it — the checks run on iSearchFrom’s servers, not in the client.
When a client connects for the first time, iSearchFrom opens a browser consent screen where you:
The client receives a token bound to that organization and grant. It reuses the token for later sessions until you revoke it.
The flexible query layer (describe_schema and query_sql)
never touches the same database connection the app uses. It runs as a dedicated non-owner,
read-only database role with row-level security that pins every query to your organization.
Concretely, query_sql:
describe_schema advertises exactly that subset.The result is a safe analytical window onto your own data. It’s powerful — the agent can answer novel questions with joins and aggregates — without being a security hole.
MCP actions spend tokens identically to the app:
whoami, get_*, describe_schema, query_sql, options tools.run_proxy_search costs one token per requested page.trigger_*_run costs tokens per keyword or prompt checked.run_direct_search, create_*, update_*, delete_* are free.You can cut off a client at any time — the agent loses access immediately on its next call.
claude mcp remove isearchfrom), which stops it
from calling — though revoking in iSearchFrom is the authoritative cut-off.Revoking is the right move if you no longer use a client, suspect a machine is compromised, or want to re-authorize with a tighter scope.
Least privilege
Grant only what the task needs. Read-only for analysis and reporting; add write scopes only when the agent genuinely needs to create or run campaigns.
One client, one purpose
Authorize separate clients for separate jobs so you can revoke one without disrupting the others.
Human-in-the-loop for writes
For autonomous agents, prefer read/search tools. Require a human to confirm before wrapping create, update, delete, or trigger tools into an unattended loop.
Mind the balance
Point agents at an organization with a sensible token balance, and monitor spend.