The Affinity MCP Server is built on the same authentication, permissioning, and data-handling controls as the Affinity API. The MCP layer doesn’t add new ways to read or modify data; every request goes through the Affinity API as the authenticated user. For Affinity’s broader security and compliance posture (certifications, data residency, incident response, and more), see the Affinity Trust Center.

Authentication uses industry-standard protocols

Connections to the hosted MCP server are authenticated using:
  • OAuth 2.0: Each end user authorizes Affinity once in their browser and receives an access token scoped to their account. Affinity admins can revoke access for any AI client under Settings → Affinity MCP (or per role on Enterprise plans), and end users can disconnect from their AI client at any time.
  • API key: A long-lived Affinity API key passed as a Bearer token in the Authorization header. API keys can be rotated or revoked at any time under Settings → Manage Apps. Because the key is long-lived and acts with the full permissions of the user who created it, keep it out of AI client configuration files that are shared or checked into version control, and rotate it immediately if it is exposed.
See Authentication for details and management instructions.

The MCP server does not store sensitive data or secrets

The hosted MCP server is stateless. Every tool call is proxied to the Affinity API in real time:
  • No CRM records, notes, emails, meeting content, or other Affinity data are persisted by the MCP server.
  • Credentials (API keys and OAuth tokens) are not retained by the MCP server beyond what is required to authenticate the in-flight request.
Affinity does not see your prompts. The conversation between you and your AI assistant stays between you and the AI provider. The MCP server only receives the structured tool calls your AI client decides to make (for example, search_companies(query: "fintech")), not the natural-language prompts you typed. Note that the arguments of those tool calls are derived from your conversation: whatever the AI client places in a search query or a note body does reach Affinity, so the boundary is the tool-call payload, not the conversation itself. Your prompts and the AI's responses are governed by your AI provider's own data-handling policies.
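As an added example (not Affinity's own code or an official client), the following Python builds the single HTTP request the hosted MCP server would receive for the search_companies call mentioned above, with the API key carried as a Bearer token in the Authorization header, and masks that header before anything is logged. The endpoint URL, the exact argument names of search_companies and the AFFINITY_API_KEY environment variable are assumptions; the Bearer scheme and the JSON-RPC tools/call shape are the standard MCP-over-HTTP form.

```python
"""Added example, not Affinity's code.

Shows (1) what actually leaves the AI client for one MCP tool call: a
JSON-RPC body naming the tool and its arguments, never the prompt text,
and (2) how to keep a long-lived API key out of logs.

Assumptions (not from the Affinity docs): the endpoint URL below, the
'query' argument name of search_companies, and the env var name.
"""
import json
import os
import urllib.request
from typing import Any

# Placeholder endpoint; the real hosted MCP URL is documented elsewhere.
MCP_URL = "https://mcp.example.invalid/mcp"  # assumption


def build_tool_call(
    tool: str, arguments: dict[str, Any], token: str, request_id: int = 1
) -> tuple[dict[str, str], dict[str, Any]]:
    """Return (headers, json_body) for one MCP `tools/call` request.

    The body carries only the structured call; the conversation that led
    the client to choose this tool is not part of the payload.
    """
    if not token or any(c.isspace() for c in token):
        raise ValueError("credential must be a single non-empty token")
    headers = {
        # API key or OAuth access token, same header either way.
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        # MCP over HTTP clients accept both JSON and SSE responses.
        "Accept": "application/json, text/event-stream",
    }
    body = {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": arguments},
    }
    return headers, body


def redact_headers(headers: dict[str, str]) -> dict[str, str]:
    """Copy of the headers that is safe to log: the credential is masked.

    The original dict is left untouched so it can still be sent.
    """
    safe = dict(headers)
    if "Authorization" in safe:
        scheme, _, _ = safe["Authorization"].partition(" ")
        safe["Authorization"] = f"{scheme} <redacted>"
    return safe


def send(headers: dict[str, str], body: dict[str, Any]) -> dict[str, Any]:
    """POST the request; network access needed, not exercised offline."""
    req = urllib.request.Request(
        MCP_URL, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    key = os.environ["AFFINITY_API_KEY"]  # assumed variable name
    hdrs, payload = build_tool_call("search_companies", {"query": "fintech"}, key)
    # Log the redacted view, never the raw headers.
    print(json.dumps(redact_headers(hdrs), indent=2))
    print(json.dumps(payload, indent=2))
```

Run it with the key in the environment to see exactly which fields leave the client; an OAuth access token would ordinarily be sent in the same Authorization header. Logging only the output of redact_headers is the habit that matters here, since the key is long-lived and rotation is the only remedy once it lands in a log file.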

API permissions are fully enforced

Every MCP tool call executes with the permissions of the authenticating user, the same permissions that apply when they use the Affinity CRM directly:
  • List access controls, role permissions, and field-level visibility all apply.
  • Users cannot read records they don’t have access to in the CRM, and cannot create or update records they wouldn’t be able to update in the CRM.
  • OAuth users can additionally restrict the connection to read-only at consent time by unchecking the write scope, which prevents the AI client from making any changes through MCP.
There is no MCP-only privilege escalation. If a user is removed from a list or has their role changed in Affinity, those changes take effect on the next MCP tool call.