Security
The app is intentionally read-only. It exposes no create, update, delete, message-send, payment, or administrative tools.
Authentication
Protected MCP access supports the OAuth authorization code flow with PKCE for ChatGPT-style clients, plus an optional service bearer token for controlled server-to-server verification.
Permission scope
The only OAuth scope is swfi.read. It permits source-backed lookup, fetch, rankings, transactions, opportunities, and institution comparison.
Source behavior
Tools must return backend data, unknown, partial, or no rows. They must not infer missing values.
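One way to enforce the permission scope and source behavior rules above, as an added example (not the app's own code). The tool identifiers, status strings, function names and sample rows are assumptions made for illustration.

```python
# Added illustration; every name below is hypothetical, not the app's real code.
REQUIRED_SCOPE = "swfi.read"  # the only scope the page defines
# Hypothetical tool identifiers derived from the capabilities the page lists.
READ_ONLY_TOOLS = {"lookup", "fetch", "rankings", "transactions",
                   "opportunities", "compare_institutions"}


def authorize(tool: str, granted_scopes: str) -> None:
    """Deny by default: unlisted tools and tokens lacking swfi.read are rejected."""
    if tool not in READ_ONLY_TOOLS:
        raise PermissionError(f"tool not exposed: {tool}")
    # OAuth scope strings are space-delimited; compare whole tokens, not substrings.
    if REQUIRED_SCOPE not in granted_scopes.split():
        raise PermissionError("missing scope swfi.read")


def shape_result(rows, fields):
    """Return backend rows as-is and label gaps instead of filling them.

    rows is None when the backend could not answer (status 'unknown') and
    an empty list when it answered with nothing (status 'no_rows').
    """
    if rows is None:
        return {"status": "unknown", "rows": [], "missing": []}
    if not rows:
        return {"status": "no_rows", "rows": [], "missing": []}
    out, missing = [], []
    for i, row in enumerate(rows):
        # Copy only the requested fields; an absent or null value stays None.
        out.append({f: row.get(f) for f in fields})
        missing += [(i, f) for f in fields if row.get(f) is None]
    return {"status": "partial" if missing else "data", "rows": out, "missing": missing}


# Constructed sample backend rows (not real data).
SAMPLE = [
    {"institution": "Example Fund A", "aum_usd": 1200},
    {"institution": "Example Fund B", "aum_usd": None},
]
```

A caller that receives "partial" can show the listed gaps to the user verbatim; nothing in the response is derived from values the backend did not supply.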