Security
Security Posture
Last updated: 2026-06-30
Nectar is designed around scoped access, explicit approval gates, Cloud Run deployment, rate limits, and customer entitlement boundaries.
Authentication
The MCP server supports three authentication modes: a static API key, JWTs verified against a JWKS endpoint, and OAuth 2.0 token introspection. Public customer launch should use OAuth/OIDC with tenant-aware entitlements, so that every accepted token resolves to a tenant before any tool runs.
In this submission build the agency dashboard is private and sits behind a TOTP-backed session gate. That gate covers operator access only; it is not a substitute for customer-facing OAuth.
Authorization
Every MCP tool checks the caller's scopes before running; separate scopes cover lookup, owner evidence, market data, jobs, raw output, contacts, messages, usage, and feature requests.
Returning unmasked contact details and sending live messages are gated further: they require either an elevated scope or explicit operator approval, and the standard scopes alone do not grant them.
Operational Boundaries
Unit Bot, Property Finder scans, and WhatsApp delivery run through controlled worker lanes. The MCP connector does not mutate browser sessions or execute arbitrary code.
Rate limiting and usage stores are in place. Before public listing, confirm that quota state is held in distributed storage (so limits hold across Cloud Run instances rather than per process) and that the OAuth issuer the server trusts is the one selected for launch.