Security Posture

Last updated: 2026-06-30

Nectar is designed around scoped access, explicit approval gates, Cloud Run deployment, rate limits, and customer entitlement boundaries.

Authentication

The MCP server supports three authentication configurations: API key, JWT verified against a JWKS endpoint, and OAuth token introspection. The public customer launch should use OAuth/OIDC with tenant-aware entitlements.

The agency dashboard is private and protected by a TOTP-backed session gate in this submission build. It is not a replacement for full customer OAuth.

Authorization

MCP tools check scopes for lookup, owner evidence, market data, jobs, raw output, contacts, messages, usage, and feature requests.

Unmasked contacts and live messaging require elevated scope or operator approval.
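The two rules above (a scope per tool family, plus an elevated scope or operator approval for unmasked contacts and live messaging) combine naturally with the tenant entitlement boundary from the overview. The following is an added illustration, not Nectar's own authorization code; the tool names, scope strings and the in-memory approval store are assumptions made for the example.

```python
"""Scope and approval gate for MCP tool calls.

Added example, not Nectar's own code. It models the Authorization section:
every tool requires a scope, unmasked contacts and live messaging additionally
require an elevated scope or an operator approval, and a caller may only touch
resources belonging to its own tenant. Tool names, scope strings and the
in-memory approval store are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Assumed base scope per tool family listed on the page.
TOOL_SCOPES = {
    "lookup": "nectar:lookup",
    "owner_evidence": "nectar:owner_evidence",
    "market_data": "nectar:market_data",
    "jobs": "nectar:jobs",
    "raw_output": "nectar:raw_output",
    "contacts_masked": "nectar:contacts",
    "contacts_unmasked": "nectar:contacts",
    "messages_send": "nectar:messages",
    "usage": "nectar:usage",
    "feature_requests": "nectar:feature_requests",
}

# Tools that need the base scope PLUS either an elevated scope or an
# operator approval recorded for (tenant, tool).
ELEVATED_SCOPES = {
    "contacts_unmasked": "nectar:contacts.unmasked",
    "messages_send": "nectar:messages.send",
}


@dataclass(frozen=True)
class Principal:
    tenant: str
    scopes: frozenset


@dataclass
class ApprovalStore:
    """Operator approvals keyed by (tenant, tool). In-memory for the example."""
    granted: set = field(default_factory=set)

    def grant(self, tenant: str, tool: str) -> None:
        self.granted.add((tenant, tool))

    def approved(self, tenant: str, tool: str) -> bool:
        return (tenant, tool) in self.granted


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, tool: str, resource_tenant: str,
              approvals: ApprovalStore) -> Decision:
    """Deny-by-default decision for one tool call."""
    base = TOOL_SCOPES.get(tool)
    if base is None:
        return Decision(False, f"unknown tool {tool!r}")
    # Entitlement boundary: a scope never reaches across tenants.
    if resource_tenant != principal.tenant:
        return Decision(False, "resource belongs to another tenant")
    if base not in principal.scopes:
        return Decision(False, f"missing scope {base}")
    elevated = ELEVATED_SCOPES.get(tool)
    if elevated is None:
        return Decision(True, f"scope {base}")
    if elevated in principal.scopes:
        return Decision(True, f"elevated scope {elevated}")
    if approvals.approved(principal.tenant, tool):
        return Decision(True, "operator approval on file")
    return Decision(False, f"requires {elevated} or operator approval")


if __name__ == "__main__":
    approvals = ApprovalStore()
    agent = Principal("tenant-a", frozenset({"nectar:lookup", "nectar:contacts"}))
    for tool, tenant in [("lookup", "tenant-a"), ("contacts_unmasked", "tenant-a"),
                         ("lookup", "tenant-b")]:
        d = authorize(agent, tool, tenant, approvals)
        print(f"{tool:18} {tenant}: {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    approvals.grant("tenant-a", "contacts_unmasked")
    print(authorize(agent, "contacts_unmasked", "tenant-a", approvals))
```

The order of the checks matters: the tenant boundary is evaluated before any scope, so a caller holding the elevated scope still cannot read another tenant's contacts, and an unknown tool name is denied rather than falling through to a default scope.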

Operational Boundaries

Unit Bot, Property Finder scans, and WhatsApp delivery run through controlled worker lanes. The MCP connector does not mutate browser sessions or execute arbitrary code.

Rate limits and usage stores are available; before public listing, the production launch should verify that quota storage is shared across instances (distributed) and confirm the selected OAuth issuer.
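The reason distributed quota storage needs verifying on Cloud Run is that a counter kept in process memory is per instance, so a tenant's limit is silently multiplied by the number of running instances. The simulation below is an added example, not Nectar's own rate limiter; the key format, the limit values and the minimal store interface are assumptions.

```python
"""Fixed-window quota with a pluggable store.

Added example, not Nectar's own code. It shows the failure mode behind the
page's note on distributed quota storage: when each Cloud Run instance keeps
its own counter, a tenant's limit is effectively multiplied by the number of
instances. Key format, limits and the store interface are assumptions.
"""
import time
from collections import defaultdict
from typing import Callable, Protocol


class QuotaStore(Protocol):
    def incr(self, key: str) -> int: ...


class MemoryQuotaStore:
    """Per-process counter: fine for one instance, wrong behind several."""
    def __init__(self) -> None:
        self.counts: dict = defaultdict(int)

    def incr(self, key: str) -> int:
        self.counts[key] += 1
        return self.counts[key]


class QuotaLimiter:
    def __init__(self, store: QuotaStore, limit: int, window_seconds: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.store, self.limit = store, limit
        self.window_seconds, self.clock = window_seconds, clock

    def allow(self, tenant: str) -> bool:
        # The key carries the window start so counters roll over naturally;
        # a shared store (e.g. Redis) would also expire the key after the window.
        window = int(self.clock() // self.window_seconds)
        key = f"quota:{tenant}:{window}"
        return self.store.incr(key) <= self.limit


def simulate(instances: int, requests: int, limit: int, shared: bool) -> int:
    """Spread requests round-robin over replicas; return how many got through."""
    def clock() -> float:
        return 1_000.0  # frozen clock keeps every request inside one window

    shared_store = MemoryQuotaStore()
    limiters = [
        QuotaLimiter(shared_store if shared else MemoryQuotaStore(), limit, clock=clock)
        for _ in range(instances)
    ]
    allowed = 0
    for i in range(requests):
        if limiters[i % instances].allow("tenant-a"):
            allowed += 1
    return allowed


if __name__ == "__main__":
    # With a shared store the limit holds; with per-instance stores it is
    # multiplied by the replica count.
    print("shared store:  ", simulate(instances=3, requests=30, limit=10, shared=True))
    print("per-instance:  ", simulate(instances=3, requests=30, limit=10, shared=False))
```

Swapping `MemoryQuotaStore` for a store backed by a shared service is the only change needed to make the limiter correct across replicas, which is what the pre-launch check should confirm.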