OAuth & privacy
When you connect an AI assistant to ScentSell, you authorise it using OAuth 2.1. This page explains what access is granted and how to manage or revoke it.
What you'll learn
- What data your AI client can access
- How the OAuth flow works
- How to revoke access
What your AI client can access
When you authorise an MCP client, it gains access to:
| Scope | Access |
|---|---|
| Read collection | View your fragrances and remaining ml |
| Write collection | Add or remove items from your collection |
| Write wears | Log wears and add notes |
| Read stats | View your wear history and statistics |
The AI client cannot:
- Access your payment information
- See your marketplace orders or messages
- Access other users' data
- Change your account settings or password
How OAuth works
- You add ScentSell to your AI client (Claude Desktop, etc.) with the server URL.
- The first time a tool is called, your AI client redirects to https://mcp.scentsell.com.au/oauth/authorize.
- A browser window opens. You sign in to ScentSell (if not already signed in).
- You review the permissions and tap Authorise.
- ScentSell issues an access token to your AI client.
- Future tool calls use this token automatically.
Token lifecycle
- Access tokens expire after 24 hours.
- Your AI client automatically refreshes the token using a refresh token — you don't need to re-authorise unless you explicitly revoke access.
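What the client side of "How OAuth works" and "Token lifecycle" involves, as an added Python example (not ScentSell's code or any AI client's own). OAuth 2.1 requires PKCE for this flow, so the example includes it. The client ID, redirect URI and scope strings passed to these functions are hypothetical, since this page lists scope labels only, not identifiers.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://mcp.scentsell.com.au/oauth/authorize"  # from this page
ACCESS_TOKEN_LIFETIME = 24 * 60 * 60  # seconds: tokens expire after 24 hours

def new_verifier():
    """Random PKCE code_verifier (86 URL-safe characters), kept by the client."""
    return secrets.token_urlsafe(64)

def s256_challenge(verifier):
    """PKCE code_challenge: unpadded base64url of SHA-256(code_verifier)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, state, challenge):
    """URL the client opens in the browser for the sign-in and consent step."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,        # hypothetical value supplied by caller
        "redirect_uri": redirect_uri,  # hypothetical value supplied by caller
        "scope": " ".join(scopes),     # scope strings are assumptions
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}"

def extract_code(callback_url, expected_state):
    """Return the authorization code; reject refusals and foreign callbacks."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise PermissionError(f"authorisation refused: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not match this request")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def needs_refresh(issued_at, now=None, skew=60):
    """True once the access token is within `skew` seconds of its expiry."""
    now = time.time() if now is None else now
    return now >= issued_at + ACCESS_TOKEN_LIFETIME - skew
```

The code verifier never leaves the client until the token exchange, so an authorization code intercepted in the browser redirect cannot be redeemed without it.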
Revoking access
To disconnect an AI client from ScentSell:
- Go to Account → Connected apps.
- Find the client you want to disconnect.
- Tap Revoke access.
You can also revoke access by removing the MCP server from within your AI client's settings.
Does ScentSell see my AI conversations?
No. ScentSell only sees the tool calls made to its MCP server — the specific structured requests (e.g. "log this wear") and nothing else. ScentSell never receives the full text of your AI conversation.