June 25, 2026 · 4 min read

How ReminderIt keeps your account secure with MCP and API keys

How ReminderIt secures MCP connections — hashed API keys, PKCE OAuth, per-request auth, and trusted domain validation.

Giving an AI assistant access to your reminder account requires trust in the security of the connection. Here's exactly how ReminderIt secures MCP access — from API key generation to OAuth token exchange — and what each layer protects against.

API key design

ReminderIt API keys are generated as rmt_ + 64 random hex characters (32 bytes from a CSPRNG). The raw key is shown once at creation and never stored — we store only its SHA-256 hash. Because the hash cannot be reversed into the key, a database breach exposes nothing an attacker can use to authenticate. Keys are per-user and you can revoke them at any time from the API Keys page.

Per-request authentication in HTTP mode

The hosted MCP server (mcp.reminderit.com) authenticates every request individually. The Bearer token from your Authorization header is hashed, looked up in the database, and validated — no session state, no shared credentials. A key that's compromised can be revoked without affecting other keys or other users.

OAuth 2.0 with PKCE for Claude.ai

The Claude.ai web connector uses the authorization code flow with PKCE (Proof Key for Code Exchange). A code_verifier is generated in the browser and its SHA-256 hash is stored with the auth code. When Claude.ai exchanges the code for a token, it must provide the verifier — meaning intercepting the code is useless without it.

Trusted domain allowlists

Dynamic client registration only accepts redirect_uris from verified domains (claude.ai and reminderit.com). An attacker can't register a malicious redirect_uri and steal your authorization code — it simply won't be accepted at registration time.
