Skip to main content

About the Datadrew MCP connection — security, data access, and revocation

Understand what data AI assistants can see through Datadrew MCP, how tokens and sessions work, and how to revoke access. Free on every plan.

Updated in the last hour

What is Datadrew MCP?

Datadrew MCP is a read-only endpoint at https://mcp.datadrew.io/mcp that lets external AI assistants — Claude, ChatGPT, and any other Model Context Protocol client — query your Datadrew data. It uses the open MCP standard and the same OAuth 2.1 sign-in flow you are used to from other apps.

This article explains what your AI assistant can and cannot do, how sign-in works, and how to revoke access.

Available on every plan

Datadrew MCP is included on every Datadrew plan, including Free. You do not need a paid subscription to connect Claude, ChatGPT, or any other MCP-compatible AI assistant.

Read-only by design

Every tool exposed via Datadrew MCP is read-only. Your AI assistant can:

  • Query orders, products, customers, and inventory from Shopify.

  • Pull campaign performance from Meta Ads, Google Ads, Amazon Ads.

  • Read traffic and conversion data from GA4 and Google Search Console.

  • Read email metrics from Klaviyo and Brevo.

  • Pull subscription data from Recharge, Skio, Stripe.

  • Read warehouse, review, and shipping data from Unicommerce, Judge.me, AfterShip.

It cannot:

  • Create, edit, or delete anything in your store.

  • Send emails, SMS, or ads on your behalf.

  • Change Datadrew settings or billing.

  • Access integrations you have not connected in Datadrew.

  • Access data from any other Datadrew account.

How sign-in works

  1. The AI client registers itself with Datadrew via OAuth 2.1 Dynamic Client Registration (RFC 7591).

  2. Your browser opens to app.datadrew.io to sign in. This is the same sign-in you use for Datadrew itself — email/password or Google.

  3. If your account has multiple shops, you pick which one the AI assistant will query.

  4. Datadrew issues an access token (1h) and a refresh token (30d) to the AI client.

  5. Every tool call uses the access token. When it expires, the client silently rotates it using the refresh token.

You never share your Datadrew password or API keys with the AI client — it only ever sees short-lived tokens.

Token lifecycle at a glance

Token

Lifetime

What it does

Access token

1 hour

Signs every tool call. Auto-refreshed by the AI client.

Refresh token

30 days

Used to get new access tokens. Rotated each use.

Session idle

30 days

30 days without use → sign in again.

Multi-shop accounts

One Datadrew MCP connector is scoped to one shop at a time. If your account has multiple shops, switch inside the chat:

  • "List my Datadrew shops"

  • "Switch Datadrew to [shop name]"

How to revoke access

From Datadrew:

  1. Click your profile avatar in the top-right and open Connected AI assistants (also reachable from Settings → Datadrew MCP).

  2. Click Revoke next to the AI client.

What happens on revoke. The refresh token is invalidated immediately, so the AI client can no longer mint new access tokens. An access token that was already issued keeps working until its 1-hour expiry — this is how stateless OAuth 2.1 tokens work. For most uses the next tool call will fail within a few minutes as the client tries to refresh. If you need to cut off in-flight access instantly, also remove the Datadrew connector inside the AI client itself.

From your AI client: remove the Datadrew connector from its settings. This deletes the local tokens so the client stops making requests.

What Datadrew logs

Datadrew records which tools your AI assistant calls, the shop the call is scoped to, and the timestamp — the same way we log other activity in your account. We do not log response content beyond what is required to serve the request.

Frequently asked questions

Does Datadrew MCP cost extra or consume AI credits?

No. It's included on every plan at no additional cost. AI credits are only consumed when you use Drew AI (Datadrew's in-app AI analyst). External MCP connections do not draw from your credit balance.

Which AI clients are supported?

Any client that supports custom remote MCP servers, including Claude Desktop, Claude.ai, ChatGPT (Pro/Business/Enterprise), Claude Code, Cursor, Windsurf, and most self-built MCP clients.

Will the AI assistant see my payment details?

Stripe tools return invoice, charge, and payout summaries — the same data visible in the Stripe dashboard. They do not return raw card numbers.

Can I limit which tools the AI assistant can use?

Today the connector exposes read access to all connected integrations. To exclude a specific platform, disconnect it under Datadrew Integrations.

Is my data leaving Datadrew?

Your AI assistant receives only the data it requests to answer your question — same as your browser receiving dashboard data. What your AI client does with that data (including whether it's used for training) is governed by that client's privacy policy, not Datadrew's.

Need help?

Reach out at support@datadrew.io or use the in-app chat.

Related Articles
Connecting your Klaviyo account
Connecting Datadrew to Claude, ChatGPT, and other AI assistants
Did this answer your question?