Security
ai2workout is a narrow OAuth-based bridge between Intervals.icu and MCP-compatible AI clients. We deliberately keep the attack surface small.
Core principles
- No user-facing Intervals.icu API-key copy-paste. We use OAuth 2.0 exclusively.
- OAuth access tokens are encrypted with AES-256-GCM before being persisted in PostgreSQL.
- The encryption key (TOKEN_ENCRYPTION_KEY) lives only in server runtime environment variables, never in the repo.
- Training data is fetched on demand from Intervals.icu instead of bulk-imported by default.
- Each MCP write tool (workout, calendar event) is explicitly scoped and auditable.
- Audit logging is enabled for sensitive service events (token exchanges, MCP tool calls).
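
The token-at-rest principle above, sketched as an added example (this is not ai2workout's own code). It assumes a base64-encoded 32-byte TOKEN_ENCRYPTION_KEY and a hypothetical envelope layout of `iv || tag || ciphertext`, and it binds the user id as associated data so a ciphertext copied into another user's row fails to decrypt.

```javascript
// Added example, not ai2workout's code. Function names and envelope layout are assumptions.
const crypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Load the key from the environment; base64 encoding of the variable is assumed.
function loadKey(env = process.env) {
  const key = Buffer.from(env.TOKEN_ENCRYPTION_KEY || '', 'base64');
  if (key.length !== 32) throw new Error('TOKEN_ENCRYPTION_KEY must decode to 32 bytes');
  return key;
}

// Returns base64(iv || tag || ciphertext), the value that would be stored in the database column.
function encryptToken(key, userId, token) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per call; never reuse one with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(userId, 'utf8')); // authenticated but not encrypted
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext token, or null when the envelope is malformed,
// was modified, or was encrypted for a different user id.
function decryptToken(key, userId, envelope) {
  const buf = Buffer.from(envelope, 'base64');
  if (buf.length < IV_LEN + TAG_LEN) return null;
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(userId, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if the tag does not verify; no plaintext is returned in that case
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```
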
Authentication
End users authenticate via Supabase Auth (email/password, Google OAuth). MCP clients authenticate via a per-account bearer token bound to the user’s ai2workout account. Tokens can be revoked at any time.
Data isolation
Row-level security (RLS) is enabled in PostgreSQL: a user can only read or modify the Intervals.icu connection attached to their auth.users.id. Server-side route handlers use the Supabase service role and validate the caller’s JWT before performing privileged operations.
Responsible disclosure
If you find a vulnerability, email contact@cloudustry.eu with a clear description and reproduction steps. Please do not access data that is not yours, and give us a reasonable window to fix issues before public disclosure.
Current beta limitations
Public launch hardening will include a self-serve disconnect & deletion page, expanded token revocation handling, stricter abuse controls (rate limiting, anomaly detection) and production-grade monitoring/alerting.