Authentication

The Upstream MCP server uses Personal Access Tokens (PATs) for authentication.

Creating a token

1. Open Upstream and go to Settings
2. Navigate to API and MCP
3. Click Create token
4. Copy the token — it will only be shown once

Using your token

Pass your token as a Bearer token in the Authorization header when configuring your MCP client:

Authorization: Bearer <your-token>

See the client setup guides for exactly where to paste this in your specific AI client.

What your token can access

Your token gives the MCP server access to the same data you see in the Upstream app. It cannot access other users’ private data. Specifically:

• Your inbox, threads, and messages
• Your labels, channels, and inbox splits
• Your rules and settings
• Your contacts and organization members
• Sending replies and composing emails on your behalf

Security

• Keep your token private. Don’t share it or commit it to version control.
• One token per client is recommended so you can revoke access individually.
• Revoke compromised tokens immediately from Settings > API and MCP.
• The MCP server acts as a proxy to your Upstream account — it does not store your email data separately.

Caution

Write actions like compose-thread, reply-to-thread, and trash-threads make real changes to your inbox. Most MCP clients will ask for confirmation before executing them.