![GS Logo-GS platform.png]](https://support.govspend.com/hs-fs/hubfs/GS%20Logo-GS%20platform.png?height=25&name=GS%20Logo-GS%20platform.png){kind=small}
MCP Server: IT & Security FAQ
Data flow, authentication, network requirements, and the practical security posture of the GovSpend MCP integration.
Security summary: The recommended setup paths store no API keys on endpoint devices. All GovSpend traffic originates from the AI vendor's cloud infrastructure, not user laptops. Access can be revoked at the GovSpend account level (revoke key) or at the workspace level (remove the app or connector).
| Data Classification | Authentication & Key Management |
| Encryption | Data Flow |
| Logging & Auditability | Security Comparison: Vendor-Cloud vs. On-Device |
| IT Review Checklist |
Data Classification
What kind of data does this integration access?
No customer or end-user PII flows through this integration. The data returned is, by source, public procurement information — the same data the customer's GovSpend account is already entitled to access through the web application. The MCP grants no additional access beyond existing entitlements.
Network Requirements
| Item | Value |
|---|---|
| MCP endpoint | https://mcp-spark-prod.govspend.com/mcp |
| Health check (no auth required) | https://mcp-spark-prod.govspend.com/health |
| Protocol | MCP over HTTPS (TLS) on TCP/443 |
| Direction | Outbound HTTPS only — no inbound connections |
| Plain HTTP | Not allowed. Plain HTTP requests are rejected. |
Do we need firewall changes?
It depends on the integration path:
- Vendor-cloud paths (Claude, ChatGPT, M365 Copilot, Copilot Studio): The AI vendor's MCP runtime calls GovSpend from the vendor's cloud, not from user devices. No firewall changes are required.
- On-device paths (Claude Bridge and CLIs): Calls originate from the user's machine. Outbound HTTPS to
mcp-spark-prod.govspend.comon TCP/443 must be allowed.
Authentication & Key Management
How does authentication work?
| Aspect | Vendor-cloud (recommended) | On-device (Bridge / CLI) |
|---|---|---|
| Auth mechanism | OAuth handshake (Claude, ChatGPT, M365 Copilot) or static API key in Authorization header (Copilot Studio) | Bearer token in HTTP Authorization header |
| Where the key lives | Vendor-managed credential store | Plain-text config or browser-managed OAuth token |
| Key issuance | Created by a GovSpend account admin in the GovSpend platform | Same |
| Revocation | GovSpend admin revokes; workspace admin can disconnect | GovSpend admin revokes; user removes local config |
| Permission scope | Same entitlements as the GovSpend web app — no privilege elevation | Same |
What is the key rotation recommendation?
Rotate API keys according to your organization's secret-rotation policy. For on-device paths (Claude Bridge and CLIs), treat the API key as a workstation-resident secret — rotate immediately if a device is lost, stolen, or decommissioned.
Encryption
Is data encrypted in transit?
Yes. All MCP traffic uses TLS over HTTPS. The endpoint rejects plain-text HTTP. For specific TLS version and cipher requirements, contact support@govspend.com.
What about data at rest?
Procurement data follows GovSpend's published data-protection standards. Contact support@govspend.com for the documentation applicable to your organization.
Data Flow
Vendor-cloud paths (Claude / ChatGPT / M365 Copilot / Copilot Studio)
- User sends a question in their AI client.
- The client transmits the conversation to the AI vendor's servers.
- The vendor's MCP runtime calls
mcp-spark-prod.govspend.com/mcpover HTTPS. Authentication is either an OAuth-issued bearer token (Claude, ChatGPT, M365 Copilot) or a static API key in the Authorization header (Copilot Studio). Either way, the credential lives in the vendor's credential store — not on user devices. - GovSpend returns data scoped to the user's entitlements.
- The vendor forwards the response to the client. The GovSpend MCP is read-only — all calls are query-only.
On-device paths (Claude Bridge & CLIs)
- User sends a question in Claude Desktop (Bridge) or a CLI (Claude Code, Codex, Gemini).
- The local bridge or CLI calls GovSpend over HTTPS using a bearer token from local config or a browser-managed OAuth token.
- GovSpend returns data; the bridge or CLI returns it to the client.
- The client then transmits the conversation (including tool results) to the AI vendor per its standard data flow.
Logging & Auditability
GovSpend side API requests via MCP are logged and attributable to the user whose key was used. Contact support@govspend.com for log retention periods and audit access.
AI vendor side Conversation and tool-use activity is logged per each vendor's policies. For vendor-cloud paths, the vendor is in the data path and this is the primary audit surface. Enterprise plans typically expose admin audit controls for custom apps and connectors.
Customer side (Bridge & CLIs only) Outbound MCP calls can be captured by standard EDR and endpoint monitoring tools.
Security Comparison: Vendor-Cloud vs. On-Device
| Consideration | Vendor-cloud (recommended) | On-device (Bridge / CLI) |
|---|---|---|
| API key on endpoint devices | No | Yes (plain-text config) |
| Local software to patch | None | Python, Node.js, Git, bridge package, or a CLI |
| Egress source for MCP calls | AI vendor data centers | User's machine |
| Customer firewall changes | None | Outbound HTTPS from user devices |
| Centralized disconnection | Yes (workspace-level revoke or connector removal) | No (each user removes local config) |
IT Review Checklist
Before deploying the GovSpend MCP integration, work through the following:
- Confirm
mcp-spark-prod.govspend.comis reachable over HTTPS from your chosen connection path. - ChatGPT Business/Enterprise/Edu: Decide whether Developer Mode should be enabled at the workspace level.
- Claude Team/Enterprise: Identify which Owner will install the GovSpend connector at the org level.
- Copilot Studio: Classify the GovSpend MCP in your Power Platform DLP policy and identify which environments will host agents using it.
- M365 Copilot: Confirm the tenant is Commercial, GCC, or GCCH (not DoD); designate the admin who will provision the federated connector.
- Designate which GovSpend admin(s) will issue and rotate API keys.
- Confirm that user accounts being granted keys have the correct GovSpend entitlements.
- Request current GovSpend security and compliance documentation from support@govspend.com.
- If allowing the Claude Bridge: Confirm EDR and endpoint monitoring is appropriate for environments where API keys are stored on user devices.