Skip to content
Aurora MCP by Consilio

Security model

Aurora MCP was built to be safely handed to an AI assistant. This page covers what that means in plain terms. For procurement-grade detail — SIG / CAIQ responses, architecture deep-dives, threat-model walk-throughs — email infosec.clientrequests@consilio.com and we’ll work through it with you.

In one paragraph

Section titled “In one paragraph”

Your AI assistant signs in as you, against the same identity service you already use for the Consilio portal. Every request the assistant makes is scoped to your existing access — nothing more, nothing less. The tools we expose only read data; nothing written by Aurora MCP ever changes a matter, a workspace, or a document. And the access token your assistant receives never reaches the MCP server itself — it’s validated at Consilio’s gateway, which forwards a verified identity to the service on your behalf.

What this means in practice

Section titled “What this means in practice”
  • Authentication is per user. No shared secrets, no service accounts, no client passwords stored on your laptop.
  • Visibility matches the portal. If you can see a matter in Consilio, your assistant can see it through Aurora MCP. If you can’t, it can’t.
  • Off-boarding is automatic. Lose access in the portal and your MCP access disappears in the same instant.
  • Read-only. No tool writes, updates, or deletes anything upstream. An overly enthusiastic AI has nothing destructive to reach for.
  • Tokens stay at the edge. The MCP server never sees, logs, or forwards your access token.
  • Your prompts and results aren’t kept. We don’t persist prompt content or tool output server-side.

Standards we build on

Section titled “Standards we build on”

We use established, audited standards rather than rolling our own:

  • OAuth 2.1 with PKCE for sign-in.
  • Audience-bound tokens — a token issued for Aurora MCP can’t be replayed against any other Consilio service.
  • Automatic discovery of authentication metadata, so clients configure themselves with one URL.
  • SSO and MFA through Consilio Identity, our enterprise identity service.

If you’d like the specific RFCs and protocol details, your security team is welcome to ask — we’ll send them. We’ve kept them out of this page so it stays useful to non-engineers.

Reporting a security concern

Section titled “Reporting a security concern”

Email infosec.clientrequests@consilio.com for any suspected vulnerability. Please don’t file public issues. We acknowledge within one business day and follow Consilio’s incident-response policy for coordinated disclosure. See FAQ → Support for the full contact list.

Want more depth?

Section titled “Want more depth?”

Procurement and security teams routinely ask us for SIG / CAIQ responses, architecture diagrams, and threat-model walk-throughs. Email infosec.clientrequests@consilio.com with your organisation name and timeline and we’ll arrange the right level of detail.