Authentication

YNAB MCP uses OAuth 2.0 to securely connect to your YNAB account. Your YNAB credentials are never shared with us - you authorize access directly through YNAB.

How it works

  1. You click "Connect YNAB" - We redirect you to YNAB's authorization page
  2. You authorize access - YNAB asks you to confirm access to your budget data
  3. YNAB redirects back - You're sent back with an authorization code
  4. We exchange for tokens - The code is exchanged for access and refresh tokens
  5. You get your user ID - A unique ID to use in your MCP client configuration

Connecting your account

After authorizing, you'll see a page with your user ID. Copy this ID and add it to your Claude Desktop configuration:

claude_desktop_config.json

{
  "mcpServers": {
    "ynab": {
      "command": "npx",
      "args": ["-y", "ynab-mcp"],
      "env": {
        "YNAB_USER_ID": "your-user-id-here"
      }
    }
  }
}

Token security

Your tokens are protected with multiple layers of security:

  • Encrypted storage - Access and refresh tokens are encrypted with AES-256-GCM before storage
  • Per-user encryption keys - Each user's SQLite database is encrypted with a unique key
  • Automatic refresh - Access tokens expire after 2 hours and are automatically refreshed
  • MongoDB Atlas - Token storage uses MongoDB with TLS encryption in transit
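
The AES-256-GCM token encryption listed above, sketched for Node.js as an added example (this is not YNAB MCP's own code). The function names, the `iv || tag || ciphertext` record layout and the use of the user ID as additional authenticated data are assumptions made for illustration.

```javascript
// Added example, not YNAB MCP's code. Function names and record layout are hypothetical.
const nodeCrypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypt one token under a 32-byte key. The user ID is passed as additional
// authenticated data (AAD): it is not encrypted, but the tag covers it, so a
// record copied onto another user's row fails to decrypt.
function encryptToken(key, userId, token) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh per call; never reuse under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Assumed stored layout: iv || tag || ciphertext, base64-encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptToken(key, userId, record) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < IV_LEN + TAG_LEN) throw new Error('record too short');
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the key, IV, tag, ciphertext or AAD does not match.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns the plaintext, or null when authentication fails.
function tryDecrypt(key, userId, record) {
  try { return decryptToken(key, userId, record); } catch { return null; }
}
```

Because GCM authenticates as well as encrypts, a stored record that has been modified, moved to another user's row, or opened with the wrong key is rejected rather than decrypted to garbage.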

Revoking access

You can revoke YNAB MCP's access to your account in two ways:

Option 1: Through YNAB

  1. Go to YNAB Account Settings
  2. Click "Developer Settings"
  3. Find "YNAB MCP" and click "Revoke"

Option 2: Through the API

Send a POST request, with your user ID in the x-ynab-user-id header, to revoke your access and delete all stored data:

curl -X POST https://api.ynabmcp.com/oauth/revoke \
  -H "x-ynab-user-id: your-user-id"

This will:

  • Delete your encrypted tokens from MongoDB
  • Delete your encrypted SQLite database
  • Immediately invalidate your session

What data do we access?

YNAB MCP requests read-only access to your budget data:

  • Budgets - List of your budgets and their settings
  • Accounts - Account names, types, and balances
  • Categories - Category groups, categories, and budgeted amounts
  • Transactions - Transaction details including payees, memos, and amounts
  • Payees - Payee names and locations

We never have access to:

  • Your YNAB username or password
  • Your bank credentials
  • The ability to create, modify, or delete any data
