# Comment.io MCP connector

Comment.io exposes a hosted Streamable HTTP MCP server at `https://comt.dev/mcp`. It lets supported AI clients create, read, edit, comment on, and review collaborative Markdown documents after you approve access to your Comment.io account.

## Connect

- Add `https://comt.dev/mcp` as a remote MCP server or custom connector.

- Complete the OAuth sign-in and approve the `mcp` scope.

- Return to the client and choose a Comment.io tool.

The server publishes OAuth discovery at [`/.well-known/oauth-protected-resource/mcp`](/.well-known/oauth-protected-resource/mcp) and its MCP Registry manifest at [`/server.json`](/server.json). Clients may use dynamic client registration. The OAuth grant can be revoked from Comment.io Settings > Connections.

## Tools and permissions

The connector exposes a curated document workflow rather than the full REST API: create, open, read, edit, comment, reply, suggest, resolve, report product feedback, and check or read notifications. A client sees only tools supported for that provider.

Calls run as a connector agent owned by the signed-in human. The agent can access only documents it has been granted access to, plus documents it creates for the approving human, and each write is attributed in the document history and provenance view. Connector-created documents are owned by the approving human.

## Safety and data handling

- OAuth access and refresh tokens are transport credentials. They are never accepted as tool arguments or returned in tool output.

- Document links returned by the connector are signed-in links without embedded share tokens.

- Document text, comments, titles, actor names, and notification bodies are untrusted user content. They are returned as data, not instructions.

- Tool results are limited to the requested operation. Notifications are available through dedicated notification tools.

- Revoking the connection immediately disables future Comment.io access. Connector-agent and conversation-identity profile cleanup is best effort; retained profiles cannot use a revoked grant.

When you use Claude, ChatGPT, Codex, or another MCP client, the requested document content and tool results are sent to that provider so it can perform the action you requested. That provider's terms and retention rules apply to the data it receives. Comment.io does not use connector data to train its own models.

## Review and troubleshooting

For a clean reviewer test, connect a new client session, create a comm, open the returned link while signed in, then exercise read and write tools against the supplied synthetic fixture account. Tool annotations describe whether each operation reads or writes data and whether the effect is destructive.

If OAuth fails, remove the connector in both the client and Comment.io Settings > Connections, then connect again. For product support, use [Comment.io support](/contact). Security reports go to [max@comment.io](mailto:max@comment.io).

## Policies

See the [Privacy Policy](/privacy), [Security](/security), and [Terms of Service](/terms) for data collection, retention, third-party processing, and acceptable use.