OpenTool is an open-source, self-hosted MCP (Model Context Protocol) server that gives AI agents like Claude, GPT, and Cursor secure, authenticated access to tools like GitHub, Notion, Slack, and more. It is the open-source alternative to Arcade.dev.

What is an MCP server?

MCP (Model Context Protocol) is a standard by Anthropic that lets AI agents call external tools securely. An MCP server handles authentication, tool execution, and security so your agent can create GitHub issues, send Slack messages, or query databases.

How is OpenTool different from Arcade.dev?

OpenTool is fully open-source (MIT licensed), self-hosted (runs on your infrastructure), and free forever. Your OAuth tokens and API keys never leave your server. Arcade.dev is proprietary, cloud-hosted, and paid.

Which AI agents work with OpenTool?

Any MCP-compatible agent — Claude Desktop, Cursor, Windsurf, Claude Code, and any custom agent using the MCP SDK.

How do I deploy OpenTool?

One command: docker compose up -d. OpenTool ships as a Docker image with PostgreSQL included. No external dependencies needed.

Is my data secure with OpenTool?

Yes. OpenTool runs entirely on your infrastructure. OAuth tokens are encrypted with AES-256-GCM. API keys are hashed with bcrypt. Every tool call is logged in an audit trail. Your tokens never leave your server.

Legal

Privacy Policy

Last updated: April 9, 2025

OpenTool ("we", "us", "our") is an open-source MCP (Model Context Protocol) server platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use the OpenTool hosted service at opentool.space, our dashboard, CLI, SDKs, and related services (collectively, the "Service").

If you self-host OpenTool, this policy applies only to any interactions with our hosted services (such as package registries or documentation). Your self-hosted instance is under your own control and responsibility.

1. Information We Collect

Account Information

When you create an account, we collect your email address and a hashed version of your password. We never store plaintext passwords. Your password is hashed using bcrypt before storage.

API Keys

We generate and store API keys that authenticate your requests. These keys are associated with your account and can be revoked at any time through the dashboard.

OAuth Tokens

When you connect third-party services (GitHub, Slack, Notion, etc.), we receive OAuth access tokens and refresh tokens from those providers. These tokens are encrypted at rest using AES-256-GCM before being stored in our database.

Usage Data

We collect basic usage metrics including tool execution counts, error rates, and response times. This data is used to improve service reliability and is not tied to individual user identities.

Log Data

Our servers automatically log request metadata including IP addresses, timestamps, user agents, and request paths. Logs are retained for a limited period for debugging and security purposes.

2. How We Use Your Information

Authenticate you and authorize access to connected services
Execute tool calls on your behalf through the MCP protocol
Maintain and improve the reliability and performance of the Service
Send important service notifications (security alerts, breaking changes)
Debug issues and respond to support requests
Comply with legal obligations

We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your data to train AI models.

3. Data Storage & Security

We take the security of your data seriously. Our security measures include:

All OAuth tokens are encrypted at rest using AES-256-GCM with a server-side encryption key
Passwords are hashed using bcrypt with appropriate salt rounds
All data in transit is encrypted via TLS/HTTPS
Database connections use SSL with certificate verification
Rate limiting is enforced on all authentication endpoints
API keys can be rotated and revoked at any time

Our database is hosted on Neon (PostgreSQL) with automated backups. Redis caching is provided by Upstash with TLS encryption. The application is hosted on Render with automatic SSL.

4. Third-Party Services

OpenTool integrates with third-party services on your behalf. When you connect a provider, we access only the data and permissions you explicitly authorize through OAuth consent screens. The providers we currently support include:

GitHub

Google (Gmail, Calendar, Drive, Meet)

Notion

Slack

Linear

Vercel

Resend

Each provider has its own privacy policy governing how they handle your data. We encourage you to review their policies. We only store the OAuth tokens necessary to execute tool calls — we do not bulk-download or cache your data from these services.

5. OAuth & Provider Access

When you connect a third-party service, you are redirected to that provider's authorization page where you grant specific permissions (scopes). OpenTool requests only the minimum scopes necessary for the tools to function. You can disconnect any provider at any time through the dashboard, which will immediately revoke our stored tokens.

We do not access any data beyond what is required to fulfill the specific tool call you initiate. For example, the GitHub "Create Issue" tool only accesses the repository you specify in that request.

6. Data Retention

Account data: Retained until you delete your account
OAuth tokens: Retained while the provider is connected; deleted immediately upon disconnection
API keys: Retained until revoked by you or account deletion
Server logs: Retained for 30 days, then automatically purged
Usage metrics: Retained in aggregate form; no personally identifiable information

7. Your Rights

You have the right to:

Access the personal information we hold about you
Request correction of inaccurate data
Request deletion of your account and all associated data
Disconnect any third-party provider at any time
Revoke API keys at any time
Export your data in a portable format
Withdraw consent for data processing

To exercise any of these rights, contact us at the email address below or use the relevant features in the dashboard.

8. Cookies

The OpenTool dashboard uses only essential cookies and local storage for authentication state (API key storage). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies. No cookie consent banner is required as we only use strictly necessary storage.

9. Children's Privacy

OpenTool is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the dashboard or via email. Continued use of the Service after changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

If you have any questions about this Privacy Policy or our data practices, please reach out:

Email: privacy@opentool.space

GitHub: Open an issue

OpenTool is open-source software released under the MIT License. This privacy policy applies to the hosted service at opentool.space. Self-hosted instances are governed by the operator's own policies.