Privacy and telemetry
What each MCP server sees on the wire, what it writes to logs, and what it stores at rest. Covers the hosted cloud server and the local npm package.
Hosted server (mcp.omnidim.io)
What crosses the wire on a tool call. Your MCP client sends a JSON-RPC request to https://mcp.omnidim.io/mcp with your access token in the Authorization header. The cloud validates the token, looks up the upstream credential bound to your account, and forwards the call to the OmniDimension REST API. The response comes back the same way.
What the server sees in memory. Because the cloud is a proxy, every tool call's arguments, response, and Bearer token pass through process memory while the request is in flight. This is standard for any hosted API gateway, and nothing in this section claims otherwise.
What we write to logs. Per-request structured logs capture: tool name, request ID, your OmniDimension user ID, HTTP method and path, status code, and duration. We use these for debugging and Grafana dashboards.
What we don't write to logs. A log scrubber runs at the top of the logging pipeline and recursively redacts known-sensitive keys from every event before it's persisted: api_key, access_token, refresh_token, client_secret, code_verifier, Authorization. Tool call request and response bodies also stay out of logs.
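A minimal sketch of the recursive, key-based scrubbing described above, as an added example rather than code from omnidim-mcp-cloud. The case-insensitive match, the `[REDACTED]` placeholder, the function names `scrub` and `leaked`, and the sample event are assumptions made for illustration.

```python
import json
from typing import Any

# Key names listed on this page. Case-insensitive matching is an assumption.
SENSITIVE_KEYS = frozenset(k.lower() for k in (
    "api_key", "access_token", "refresh_token",
    "client_secret", "code_verifier", "Authorization",
))
REDACTED = "[REDACTED]"  # placeholder chosen for this example


def scrub(value: Any) -> Any:
    """Return a copy of value with sensitive keys redacted at any depth."""
    if isinstance(value, dict):
        return {
            k: REDACTED
            if isinstance(k, str) and k.lower() in SENSITIVE_KEYS
            else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    return value  # scalars pass through unchanged


def leaked(event: Any, secrets: list[str]) -> list[str]:
    """Audit helper: secrets that still appear in the serialised event."""
    blob = json.dumps(event, default=str)
    return [s for s in secrets if s in blob]


# Constructed sample event and secrets, not real log data.
SAMPLE_SECRETS = ["sample-token-123", "sample-refresh-456", "sample-key-789"]
SAMPLE_EVENT = {
    "event": "tool_call",
    "request_id": "req-0001",
    "status": 200,
    "headers": {"authorization": "Bearer sample-token-123",
                "accept": "application/json"},
    "oauth": [{"refresh_token": "sample-refresh-456", "grant": "refresh"}],
    "upstream": {"config": {"api_key": "sample-key-789", "timeout_s": 30}},
}

if __name__ == "__main__":
    clean = scrub(SAMPLE_EVENT)
    print(json.dumps(clean, indent=2))
    print("leaked after scrub:", leaked(clean, SAMPLE_SECRETS))
```

Redaction by key name, as in this sketch, only covers values stored under the listed names; a token interpolated into a free-text field would pass through. Running a check like `leaked` over scrubbed events with known test secrets is one way to audit for that case.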
What we store at rest, and how.
- Access tokens, refresh tokens, and authorization codes: SHA-256 hashes only. The plaintext only ever exists in the issuing response and the client that holds it.
- The upstream OmniDimension API credential that backs your OAuth grant: encrypted with Fernet (AES-128-CBC + HMAC-SHA256), key derived from the service's signing secret.
- Tool call inputs and outputs: not persisted at all.
Disconnect. Revoke at any time from omnidim.io/api-management or from inside your MCP client. The entire grant family is revoked. Subsequent tool calls return 401.
Local server (@omnidim-ai/mcp-server)
What crosses the wire on a tool call. Your MCP client spawns the package as a stdio child process and pipes JSON-RPC to its stdin. The server validates arguments, then sends an HTTPS request to the OmniDimension REST API with Authorization: Bearer ${OMNIDIM_API_KEY}. No traffic leaves your machine for any other host.
Anonymous telemetry. The package sends a small set of anonymous events to https://mcp.omnidim.io/api/telemetry/event:
- Install ID (random UUID, generated locally on first run).
- Package version, Node version, OS family, CPU arch.
- Setup-step outcomes (succeeded, failed with a category like config_write_error).
- Per-session tool call counts grouped by tool name and outcome category (e.g. http_500, timeout).
What we never send.
- Your API key.
- Tool call inputs or outputs.
- Error messages (only short category codes).
- File paths, hostnames, IP addresses, usernames, or anything that could identify you personally.
Local diagnostics log. When something goes wrong, the real local error message is appended to ~/.config/omnidim/logs/mcp.log (or platform equivalent). The log is capped at 256 KB, redacts known-sensitive keys, and is never transmitted. The doctor command reads it for support reports.
Disable telemetry.
npx -y @omnidim-ai/mcp-server telemetry disable
This writes ~/.config/omnidim/telemetry with the disable flag. Re-enable with telemetry enable. The DO_NOT_TRACK=1 environment variable is also respected silently.
Source
Both servers are open source:
- omnidim-mcp-cloud (hosted, Apache 2.0)
- omnidim-mcp-server (local, MIT)
Audit the logging and telemetry code directly. The dispatcher is in app/services/dispatcher.py on the cloud side and src/telemetry.ts on the npm side.
