When you connect an MCP client to Variable, three things are working together. An agent does the thinking, Variable holds your data and decides what’s allowed, and MCP is the wiring that connects them. The agent runs outside Variable — you might self-host it or use a third-party service like Claude or ChatGPT — so it sits on its own side of a trust boundary. Knowing which layer does what, and who runs it, helps you understand what data is visible to whom, and how to keep your data safe.

The three roles

Agent

The LLM-powered client (Claude, ChatGPT, Copilot). It reads your chat messages, decides what to do, and calls tools to get data or make changes.
Any data you send in a chat message or data that is read from Variable will be visible to the agent and to whoever hosts it.

MCP

The open protocol that lets agents and Variable communicate. It tells the agent how to send and receive data from Variable.

Variable

The source of truth. It stores your data, enforces permissions, and returns results to the agent. Variable never sees your chat messages.

Where your data flows

Chat messages go to the agent, which decides what to do (respond directly, get or send data via an MCP, etc.). When the MCP receives a request, it passes it to Variable, which authenticates the request and enforces permissions. The results are sent back to the agent, which then responds to you. Solid arrows are the request on its way in; dashed arrows are the data coming back. The two boxes are separate trust boundaries: the agent (and its host) on one side, Variable on the other — they share only what crosses between them.

What stays where

The split of roles is also a set of trust boundaries. A few things follow from it:
  • The agent is separate from Variable — and where it runs is your trust decision. The agent sits entirely outside Variable, whether you self-host it or use a third-party service (Anthropic, OpenAI, Microsoft, etc.). Whoever hosts it sees your prompts and every result the agent reads, under their terms — not Variable’s. Self-hosting keeps that data inside your own network; with a third-party service, vet its data handling the way you’d vet any vendor before you connect it.
  • The agent reads everything in the conversation. It has no direct line to the database, but every tool result it fetches lands in the chat and stays there — so the conversation holds whatever data you’ve pulled into it.
  • OAuth scopes every call to one account. The agent can only touch your active Variable account. Switching accounts changes what it can reach — see Switching accounts.
  • Variable enforces permissions, not the agent. Each tool call runs under your account with the same rules as the app. The agent can’t do anything you can’t do yourself, and it can’t see any data you don’t have access to.
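
The last two points, sketched as an added example (this is not Variable's code or API): a server-side tool handler that takes the account and permissions from the authenticated token and never from anything the agent sends. The names `Session`, `TOKENS`, `RECORDS`, `handle_tool_call`, the tool names and the sample data are all hypothetical and constructed for illustration.

```python
"""Constructed sketch of server-side enforcement for an MCP-style tool call.
All names and data are hypothetical; this is not Variable's API."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    account: str      # the single active account bound to the OAuth token
    can_write: bool   # same permission the user has in the app

# Constructed sample data: token -> session, and records per account.
TOKENS = {
    "tok-alice": Session("alice", "acct-1", can_write=True),
    "tok-bob": Session("bob", "acct-2", can_write=False),
}
RECORDS = {"acct-1": {"r1": "alice budget"}, "acct-2": {"r2": "bob forecast"}}

class Denied(Exception):
    """Raised when authentication or authorization fails."""

def handle_tool_call(token: str, tool: str, args: dict) -> dict:
    """Authenticate the caller, then authorize using only server-side state."""
    session = TOKENS.get(token)
    if session is None:
        raise Denied("unauthenticated")
    # The account comes from the token. An agent-supplied 'account'
    # argument is rejected rather than silently honoured.
    if "account" in args:
        raise Denied("account is fixed by the token")
    store = RECORDS[session.account]
    rid = args.get("id")
    if tool == "read_record":
        if rid not in store:
            raise Denied("not found in active account")
        return {"id": rid, "value": store[rid]}
    if tool == "write_record":
        if not session.can_write:
            raise Denied("user lacks write permission")
        if not isinstance(rid, str):
            raise Denied("missing record id")
        store[rid] = args.get("value")
        return {"id": rid, "ok": True}
    raise Denied("unknown tool")
```

Because every decision is made from the token's session, a confused or manipulated agent can ask for anything but only receives what the signed-in user could already see or change.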