How Authentication Works

When you use Pylance MCP, secure authentication happens automatically in the background.

What Gets Protected

Your Workspace

Only you can access your Python projects and code

Your Requests

Each API call is authenticated and encrypted

Your Data

Code analysis happens securely - nothing is shared

Your API Keys

Keys are hashed and never stored in plain text

Automatic Security Features

Every request is protected:
  • ✅ Encrypted connections (TLS 1.3)
  • ✅ Secure token validation
  • ✅ Automatic session expiry
  • ✅ Rate limit protection
  • ✅ Workspace isolation

Authorization

Role-Based Access Control (RBAC)

| Role | Permissions | Use Case |
|------|-------------|----------|
| Free | 100 requests/day | Personal projects |
| Hobby | 5,000 requests/day | Side projects |
| Pro | 50,000 requests/day | Professional development |
| Enterprise | Unlimited | Large teams |

Workspace Isolation

Each user’s workspace is isolated:
  • Users can only access files within their workspace directory. No parent directory traversal.
  • Pylance runs in a separate process per user with resource limits (CPU, memory).
  • No outbound network access from analysis processes. Only the MCP server can make external calls.
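
One way to enforce the "no parent directory traversal" rule above, shown beside a flawed string-prefix check for contrast. This is an added example, not Pylance MCP's own code; the function names, the `WorkspaceEscape` exception and the directory layout in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class WorkspaceEscape(Exception):
    """Raised when a requested path resolves outside the workspace."""


def naive_allows(workspace: str, requested: str) -> bool:
    """Flawed string-prefix check, kept only to contrast with the one below."""
    joined = os.path.normpath(os.path.join(workspace, requested))
    return joined.startswith(workspace)


def resolve_in_workspace(workspace: str, requested: str) -> Path:
    """Return the real path of `requested`, or raise if it leaves `workspace`."""
    if "\x00" in requested:
        raise WorkspaceEscape("NUL byte in path")
    root = Path(workspace).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks; an absolute `requested`
    # replaces root in the join and is rejected by the containment test.
    candidate = (root / requested).resolve()
    # Compare whole path components, never string prefixes.
    if candidate != root and root not in candidate.parents:
        raise WorkspaceEscape(f"{requested!r} resolves outside the workspace")
    return candidate


def demo() -> dict:
    """Run both checks over a constructed layout; returns label -> (naive, strict)."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        ws, old = Path(base, "alice"), Path(base, "alice-old")
        (ws / "src").mkdir(parents=True)
        old.mkdir()
        (ws / "src" / "app.py").write_text("x = 1\n")
        (old / "secret.py").write_text("y = 2\n")
        os.symlink(old, ws / "link")  # symlink that points out of the workspace
        requests = {"inside": "src/app.py", "dotdot_inside": "src/../src/app.py",
                    "sibling_prefix": "../alice-old/secret.py",
                    "symlink": "link/secret.py", "absolute": "/etc/hostname"}
        for label, req in requests.items():
            try:
                resolve_in_workspace(str(ws), req)
                strict = True
            except WorkspaceEscape:
                strict = False
            out[label] = (naive_allows(str(ws), req), strict)
    return out
```

Open the path that `resolve_in_workspace` returns rather than the caller's original string. A symlink swapped in after the check can still race it, which is why the per-user process isolation listed above remains the backstop.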

Data Security

Encryption

In Transit

All connections use TLS 1.3. No unencrypted traffic.

At Rest

PostgreSQL uses AES-256 encryption for stored data.

Environment Variables

Secrets stored in Railway/Fly.io encrypted vaults.

API Keys

Hashed with bcrypt before database storage.

Data Retention

| Data Type | Retention | Purpose |
|-----------|-----------|---------|
| User code | Session only | Analysis, not stored |
| Request logs | 30 days | Debugging, auditing |
| Usage metrics | 90 days | Billing, analytics |
| Error reports | 7 days | Issue resolution |

Your code never leaves your machine when using local deployment. Cloud deployment analyzes code in memory only.

Rate Limiting

Prevents abuse and ensures fair usage:
# Rate limits by subscription tier
FREE_TIER = {
    "requests_per_day": 100,
    "requests_per_hour": 20,
    "concurrent_requests": 2
}

HOBBY_TIER = {
    "requests_per_day": 5000,
    "requests_per_hour": 500,
    "concurrent_requests": 5
}

PRO_TIER = {
    "requests_per_day": 50000,
    "requests_per_hour": 5000,
    "concurrent_requests": 20
}

Rate Limit Headers

Responses include rate limit information:
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4987
X-RateLimit-Reset: 1703001600

Vulnerability Management

Security Updates

1. Automated Dependency Scanning: Dependabot monitors for CVEs in dependencies
2. Weekly Security Audits: npm audit and pip-audit run in CI/CD
3. Rapid Patching: Critical vulnerabilities patched within 24 hours
4. Notification: Users notified via email for breaking changes

Responsible Disclosure

Found a security issue? Email: security@pylancemcp.dev
Do not open public GitHub issues for security vulnerabilities.
We typically respond within:
  • 🔴 Critical: 4 hours
  • 🟡 High: 24 hours
  • 🟢 Medium/Low: 72 hours

Compliance

GDPR Compliance

Right to Access: Download your data via API
Right to Erasure: Delete account removes all data
Data Portability: Export in JSON format
Privacy by Design: Minimal data collection

SOC 2 Type II

Enterprise plan includes SOC 2 Type II compliance:
  • Annual third-party audits
  • Security controls documentation
  • Incident response procedures
  • Access logs and monitoring

Best Practices for Users

Protecting Your API Keys

Never share your API keys or commit them to version control.
# ✅ Store keys securely in your environment
export PYLANCE_MCP_API_KEY="your_key_here"

# ✅ Use your IDE's secure credential storage
# Each IDE guide shows how to configure this safely

Using the Service Securely

Keep Keys Private

API keys are like passwords - never share them publicly or in screenshots

Review Permissions

Only grant workspace access to projects you trust

Monitor Usage

Check your dashboard regularly for unexpected activity

Update Regularly

Keep your MCP client and IDE extensions updated

If You Suspect a Security Issue

1. Rotate Your Keys: Immediately generate new API keys from your dashboard
2. Review Activity: Check your usage logs for suspicious requests
3. Contact Support: Email security@pylancemcp.dev with details
4. Update Configurations: Replace old keys in all your IDE configurations

Our Security Commitment

We take security seriously:
  • 🔒 Automatic Encryption: All data encrypted in transit and at rest
  • 🛡️ Regular Audits: Independent security audits for Enterprise customers
  • ⚡ Rapid Response: Critical vulnerabilities patched within 24 hours
  • 📊 Transparency: Security updates communicated promptly

Additional Resources