Authentication
Understand how Presso uses OAuth 2.0 to securely connect your data sources, manage permissions, and protect your credentials.
Overview
Presso uses OAuth 2.0 to connect to your data sources. This means Presso never sees or stores your usernames and passwords for services like Shopify, Google, or Meta. Instead, each data source issues a scoped access token that grants Presso read-only access to the specific data it needs.
This is the same authentication standard used by apps in the Shopify App Store, Google Cloud, and Meta Business Suite. It's the most secure and widely trusted method for third-party data access.
How OAuth works with Presso
When you connect a data source in the Presso dashboard, the following happens:
- You click "Connect" for a data source (e.g., Shopify) in the Presso dashboard.
- Redirect to the provider. Presso redirects you to the data source's authorization page (e.g., Shopify's OAuth consent screen).
- You grant permission. You review the requested permissions (scopes) and approve access. You're granting access to Presso, not to any individual AI assistant.
- Token exchange. The data source issues an access token (and usually a refresh token) to Presso. These tokens are encrypted and stored securely.
- Redirect back. You're returned to the Presso dashboard, where the connection appears as active.
From this point on, when an AI assistant calls a Presso tool, Presso uses the stored tokens to fetch data on your behalf. You don't need to re-authenticate unless the token is revoked or the connection expires.
┌──────────┐     ┌──────────┐     ┌──────────────┐     ┌──────────┐
│  Claude  │────>│  Presso  │────>│ OAuth Consent│────>│   Data   │
│   Code   │<────│  Server  │<────│ (Shopify,    │<────│  Source  │
│          │     │          │     │ Google, etc.)│     │          │
└──────────┘     └──────────┘     └──────────────┘     └──────────┘
 Tool call        Fetch data        Grant access       Return data
Connecting data sources
General process
The connection flow is the same for all data sources:
- Log in to the Presso dashboard.
- Click Add Connection.
- Select the data source from the list.
- Authorize access on the provider's consent screen.
- Verify the connection shows a Connected status on your dashboard.
Provider-specific notes
| Data Source | Account Required | Notes |
|---|---|---|
| Shopify | Shopify store with admin access | Connects as a Shopify app. You must be a store owner or have staff permissions to install apps. |
| Google Analytics 4 | Google account with GA4 property access | Select the specific GA4 property during authorization. |
| Google Ads | Google Ads account | Grants access to campaign, ad group, and keyword data. |
| Meta Ads | Meta Business account | Select the ad account(s) to connect during authorization. |
| Google Search Console | Google account with Search Console property | Select the website property to connect. |
| Google Merchant Center | Google Merchant Center account | Connects to your product feed data. |
| Amazon Ads | Amazon Advertising account | Grants access to sponsored products and campaign data. |
| Google Tag Manager | Google account with GTM access | Select the container(s) to connect. |
| Klaviyo | Klaviyo account | Grants access to campaigns, flows, profiles, segments, and analytics data. |
| ShipStation | ShipStation account (Gold plan+) | Connects via API key. Grants read-only access to shipments, carriers, rates, and inventory. |
| Judge.me | Judge.me account connected to Shopify | Grants read-only access to reviews, ratings, reviewers, and shop statistics. |
Permissions and scopes
Presso requests the minimum permissions necessary to read your data. Presso does not request write access to any of your data sources.
What Presso can access
- Read-only data. Presso can view your products, orders, analytics, ad campaigns, and other data. It cannot modify, create, or delete anything in your data sources.
- Scoped access. Each provider limits the access to specific APIs and data types. For example, Shopify grants access to read products and orders, but not to modify store settings.
What Presso cannot do
- Modify products, orders, or any store data
- Place or cancel orders
- Change ad campaign settings or budgets
- Access payment card details or sensitive customer financial information
- Access data from accounts you haven't explicitly connected
Scope details by provider
| Provider | Scope | Description |
|---|---|---|
| Shopify | read_products, read_orders, read_customers, read_inventory, etc. | Read-only access to store data |
| Google (GA4, Ads, GSC, GMC, GTM) | readonly scopes for each service | Read-only access to analytics, ads, and configuration |
| Meta Ads | ads_read, read_insights | Read-only access to ad accounts and performance data |
| Amazon Ads | advertising::campaign_management | Read access to campaign and performance data |
| Klaviyo | campaigns:read, flows:read, profiles:read, metrics:read, segments:read, lists:read | Read-only access to marketing and customer data |
| ShipStation | API key (v2) | Read-only access to shipping, carrier, rate, and inventory data |
| Judge.me | read_reviews, read_products, read_reviewers, read_shops, read_settings, read_widgets | Read-only access to review and shop data |
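The table above can be turned into a check that you run against the scopes shown on a consent screen or returned with a grant. The following is an added example, not Presso's code: it flags any granted scope that falls outside the documented read-only set. The provider keys, the patterns standing in for Shopify's "etc." and Google's "readonly scopes", and the sample scope strings are assumptions constructed for illustration.

```python
import re

# Read-only scope rules per provider, taken from the scope table above.
# Shopify's "etc." and Google's "readonly scopes" are modelled as patterns
# (assumption); every other rule lists only the scopes the table names.
READ_ONLY_RULES = {
    "shopify": re.compile(r"read_[a-z_]+"),
    "google": re.compile(r"https://www\.googleapis\.com/auth/[a-z.]+\.readonly"),
    "meta": re.compile(r"ads_read|read_insights"),
    "amazon": re.compile(r"advertising::campaign_management"),
    "klaviyo": re.compile(r"(campaigns|flows|profiles|metrics|segments|lists):read"),
    "judgeme": re.compile(r"read_(reviews|products|reviewers|shops|settings|widgets)"),
}


def parse_scopes(raw):
    """Split a scope string; OAuth 2.0 separates with spaces, some providers with commas."""
    return [s for s in re.split(r"[\s,]+", raw.strip()) if s]


def audit_scopes(provider, raw):
    """Return the granted scopes that are not in the documented read-only set."""
    rule = READ_ONLY_RULES.get(provider.lower())
    if rule is None:
        raise ValueError(f"no documented scopes for provider {provider!r}")
    # fullmatch, not search: "read_products write_products" must not pass as one token.
    return [s for s in parse_scopes(raw) if not rule.fullmatch(s)]


if __name__ == "__main__":
    # Constructed sample grants, not real consent data.
    samples = [
        ("shopify", "read_products,read_orders,write_products"),
        ("klaviyo", "campaigns:read flows:read profiles:write"),
        ("google", "https://www.googleapis.com/auth/analytics.readonly"),
    ]
    for provider, granted in samples:
        extra = audit_scopes(provider, granted)
        print(provider, "OK" if not extra else f"unexpected scopes: {extra}")
```

An empty result means every granted scope matches the read-only set documented for that provider; anything returned is worth questioning before you approve the consent screen.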
Managing connections
Viewing connection status
The Presso dashboard shows all your connected data sources with their current status:
- Connected -- The OAuth token is valid and data can be fetched.
- Expired -- The token has expired and needs to be refreshed or reconnected.
- Disconnected -- The connection has been removed.
Disconnecting a data source
To disconnect a data source:
- Go to the Presso dashboard.
- Find the data source you want to disconnect.
- Click the options menu and select Disconnect.
- Confirm the disconnection.
Disconnecting removes the OAuth token from Presso's storage. AI assistants will no longer be able to query that data source through Presso.
Reconnecting
To reconnect a disconnected or expired data source, click Reconnect next to the data source on the dashboard. You'll go through the OAuth flow again to issue a new token.
Token refresh and session handling
Automatic token refresh
Most OAuth providers (Google, Meta, Shopify) issue both an access token and a refresh token:
- Access tokens are short-lived (typically 1 hour for Google, longer for Shopify).
- Refresh tokens are long-lived and used to automatically obtain new access tokens when they expire.
Presso handles token refresh automatically. You don't need to manually reconnect your data sources when access tokens expire. As long as the refresh token is valid, Presso will seamlessly obtain new access tokens in the background.
When reconnection is needed
In some cases, automatic refresh isn't possible and you'll need to reconnect manually:
- Refresh token revoked. If you revoke Presso's access from the provider's settings (e.g., Google Account security page), the refresh token becomes invalid.
- Password change. Some providers invalidate all tokens when you change your account password.
- Scope changes. If Presso updates the permissions it requests, you may need to re-authorize to grant the new scopes.
- Provider policy. Some providers expire refresh tokens after extended periods of inactivity (e.g., 6 months).
When reconnection is needed, you'll see an Expired status on the Presso dashboard. Click Reconnect to re-authorize.
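The refresh behaviour and the Expired status described above can be sketched as follows. This is an added example, not Presso's implementation: the `Connection` record, the 60-second margin, and the `refresh` callable (a stand-in for the provider's token endpoint) are assumptions, and the responses are constructed. The `invalid_grant` error code is the one OAuth 2.0 (RFC 6749) defines for a refresh token that is invalid, expired, or revoked.

```python
from dataclasses import dataclass

SKEW = 60  # refresh this many seconds before expiry (assumed safety margin)

class ReconnectRequired(Exception):
    """The refresh token no longer works; the user must re-authorize."""

@dataclass
class Connection:  # hypothetical record: one per user and data source
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time at which access_token expires
    status: str = "Connected"

def ensure_access_token(conn, now, refresh):
    """Return a usable access token, refreshing first if it is about to expire.

    `refresh` stands in for a POST to the provider's token endpoint with
    grant_type=refresh_token and returns the parsed JSON body (RFC 6749).
    """
    if conn.status != "Connected":
        raise ReconnectRequired(conn.status)
    if now < conn.expires_at - SKEW:
        return conn.access_token
    body = refresh(conn.refresh_token)
    if body.get("error") == "invalid_grant":
        # Revoked, invalidated, or expired refresh token: retrying cannot help.
        conn.status = "Expired"
        conn.access_token = conn.refresh_token = ""
        raise ReconnectRequired("refresh token rejected")
    if "error" in body:
        # Anything else (e.g. invalid_client) is not the user's to fix.
        raise RuntimeError(f"token endpoint error: {body['error']}")
    conn.access_token = body["access_token"]
    conn.expires_at = now + body["expires_in"]
    # Providers that rotate refresh tokens return a new one; otherwise keep ours.
    conn.refresh_token = body.get("refresh_token", conn.refresh_token)
    return conn.access_token

# Constructed token-endpoint responses for the cases described above.
def provider_ok(refresh_token):
    return {"access_token": "at-2", "expires_in": 3600, "refresh_token": "rt-2"}

def provider_revoked(refresh_token):
    return {"error": "invalid_grant"}

if __name__ == "__main__":
    conn = Connection("at-1", "rt-1", expires_at=1000.0)
    print(ensure_access_token(conn, 990.0, provider_ok), conn.status)
```

Clearing both tokens on `invalid_grant` keeps a dead credential from lingering in storage while the connection waits for the user to reconnect.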
MCP session handling
When Claude Code (or another AI client) calls a Presso tool:
- Presso validates your MCP session.
- If the session is new or expired, Presso initiates browser-based authentication.
- Once authenticated, the session is maintained for the duration of your Claude Code session.
- Subsequent tool calls within the same session don't require re-authentication.
Security
Presso is designed with security as a core principle. Here's how your data is protected:
Encryption
- In transit. All communication between Claude Code, Presso, and data sources uses TLS 1.2+ encryption (HTTPS). No data is transmitted in plaintext.
- At rest. OAuth tokens and account data are encrypted at rest using AES-256 encryption.
No permanent raw data storage
Presso does not permanently store your raw e-commerce data. When an AI assistant requests data (e.g., "show me my orders"), Presso:
- Fetches the data in real time from the source API.
- Returns the results to the AI client.
- Does not retain copies of the fetched data.
Query metadata (timestamps, tool names) may be logged for operational purposes, but the actual data content from your stores and ad accounts is not persisted on Presso's servers.
Infrastructure
- Presso runs on secure, managed cloud infrastructure.
- All servers are in SOC 2-compliant data centers.
- Access to production systems is restricted to authorized Stellagent Inc. personnel with multi-factor authentication.
Credential isolation
- OAuth tokens for each user are stored separately and encrypted.
- Tokens are never shared between Presso accounts.
- Presso staff cannot view your OAuth tokens or use them to access your data sources.
Revoking access
You can revoke Presso's access at two levels:
From the Presso dashboard
Disconnect a data source in the Presso dashboard (see Managing connections above). This removes the token from Presso's storage.
From the provider
You can also revoke access directly from each data source's settings:
| Provider | How to revoke |
|---|---|
| Shopify | Go to your Shopify Admin > Settings > Apps and sales channels > Find Presso > Remove app |
| Google (GA4, Ads, GSC, GMC, GTM) | Go to myaccount.google.com/permissions > Find Presso > Remove Access |
| Meta | Go to facebook.com/settings?tab=business_tools > Find Presso > Remove |
| Amazon | Go to Amazon Advertising settings > Manage apps > Find Presso > Revoke access |
| Klaviyo | Go to Klaviyo Settings > Integrations > Find Presso > Remove |
| ShipStation | Go to ShipStation Settings > Account > API Keys > Regenerate or delete your API key |
| Judge.me | Go to Judge.me Settings > Apps > Find Presso > Revoke |
Revoking from the provider immediately invalidates the OAuth tokens. Presso will no longer be able to fetch data from that source, even if the connection still appears on the Presso dashboard.
Note: We recommend disconnecting from both the Presso dashboard and the provider's settings for a complete cleanup.
Frequently asked questions
Does Presso store my Shopify password?
No. Presso uses OAuth, which means it never sees or stores your Shopify password (or any other provider password). Authentication happens entirely on the provider's side.
Can Presso modify my store data?
No. Presso only requests read-only permissions. It cannot create, update, or delete products, orders, or any other data in your connected accounts.
What happens if I delete my Presso account?
All stored OAuth tokens and connection data are permanently deleted. Presso will no longer have access to any of your data sources. You should also revoke access from each provider's settings for completeness.
Is my data shared with other Presso users?
No. Each Presso account's data and connections are completely isolated. There is no cross-account data sharing.
Does Anthropic (Claude) store my e-commerce data?
Presso sends data to the AI client (e.g., Claude Code) as tool call results. Refer to Anthropic's data retention policy for how Claude handles conversation data. Presso itself does not control what the AI client does with the data after it's returned.
Next steps
- MCP Server Connection — Set up Presso in Claude Code and other AI clients.
- Quick Start — Get started with your first Presso queries.
- Troubleshooting — Solutions for common issues including authentication problems.