Last updated: 2026-05-17
This service is a hosted Model Context Protocol (MCP) server for Oura Ring. It lets a user connect their Oura account to supported MCP clients (such as Claude) through OAuth.
When you authorize this service with Oura, we access only the data your granted OAuth scopes permit, which can include daily readiness, sleep, activity, stress, heart-rate series, workouts, mindfulness sessions, user-entered tags, SpO2, and ring/personal metadata.
We use your Oura data exclusively to fulfil MCP tool requests you initiate through your connected client. We refresh OAuth access tokens when needed using your Oura refresh token, and operate and secure the hosted MCP service. We do not sell or share your Oura data with third parties.
This service runs on Cloudflare Workers. It does not maintain a long-term database of your Oura ring data. We store the minimum data required to operate the connector:
We do not log Oura ring data contents. Operational logs are limited to non-sensitive service metadata.
Stored OAuth credentials are retained only as long as needed to keep your connector working. To delete your data immediately, visit /delete and confirm with Oura — this removes your stored access/refresh tokens, all cached response entries scoped to your Oura user id, and revokes any OAuth grants this server issued to MCP clients on your behalf. Note that deletion via this site does not revoke Oura's own OAuth grant on Oura's side; revoke that separately from your Oura account's connected-apps page if desired.
We do not share your Oura data with third parties except with Cloudflare, which provides the hosting infrastructure (Workers, Workers KV) required to operate the service, when required by law, or when necessary to protect the security, integrity, or operation of the service. Cloudflare is the only third-party infrastructure provider used by this service.
We use OAuth-based delegated access rather than asking for your Oura credentials. Tokens are encrypted at rest. Secrets are stored as Cloudflare Worker secrets, not in source control. No system can guarantee absolute security, but reasonable technical measures are used to reduce unauthorized access risk.
You can stop using this service at any time by removing the connector in your MCP client's settings, or by revoking the Oura OAuth grant for this application from your Oura account. You can also delete stored data immediately by visiting /delete.
Questions about this policy or requests related to stored OAuth credentials: ivan@smirnovlabs.com.