Skip to content

Security & privacy

What runs locally and what never leaves your machine.

Godot MCP Studio is local-first by design. The parts that touch your code run on

your machine, not our servers.

Everything runs locally

The MCP server runs on your computer as a local process. Your AI client talks to

it directly. Your project files, scenes, scripts, and everything the AI does to

them are processed on your own machine.

The editor bridge is loopback-only

Live tools talk to Godot over a WebSocket bound to localhost, protected by a

per-project bearer token. Nothing is exposed to your network or the internet.

Running-game sessions use their own short-lived token, handed off privately and

authenticated on every message.

The addon is readable on purpose

The Godot editor addon installs as plain GDScript into your project, so you can

audit every line of the code that touches your scenes and files. Nothing that

runs inside your editor is hidden. The MCP server and desktop app are compiled,

licensed binaries; the addon they install is open for inspection.

What we don't collect

  • No telemetry or analytics from the desktop app or the local MCP server.
  • We never read, upload, or store your Godot projects. Code stays with you.
  • We don't sell or share your data. See the full

Privacy Policy.

What we do store

Only what's needed to run your account: your email and name, authentication

details, and your license and device activations. Payments are handled by Polar,

so we never see your card details.

Permission modes are enforced server-side

The permission mode you choose is enforced by the MCP server, not just the UI.

An AI can't call a tool your mode disallows, and destructive or command-running

actions require confirmation. See Permission modes.

Your responsibility

Keep your license code and account private, and use version control on your

projects. As with any tool that can edit code, a clean git history is your best

undo.