Direct answer
BookWriter app cards never show manuscript excerpts or internal AI diagnostics. OAuth scopes separate reading, writing, and publishing; every protected call validates the token’s issuer, audience, expiry, and scopes before accessing owner-scoped data.
Visible in cards
Book title, chapter position, accepted counts, goal progress, version/status labels, allowance counters, and safe BookWriter links may appear.
Never visible in cards
Manuscript excerpts, private prompts, model routing, provider names, token usage, cost, raw diagnostics, prompt hashes, credentials, and production identifiers are excluded.
Data boundaries
The conversation receives only the bounded context needed for the requested task. Authenticated BookWriter editors and owner-scoped resources remain the place to inspect full book content.
Connection security
The app uses OAuth authorization code flow with PKCE S256 and a protected-resource audience. Reconnect prompts include the required scope without disclosing private state.
Frequently asked
Do screenshots contain customer writing?
No. Product and reviewer evidence use neutral synthetic titles and compact status only.
Keep going
Continue the connected writing workflow.
Canonical URL: https://www.bookwriter.vip/mcp/guide/privacy-and-security · Updated July 15, 2026