Big security concern MakeApp API + MCPs

:bullseye: What is your goal?

I want to restrict API access to Organizations and / or Teams, instead of connecting them to a user and then giving that API access whatever the user has access to.

:thinking: What is the problem & what have you tried?

This is super dangerous because it is not made obvious before making these connections.

I wanted to connect a MakeApp to call a Subscenario.
After going through the OAuth, I got offered more Organizations than I expected (in some I am admin, in some just a developer, so I am VERY confused about the rules here..).
This means that whoever else would use the connection would instantly have access to the other Orgs and Scenarios that came up.
I attached the pictures.
With the MakeApp, this connection should definitely be Organization and Team restricted only!
Is this just a bug?

For the MCP, I generated an API token in Make, and as they are connected to a user, and run across Organizations and Teams the user is added to, this was even worse.
I got instant access to ALL the organizations and teams I am a member of (regardless of which access rights), instead of only having access to the scope within the Organization and / or Team.

As it currently is, this creates a bleeding effect, where I (or anybody else who has access to the connection, even from an unrelated team!) can technically run scenarios of other Orgs and Teams.

Please please please. Can this be fixed?

One way to solve this would be adding a dedicated dev service account to a specific Team, which would exist solely to create that API token..
But can you imagine how many different user accounts we would have to create?

Otherwise this is effectively restricting us from using the MCPs or really working on scenarios in multiple organizations, as the connections bleed over without our control..

I get that with MCP the API is technically mine.. but still, maybe I don’t want to jeopardize other Orgs in case something goes wrong with the way AI handles the instruction?

Curious to hear what the idea here was.. for now, I am disabling all the API tokens, lol.

:camera_with_flash: Screenshots (scenario flow, module settings, errors)

1 Like

Hi @Alena_Rebernik,

Make’s API tokens and OAuth connections are user-scoped, not organization/team-scoped. I understand your concern, but I think this is intended in the current setup.

I see you are using the Make App, with your user OAuth connection. Depending on scopes, you might have access to anything in the connected service through that user (which in this case is Make itself). This doesn’t work any differently than other services that you connect to Make. From the Teams plan onward, connections are limited to a team instead of the Organization.

Potential solution:

If you’re on the Teams plan or higher, you may consider creating a separate team in which you are the only member to connect to Make using your personal accounts and details. Source: Connect an application - Help Center

The challenge here is that you have a Make account with restrictions, in which you want to enable a service which coincidentally is Make itself, overruling the restrictions. Because your user has access to different Organizations and Teams, the connection does too.

In this case, why don’t you consider the ‘Call a Scenario’ module in this built-in App?

Or if you want to use OAuth, you can scope the connection in the advanced settings (which can also be done for API tokens).

Happy to hear what works out for you.

3 Likes
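The thread's core point is that a user-scoped token reaches every Organization and Team the user belongs to, so before wiring a token into an MCP it is worth measuring that reach against the scope you actually intend. The script below is an added example, not code from this thread or from Make; it assumes (unconfirmed here) that the Make REST API exposes `GET /api/v2/organizations` and `GET /api/v2/teams?organizationId=<id>` behind an `Authorization: Token <token>` header, each returning a JSON object with a list under the resource's name. The HTTP transport is injected so the audit runs offline against constructed sample responses.

```python
"""Audit the reach of a Make API token before connecting it to an MCP or MakeApp.

Added example, not code from the Make community thread or from Make itself.
Assumed (not confirmed by the thread): GET /api/v2/organizations and
GET /api/v2/teams?organizationId=<id>, authenticated with an
'Authorization: Token <token>' header, returning {"organizations": [...]}
and {"teams": [...]} respectively. Replace these if the real API differs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
from urllib.request import Request, urlopen

# A transport maps an API path (e.g. "/api/v2/organizations") to parsed JSON.
Transport = Callable[[str], dict]


def make_http_transport(base_url: str, token: str) -> Transport:
    """Real transport using the hypothetical endpoints/header described above."""
    def fetch(path: str) -> dict:
        req = Request(base_url.rstrip("/") + path,
                      headers={"Authorization": f"Token {token}"})
        with urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


@dataclass
class TokenReach:
    orgs: Dict[int, str] = field(default_factory=dict)               # org id -> name
    teams: Dict[int, Tuple[int, str]] = field(default_factory=dict)  # team id -> (org id, name)


def enumerate_reach(fetch: Transport) -> TokenReach:
    """List every organization the token can see, then every team inside each."""
    reach = TokenReach()
    for org in fetch("/api/v2/organizations").get("organizations", []):
        reach.orgs[org["id"]] = org["name"]
        for team in fetch(f"/api/v2/teams?organizationId={org['id']}").get("teams", []):
            reach.teams[team["id"]] = (org["id"], team["name"])
    return reach


def find_bleed(reach: TokenReach, allowed_team_ids: Set[int]) -> List[str]:
    """Return one finding per org/team the token reaches outside the intended teams."""
    findings: List[str] = []
    # An org is intended only if at least one allowed team lives in it.
    allowed_orgs = {reach.teams[t][0] for t in allowed_team_ids if t in reach.teams}
    for org_id, org_name in reach.orgs.items():
        if org_id not in allowed_orgs:
            findings.append(f"organization {org_id} ({org_name}) reachable but not intended")
    for team_id, (org_id, team_name) in reach.teams.items():
        if team_id not in allowed_team_ids:
            findings.append(f"team {team_id} ({team_name}) in org {org_id} reachable but not intended")
    return findings


# Constructed sample responses standing in for the real API (offline use only).
SAMPLE_RESPONSES = {
    "/api/v2/organizations": {"organizations": [
        {"id": 1, "name": "Acme (admin)"},
        {"id": 2, "name": "Globex (developer)"},
    ]},
    "/api/v2/teams?organizationId=1": {"teams": [
        {"id": 10, "name": "Automation"},
        {"id": 11, "name": "Finance"},
    ]},
    "/api/v2/teams?organizationId=2": {"teams": [
        {"id": 20, "name": "Globex Dev"},
    ]},
}


def sample_transport(path: str) -> dict:
    return SAMPLE_RESPONSES[path]


def audit_sample(allowed_team_ids: Set[int] = frozenset({10})) -> List[str]:
    """Run the audit over the constructed data; the intended scope defaults to team 10."""
    return find_bleed(enumerate_reach(sample_transport), set(allowed_team_ids))


if __name__ == "__main__":
    for line in audit_sample():
        print("BLEED:", line)
```

With the sample data and an intended scope of team 10 only, the audit reports the second organization and the two other teams as reachable-but-unintended, which is exactly the bleed the original post describes; an empty result is the condition to require before a token goes anywhere near an MCP.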