- Your SharkClean email/password are used once, during `shark-mcp-auth`, to log in through SharkNinja's real Auth0 browser flow. They are read from environment variables or a local `.env` file.
- The server does not store your password. The one-time login yields an Auth0 refresh token, cached at `~/.config/shark-mcp/tokens.json` (file mode `600`). The server mints short-lived access tokens from it as needed. `.env` and the token cache are never committed (`.env` is in `.gitignore`).
- Treat `~/.config/shark-mcp/tokens.json` like a password: it grants control of your robot. Delete it to revoke this machine's access; re-run `shark-mcp-auth` to restore.
- If you suspect your SharkClean password leaked (e.g. it was typed into a shared shell), change it in the SharkClean app and re-run `shark-mcp-auth`.
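
To confirm the token cache is actually protected as described above, a check like the following can be run on the machine. This is an added example, not code from this project; `audit_token_cache` is a hypothetical helper, and it assumes a POSIX system and the cache path given above.

```python
import os
import stat
import sys
from pathlib import Path

# Default location taken from the text above.
DEFAULT_CACHE = Path.home() / ".config" / "shark-mcp" / "tokens.json"


def audit_token_cache(path=DEFAULT_CACHE):
    """Return a list of findings; an empty list means the cache looks safe."""
    path = Path(path)
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return ["token cache not found (this machine has no cached access)"]

    if stat.S_ISLNK(st.st_mode):
        return ["token cache is a symlink; the refresh token may live elsewhere"]
    if not stat.S_ISREG(st.st_mode):
        return ["token cache is not a regular file"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode is {mode:03o}, expected 600 (group/other can access)")
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")

    # A writable parent lets another user replace the file even if it is 600.
    parent = os.stat(path.parent)
    if stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append("parent directory is group/world-writable; file can be replaced")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CACHE
    problems = audit_token_cache(target)
    for problem in problems:
        print("WARN:", problem)
    sys.exit(1 if problems else 0)
```
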
Open a GitHub issue for non-sensitive reports. For anything sensitive, contact the maintainer privately rather than filing a public issue.
This is an unofficial project, not affiliated with or endorsed by SharkNinja. It relies on community reverse engineering of a private API that can change at any time.