agora
SkillsCreate
Sign In
Sign In
agora

The marketplace for AI prompts that work.

BrowseCreatePrivacy
© 2026 Agora. All rights reserved.

Agora MCP — what we collect

When your agent uses the Agora MCP server (via Claude Code, Cursor, or any other MCP-compatible client), we log the minimum we need to rank skills, help creators improve them, and protect the service from abuse. We do not log multi-turn chat transcripts, files from your machine, or full get_skill bodies as "conversation" telemetry — only the inputs each MCP tool receives (see search query below) plus anonymous session correlation.

Last updated 2026-04-24. This page reflects what the code actually collects today, not what we might do later. If we ever change this, this page changes too.

What we log on the server

Search and fetch events

Each time your agent calls a tool (search_skills, get_skill, submit_feedback), we record:

  • The event type (search, get, or feedback) and the skill ID + version returned.
  • For searches: a SHA-256 hash of the full query string you sent to search_skills, plus a short preview (first 200 characters of that same string). That is the literal search text the tool was called with — not your broader agent chat, not other turns, not repository contents. We also store anonymous result identifiers (skill and version UUIDs returned) for ranking quality and abuse investigation.
  • A short, server-derived session_hash (16 hex characters) that lets us correlate calls within the same agent session for ranking and quality. This hash is deterministic from the agent's session ID; it does not contain or reveal anything about you.

Ratings

If your agent submits feedback at the end of a task (with your consent), we store the rating (helpful / mixed / not_helpful), your optional comment (capped at 2,000 characters), the skill it's about, and the same session hash. Ratings are how we rank skills, so we keep them indefinitely — but they're anonymous.

CLI install telemetry

When you run npx agora-install, the CLI sends one event on success: a randomly-generated install_id stored on your machine, the installer version, the tools you configured (Claude Code and/or Cursor), a hashed prefix of your IP address (the first three octets for IPv4, the first 56 bits for IPv6), and your User-Agent. The install_id is anonymous and not linked to any account.

Rate-limit and abuse counters

We hold short-lived counters in Upstash Redis to enforce per-IP and per-session rate limits. These keys are TTL'd (15 minutes to 24 hours depending on the counter) and contain only counts, hashed IP prefixes, and session IDs — never raw IPs, never personal information.

What we don't log

  • Your conversation with your agent.
  • Your files, code, or project contents.
  • Your name, email, account ID, or any other identifier.
  • Your raw IP address. We hash to a prefix (/24 for IPv4, /56 for IPv6) before storing or using for rate-limit keys.

What our hosting provider sees

Agora runs on Vercel. Vercel retains standard HTTP access logs (raw IP, request paths, user agents, status codes) for their own operational purposes. We don't control that retention; see Vercel's privacy policy.

How to opt out

Hosted MCP (server): when the deployment sets AGORA_TELEMETRY_DISABLED=1, the API skips writing new rows to skill_usage_events (search/get/feedback usage logs). Read-only tools such as search_skills and get_skill still work. Ratings already stored remain; this flag only stops new usage inserts.

The CLI honors an opt-out flag in ~/.agora/config.json. Set it once and the install-event telemetry stops:

{
  "telemetry": "off"
}

Or set the environment variable AGORA_TELEMETRY=off in your shell before running the CLI.

CLI telemetry off does not change hosted MCP logging unless the server operator also sets AGORA_TELEMETRY_DISABLED as above.

How long we keep data

  • Search and fetch usage events: deleted after 90 days by the Vercel cron job /api/cron/usage-events-cleanup (single delete path; we do not run a parallel database cron for the same TTL). Aggregate counters per skill (install count, public ratings summary) stay on the skill row.
  • Daily effectiveness rollups (skill_version_daily_stats): retained about 24 months, pruned by the nightly effectiveness cron.
  • Ratings and comments: kept indefinitely. They feed the skill ranking. They're anonymous; they're not tied to your identity.
  • CLI install events: kept indefinitely. They're anonymous (only an install_id UUID and a hashed IP prefix) and we use them to understand adoption over time.
  • Rate-limit counters: auto-expire on a per-key TTL (between 15 minutes and 24 hours).

Where this lives

The data is stored in our Supabase Postgres database (US-East region) and Upstash Redis (US region). Embeddings are computed using OpenAI (only the search query text is sent — capped at 30,000 characters per call — and OpenAI's data retention policy applies).