Giving an AI access to your money sounds like the plot of a cautionary tale. Done right, it’s closer to handing your accountant a quarterly statement: scoped, read-only, easy to take back. The trick is understanding the trust chain, picking the right middle layer, and using a few simple habits that keep blast radius small. Here’s the practical version, with the security choices explained as we go.
The shape of the setup
You’re not giving Claude your bank password. You’re giving Claude a token to a middle layer — a personal finance app that already has read-only access to your accounts via Plaid (or MX, Finicity, etc.). Claude calls the middle layer; the middle layer answers with just enough data to satisfy the question. Three independent links in the chain:
- Bank → Plaid: secured by your bank login, MFA and Plaid’s consent flow. You can revoke from either side.
- Plaid → finance app (e.g. Slate): read-only access tokens, encrypted at rest, scoped to your accounts only.
- Finance app → Claude: a per-user MCP token you can revoke in one click, with optional auto-expiry.
A failure or compromise in one link doesn’t automatically compromise the others. That’s the point of the chain.
Step 1: Pick a good middle layer
The middle layer is the most important decision in the whole stack. The non-negotiables:
- Read-only access to the assistant. The MCP connector exposed to Claude must not be able to move money. If the docs don’t state this plainly, assume it isn’t read-only.
- Per-user tokens. Not a single shared API key. Not “our company’s key in your env.”
- One-click revocation. You should be able to disconnect Claude in under ten seconds, without contacting support.
- An explicit no-train policy. The privacy policy should state plainly that your data is not sold and not used to train models.
- A real product behind the MCP. If the MCP is the whole product, the data underneath it is probably thin. Look for an app you’d use even without the connector.
Slate is built around exactly this shape, and is the example we’ll use below. Other generalist apps work too, as long as they meet those criteria.
Step 2: Create a Claude token
- Open Settings → Integrations in your finance app.
- Pick the Claude-specific connector rather than “generic MCP” when both are offered; vendor-specific connectors usually carry better defaults.
- Set an expiry. 30 days is a reasonable default; 90 if you live in your assistant; “until I turn it off” if you really mean it. There’s nothing wrong with rotating monthly.
- Copy the MCP URL. It contains the token; treat it like a password.
Step 3: Add the connector to Claude
In Claude Desktop, go to Settings → Connectors → Add custom connector. On the web (Pro/Team), it’s Settings → Tools. Paste the URL and approve. Claude will show you every tool the connector exposes — things like get_accounts, search_transactions, list_budgets, get_net_worth_breakdown. All read-only. Skim the list once so you have a mental model of what Claude can and can’t see.
What Claude can and can’t do
- Can: see your accounts, transactions, balances, budgets, net worth, goals; produce summaries, charts and projections.
- Can’t: move money, change a password, see anyone else’s data (even within your household, unless you’ve explicitly shared), or keep accessing your data after you revoke the token.
- Can do incidentally: remember details from the conversation. So treat the chat itself like a notebook — don’t paste in sensitive things that don’t need to be there.
Step 4: Audit and revoke as a habit
A good MCP setup shows you what the assistant has actually read and when. Check it occasionally, the same way you’d glance at the active sessions on your email account. Look for anything that doesn’t match a conversation you remember. If anything looks off — or you’re just done with the experiment — click revoke. Access cuts off on Claude’s next tool call.
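Steps 2 through 4 describe what the finance app's side of the chain has to enforce: a per-user token with an expiry, a connector that exposes only read-only tools, scoping to the token owner's own data, and an audit log that backs one-click revocation. The following is an added illustration of that lifecycle written for this article; it is not Slate's code or any real MCP server. The URL shape, the class names, the `transfer_funds` tool name and the two sample users are assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Any, Callable, Optional

# The only tools the assistant can reach (names follow the page). There is no
# write tool to call, so "move money" is refused before any dispatch happens.
READ_ONLY_TOOLS: dict[str, Callable[[dict, dict], Any]] = {
    "get_accounts": lambda d, a: [{"name": x["name"], "balance": x["balance"]} for x in d["accounts"]],
    "search_transactions": lambda d, a: [t for t in d["transactions"]
                                         if a.get("query", "").lower() in t["merchant"].lower()],
}

@dataclass
class TokenRecord:
    user_id: str
    expires_at: Optional[float]  # None means "until I turn it off"
    revoked: bool = False

class ConnectorService:
    """Hypothetical finance-app back end: per-user tokens with expiry, one-click
    revocation, a read-only allowlist and an audit trail of every call."""

    def __init__(self, data: dict[str, dict], clock: Callable[[], float]):
        self._data = data                          # user_id -> that user's data only
        self._clock = clock                        # injected so expiry is testable
        self._tokens: dict[str, TokenRecord] = {}  # keyed by SHA-256 of the secret
        self.audit_log: list[dict[str, Any]] = []

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()  # only the hash is stored

    def issue_token(self, user_id: str, ttl_days: Optional[int] = 30) -> str:
        secret = secrets.token_urlsafe(32)
        expires = None if ttl_days is None else self._clock() + ttl_days * 86400
        self._tokens[self._digest(secret)] = TokenRecord(user_id, expires)
        # Placeholder URL shape: the secret rides in the URL, so the URL is the credential.
        return f"https://finance.example.invalid/mcp/{secret}"

    def revoke_all(self, user_id: str) -> int:
        # The one-click revoke button: kills every live token this user holds.
        hit = [r for r in self._tokens.values() if r.user_id == user_id and not r.revoked]
        for rec in hit:
            rec.revoked = True
        return len(hit)

    def call_tool(self, mcp_url: str, tool: str, args: Optional[dict] = None) -> Any:
        rec = self._tokens.get(self._digest(mcp_url.rsplit("/", 1)[-1]))
        if rec is None:
            outcome = "unknown_token"
        elif rec.revoked:
            outcome = "revoked"           # takes effect on the very next call
        elif rec.expires_at is not None and self._clock() >= rec.expires_at:
            outcome = "expired"
        elif tool not in READ_ONLY_TOOLS:
            outcome = "tool_not_allowed"
        else:
            outcome = "ok"
        # Every attempt, allowed or refused, lands in the log the user audits later.
        self.audit_log.append({"at": self._clock(), "user": rec.user_id if rec else None,
                               "tool": tool, "outcome": outcome})
        if outcome != "ok":
            raise PermissionError(outcome)
        # Scoped: the handler only ever sees the token owner's own slice of data.
        return READ_ONLY_TOOLS[tool](self._data[rec.user_id], args or {})

# Constructed sample data for two users, to show that a token is scoped to its owner.
SAMPLE_DATA = {
    "alice": {"accounts": [{"name": "Checking", "balance": 1200.5}],
              "transactions": [{"merchant": "Coffee Co", "amount": -4.5}]},
    "bob": {"accounts": [{"name": "Savings", "balance": 9000.0}], "transactions": []},
}

def _attempt(fn: Callable[[], Any]) -> str:
    try:
        fn()
        return "ok"
    except PermissionError as e:
        return str(e)

def demo() -> dict[str, Any]:
    clock = [1_700_000_000.0]                      # fake clock so expiry can be simulated
    svc = ConnectorService(SAMPLE_DATA, clock=lambda: clock[0])
    alice_url = svc.issue_token("alice", ttl_days=30)
    bob_url = svc.issue_token("bob", ttl_days=30)
    out: dict[str, Any] = {}
    out["accounts"] = svc.call_tool(alice_url, "get_accounts")
    out["coffee"] = svc.call_tool(alice_url, "search_transactions", {"query": "coffee"})
    out["bob_accounts"] = svc.call_tool(bob_url, "get_accounts")       # never alice's data
    out["transfer"] = _attempt(lambda: svc.call_tool(alice_url, "transfer_funds", {"amount": 100}))
    clock[0] += 31 * 86400                         # the 30-day expiry has passed
    out["after_expiry"] = _attempt(lambda: svc.call_tool(alice_url, "get_accounts"))
    forever_url = svc.issue_token("alice", ttl_days=None)
    out["revoked_count"] = svc.revoke_all("alice")  # the expired token and the new one
    out["after_revoke"] = _attempt(lambda: svc.call_tool(forever_url, "get_accounts"))
    out["audit_outcomes"] = [e["outcome"] for e in svc.audit_log]
    return out
```

`demo()` walks the whole lifecycle against the constructed data: normal reads, a second user who only ever sees his own accounts, a refused write, a token that lapses at its 30-day expiry, and a "never expires" token that dies the moment the revoke button is pressed. Refused calls still land in `audit_log`, which is what makes the Step 4 habit of looking for calls you don't recognise possible.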
Habits worth keeping
- One token per assistant. Use separate connectors for Claude and ChatGPT. Revocation becomes surgical.
- Rotate quarterly. Even when nothing’s wrong. A small habit with disproportionate resilience.
- Don’t share the MCP URL. Not in a screenshot, not in a Slack thread, not pasted into a chat with a different AI. It’s a credential.
- Keep your bank’s own alerts on. Push notifications for any outbound transfer above a threshold you set. Defense in depth, and it costs you nothing.
- Re-read your finance app’s privacy policy once a year. Policies change. Yours doesn’t.
What I don’t do, and probably you shouldn’t either
- Don’t hook an MCP server up to a fully autonomous agent. Long-running, unsupervised agents and read-only finance data are technically fine; in practice the value is low and the surprise factor is high.
- Don’t install random MCP servers from GitHub against your real accounts. Try them in a sandbox first if you’re curious.
- Don’t use any setup that requires giving the AI vendor (Anthropic, OpenAI) your bank credentials directly. That isn’t how MCP works; if you’re being asked, you’re looking at a scam or a deeply confused integration.
See it work on your own accounts.
Slate connects to your bank in about two minutes and ships ready-made connectors for Claude and ChatGPT. Free for the core features — no card to start.