Managing third-party apps and AI assistants
When you connect a third-party app with Synci or link an AI assistant through MCP, you decide what it can access, you can see everything you've connected in one place, and you can cut off access instantly. This article covers the consent screen, per-account access, where connections live, and the notifications you'll get.
Written By Matias
Last updated 2 days ago
The consent screen
Every time you authorize an app or assistant, you approve it on a Synci-hosted consent screen. It shows:
The app or assistant's name and branding.
A verification status. Apps and assistants that Synci has reviewed show as verified. Anything unreviewed carries a clear "unverified" notice so you can decide before approving.
The exact permissions being requested, in plain language. Sensitive permissions are highlighted. If an app asks to see your full account identifiers (IBAN, account and card numbers, account-holder names), that request is clearly flagged so you notice it before approving.
An account picker. You choose which financial accounts to grant. Grant all of them, or pick specific ones. You can also choose to include accounts you add in the future.
Approve or Deny. Permissions are all-or-nothing: you either approve the app with the permissions it asks for, or deny it. You can't approve some permissions and drop others, though you do control which accounts it can see. If a requested permission is more than you're comfortable with, deny the app and let the developer know.
Your password is never shared with the app or assistant.
Per-account access control
An app or assistant only ever sees the accounts you selected at consent. This is enforced everywhere account data is read, including data embedded inside other responses, so a connection can never reach an account you didn't grant.
Where your connections live
Third-party apps you've authorized through Connect with Synci appear on your Connected Apps screen. Each entry shows the granted permissions, which accounts the app can access, and when access expires.
AI assistants connected over MCP appear on the AI Access page under Connected assistants, showing the assistant, its developer, the permission it holds, which accounts it can read, and the connection date.
Keeping AI assistants on their own page avoids listing the same connection in two places.
Revoking access
You can revoke any app or assistant at any time:
For apps: open Connected Apps and revoke the one you want to remove.
For assistants: open AI Access and click Disconnect.
Revoking takes effect immediately. To reconnect later, you'll go through the consent screen again.
What apps and assistants never see
Sensitive identifiers are stripped before data leaves Synci, and the two kinds of connection differ:
AI assistants (MCP): IBANs and account numbers, card numbers, phone numbers, and account-holder names are always hidden. There's no way for an assistant to see them.
Third-party apps: the same identifiers are hidden by default. An app can only see your account numbers if it requests the sensitive identifiers permission and you approve the app. If it doesn't request that permission, it only ever gets the redacted version.
Financial data is read-only for both. There is no write access to your accounts or transactions.
Email notifications
For security, Synci emails you when:
You connect a new app, so an unexpected authorization is always visible.
You disconnect an app.
An app you use is suspended or removed by Synci (an access-ended notice).
If you ever get a connection email you didn't expect, revoke the app or assistant from the relevant screen and reach out to us.