by tjuscsnw 58 days ago
The restraint of shipping this as "an API endpoint you may or may not point an AI client at" is the right call. The alternative — every SaaS hand-rolls a bespoke MCP surface with its own auth model — scales terribly for anyone connecting five or ten tools to one agent.

The three-tier scope split (read / write / send) is also a nice middle ground between god-mode tokens and OAuth granularity nobody actually configures.

Open question this raises: does every vendor need to hand-roll an MCP server, or does the ecosystem settle on REST→MCP auto-wrapping over OpenAPI specs? We've been exploring the latter (open source: github.com/ChronoAIProject/NyxID). Fastmail-specific nuances like JMAP pushing vs polling probably justify hand-rolling for now, but the pattern doesn't generalize.