Drive MCP Server: Secure AI Agent Access to Google Drive, OneDrive, and SharePoint
Connect Claude, ChatGPT, and Cursor to Google Drive, OneDrive, and SharePoint through PortEden's remote MCP server. OAuth, folder-level controls, and a data firewall on every file read and write.
Free tier · No credit card required
What is the Drive MCP server?
The Drive MCP server lets AI agents search, read, and manage cloud files through the Model Context Protocol. Connect a client like Claude, ChatGPT, or Cursor to one remote endpoint at https://mcp.porteden.com/drive and the agent works across Google Drive, OneDrive, and SharePoint at once.
PortEden's server exposes tools for file search, metadata, links, permissions, upload, folder creation, rename, move, delete, and share. What makes it different from a generic Google Drive or OneDrive MCP is the data firewall in front of those tools: PortEden inspects every tool-call request, applies your access policy, and redacts sensitive content in the response before the agent ever sees it.
The result is secure file access for AI agents. You decide whether a client can only read or can also upload, move, and share, scope it to specific folders, redact sensitive content, and review every call in an audit log. OAuth handles authentication, so there is no static key to leak.
Drive MCP tools
Every tool can be allowed or denied per client. Access levels are enforced at the firewall on each call.
These are the 10 tools documented today. PortEden's live Drive server is expanding, and newer tools will appear here as they are documented.
| Tool | Access | What it does |
|---|---|---|
drive_search | read | Search and list files across connected cloud storage. |
drive_get_file | read | Get metadata for a single file. |
drive_get_file_links | read | Get view, download, and export links for a file. |
drive_get_permissions | read | Get who has access to a file and at what role. |
drive_upload | create | Upload a file with base64-encoded content. |
drive_create_folder | create | Create a new folder. |
drive_rename | write | Rename a file or folder. |
drive_move | write | Move a file or folder to a different parent folder. |
drive_share | write | Share a file with a user, group, or domain, or make it public. |
drive_delete | delete | Send a file or folder to trash. |
Connect Drive to Claude, ChatGPT, Cursor, and more
Point any MCP-compatible client at the remote URL and sign in to PortEden once with OAuth.
# Claude Web or Desktop, then Settings, Connectors, Add custom connectorhttps://mcp.porteden.com/drive # Authenticate to PortEden once with OAuth. Claude can now call the# Drive tools under the access policy you set.Available on Claude Pro, Team, and Enterprise. The same flow works for Claude Cowork.
The security-first Drive MCP
PortEden is the data firewall for AI.
Granular access control
Decide exactly what each AI client can do with your files. Keep an agent read-only, scope it to a single folder, or block sharing entirely, so an agent can never move a file out of place or expose it to outsiders.
- Read-only by default: deny drive_upload, drive_rename, drive_move, drive_delete, and drive_share for a research agent.
- Folder-level scope: pin a client to one folder and block the rest of the drive.
- Block sharing: deny drive_share so an agent can never make a file public or add external collaborators.
Data redaction
PortEden runs a redaction pass on every tool response before it leaves the firewall. Sensitive content in file bodies and metadata is replaced with stable placeholders, so the agent can work with a document without the raw content entering the model's context.
- Strip PII, secrets, and access tokens from file contents and metadata before the agent sees them.
- Mask owner and collaborator email addresses in permission listings.
- Round-trip writes are de-redacted server-side, so an edit aimed at a placeholder lands on the right file.
Audit trail
Every Drive tool call is recorded: which client, which user, which tool, the arguments passed, the policy decision, and the redacted response. Export it or stream it to your SIEM for review.
- See exactly which files an agent read, uploaded, moved, or shared, with timestamps.
- Reconstruct any tool call: the request, the rule that fired, and the response returned.
- Stream to Splunk, Datadog, or S3 for retention and review.
RBAC and policy groups
Bind each MCP connection to a user or role with a scoped, revocable token. Group policies by team so a new hire inherits the right folder access on day one, and revocation is instant and server-side.
- Issue per-user tokens scoped to the verbs and folders that role needs.
- Apply one policy group across a team instead of editing rules client by client.
- Revoke a token server-side the moment a contract ends, with no provider account round-trip.
Set up the secure Drive MCP in minutes
Add the connector
In your AI client, add a custom connector or HTTP MCP server pointing at https://mcp.porteden.com/drive.
Authenticate with OAuth
Sign in to PortEden once and connect Google Drive, OneDrive, or SharePoint. The client never holds your provider refresh token.
Set your Drive policy
Choose read-only or read-write, scope to specific folders, block sharing, and turn on redaction for file contents.
Verify in the audit log
Run a prompt, then watch the tool calls land in your PortEden audit log with the rule that fired on each one.
Drive MCP FAQ
What is the Drive MCP server?
How do I connect Claude to Google Drive using MCP?
Can I give an AI agent read-only access to my files?
Can I stop an agent from sharing files externally?
Does redaction work on file contents?
What Drive tools does the MCP server expose?
Which AI clients work with the Drive MCP server?
Does it cost anything to use the Drive MCP server?
Keep Exploring
Connect Drive to AI, without leaking the underlying data.
Five-minute setup over OAuth. The free tier covers 1,000 tool calls per month.