1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens.
2 areas
SafetyCredentials & tokensScope the ClickUp API key to the intended team and review task, status, or project mutations before using it on active workspaces.
PrivacyGeneralTasks, comments, custom fields, assignees, due dates, and workspace metadata may be exposed through tool calls.
Safety notes
Scope the ClickUp API key to the intended team and review task, status, or project mutations before using it on active workspaces.
Privacy notes
Tasks, comments, custom fields, assignees, due dates, and workspace metadata may be exposed through tool calls.
Prerequisites
ClickUp account with workspace access
ClickUp Personal API Token from https://app.clickup.com/settings/apps
ClickUp Team ID (found in ClickUp workspace settings)
Node.js and npm/npx available for running the @hauptsache.net/clickup-mcp package
Internet connection for accessing ClickUp API (https://api.clickup.com endpoints)
Claude Desktop 0.7.0+ or Claude Code with MCP support
Rate limit awareness: 100 requests per minute per API token
Understanding of ClickUp workspace, spaces, lists, and tasks structure
Appropriate workspace permissions for target operations (read, write, delete as needed)
OAuth scopes (if using OAuth instead of Personal API Token) - read, write, delete permissions
ClickUp API tokens and personal access tokens must be securely stored and never exposed in client-side code or public repositories - use environment variables and secure credential management
ClickUp OAuth access tokens should be used for third-party integrations to ensure proper access control, token lifecycle management, and automatic token refresh
ClickUp workspace, space, and project IDs may expose organizational structure and team information - ensure ClickUp resource IDs are kept private and not shared in public configurations
Rate limiting and API quota management are critical for ClickUp MCP servers - implement proper rate limit handling, retry logic, and quota monitoring to prevent service disruption
ClickUp webhook configurations and payloads may contain sensitive project and task data - ensure webhook endpoints are properly secured with authentication and HTTPS encryption
Troubleshooting
Getting HTTP 429 with rate limit exceeded errors
ClickUp limits to 100 requests per minute per token. Check X-RateLimit-Reset header for reset time. Implement exponential backoff and wait specified seconds before retry.
OAuth error: team not authorized for access token
Re-authenticate to authorize workspace access. Verify OAuth scope includes required permissions and check if user revoked authorization. Generate new API token from ClickUp settings if needed.
Authorization token missing in header error
Add Authorization header with your API key to all requests. Format: Authorization: YOUR_API_KEY. Verify token is correctly copied from ClickUp API settings without extra spaces.
Cannot access tasks or spaces - permission denied
Verify your ClickUp account has access to target spaces and lists. Check workspace admin settings and ensure API token has necessary permissions for workspace and spaces.
ClickUp MCP server authentication errors with API tokens
Verify API token is valid and not expired. Check token permissions match required operations. Ensure token format is correct (Bearer token in Authorization header). For OAuth integrations, verify token refresh logic is working correctly.
ClickUp rate limit errors when managing large projects
Implement exponential backoff retry logic with jitter. Use batch operations to reduce API calls. Cache frequently accessed data. Monitor rate limit headers and adjust request frequency accordingly. ClickUp allows 100 requests per minute per API token.
ClickUp workspace or project access denied errors
Verify API token has access to the workspace, space, and projects. Check workspace permissions and project sharing settings. Ensure OAuth scopes include required workspace and project access permissions.
ClickUp MCP server connection timeouts or network errors
Check network connectivity and firewall settings. Verify ClickUp API endpoints are accessible. Increase request timeout values. Implement connection pooling and retry mechanisms with exponential backoff.
Show that Clickup MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/clickup-mcp-server)
How it compares
Clickup MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).
MCP server for Todoist task and project management, with tools for tasks, subtasks, projects, sections, labels, comments, reminders, filters, activity, backups, collaboration, bulk operations, and dry-run testing.
✓Scope the ClickUp API key to the intended team and review task, status, or project mutations before using it on active workspaces.
✓Use a least-privilege Asana token and test task or project writes in a non-critical workspace before connecting production workflows.
✓Todoist MCP Server can create, update, delete, complete, reopen, reorder, archive, and bulk-modify tasks, subtasks, projects, sections, labels, comments, reminders, filters, shared labels, and collaboration state.
Bulk create, bulk update, bulk delete, bulk complete, project deletion, section deletion, label deletion, reminder changes, and duplicate merge operations can alter many Todoist records at once.
Dry-run mode simulates mutation operations but still queries real Todoist data for validation.
Pro and Business features such as reminders, filters, shared labels, collaboration, backups, and workspace operations may expose or modify team data.
Require confirmation before deleting tasks or projects, changing due dates in bulk, completing groups of tasks, modifying shared projects, creating reminders, downloading backups, or changing collaboration state.
✓Scope the Linear token to the intended workspace and review issue or project writes before changing active roadmaps.
Privacy notes
✓Tasks, comments, custom fields, assignees, due dates, and workspace metadata may be exposed through tool calls.
✓Asana task text, project metadata, comments, assignees, due dates, and workspace details may be sent through model context.
✓Todoist API tokens, task IDs, project IDs, section IDs, label IDs, reminder IDs, comment IDs, user IDs, collaborator details, activity logs, completed tasks, backups, and productivity statistics can be exposed to the MCP client.
Task names, descriptions, comments, due dates, deadlines, labels, reminders, attachments, project notes, and completed-task history can contain private work or personal planning data.
Bulk and filter tools may reveal larger slices of a Todoist workspace than a single-task request.
Backup download tools can expose a broad historical snapshot of Todoist data.
Keep Todoist tokens in local MCP configuration only, and avoid sharing MCP logs, dry-run traces, or transcripts that include private task or project data.
✓Issue text, comments, assignees, labels, project context, customer references, and workspace metadata may be sent through tool calls.
Prerequisites
ClickUp account with workspace access
ClickUp Personal API Token from https://app.clickup.com/settings/apps
ClickUp Team ID (found in ClickUp workspace settings)
Node.js and npm/npx available for running the @hauptsache.net/clickup-mcp package
OAuth 2.0 authentication (required for MCP server via SSE transport)
Asana account with access to at least one workspace
Workspace membership with Member role or higher (Guest role insufficient for task creation)
Internet connection for accessing Asana API (https://app.asana.com)
Todoist API token from Todoist integrations developer settings.
Node.js 18 or newer for the npm stdio server.
Review of whether the token has access to personal, shared, Pro, Business, or workspace features.
Optional `DRYRUN=true` for simulating mutation tools while still validating against real Todoist data.
Linear workspace account (Member or Admin role required, not Guest)
OAuth credentials or Personal API Key (generate from Linear Security & access settings)
SSE transport support (remote MCP server at https://mcp.linear.app/sse)
Internet connection (remote Linear API access required)
Install
claude mcp add clickup --env CLICKUP_API_KEY=YOUR_KEY --env CLICKUP_TEAM_ID=YOUR_TEAM_ID -- npx -y @hauptsache.net/clickup-mcp && claude mcp list