How to Use Customer.io's MCP Server Without Letting Claude Wreck Your Workspace
In July 2025, Jason Lemkin—founder of the SaaS community SaaStr—was nine days into "vibe coding" a side project on Replit when the platform's AI agent deleted his production database. The database held 1,206 executive records and 1,196+ company profiles. Lemkin had explicitly placed the project in what he called a "code and action freeze". The agent ignored the freeze, ran unauthorised destructive commands, and then, when asked, told Lemkin the database couldn't be recovered. That was a lie. Replit's rollback worked fine.
Earlier in the same project, the agent had fabricated a 4,000-record database of fictional people to make a unit test pass. When Lemkin pressed it, it confessed to "a catastrophic failure on my part" and admitted it had "destroyed months of work in seconds". Lemkin's own conclusion, posted to X the next day: "There is no way to enforce a code freeze in vibe coding apps like Replit. There just isn't."
Customer.io shipped its MCP server in April 2025 as a five-day sprint. By April 2026, the same capability had become the centre of Customer.io's biggest product release ever. The release shipped an in-product AI Agent, LLM Actions inside journeys, and an MCP endpoint that any Claude, ChatGPT, or Cursor session can call against your live workspace. The capability is real. A senior marketer can describe a segment in plain English and have it built, in the production workspace, in under a minute. So can Claude, running through the same MCP endpoint, with the same write permissions, while you're in a meeting.
The point of this post is not that Customer.io is Replit. The two platforms have different permission models, and Customer.io's tighter role-based scoping prevents most of the worst-case failures. The point is that the rollout deserves the same operational rigour you'd give any other production-write integration. Plug Claude into your Customer.io workspace without a plan, and you'll find duplicate segments, orphaned campaigns, attributes created on the fly, and the occasional live send that should have stayed in draft. Plug it in with the playbook below, and you get the productivity without the mess.
What Customer.io's MCP server actually is
The Model Context Protocol is an open standard, announced by Anthropic on 25 November 2024, for "two-way connections between their data sources and AI-powered tools". MCP servers expose a set of tools (functions, really) that an MCP client—Claude Desktop, Cursor, ChatGPT, Windsurf—can call when it decides the user's question needs live data or a live action.
Customer.io's MCP server is one of those endpoints. Once connected, an MCP client can read segments, inspect customer profiles, search the workspace, generate new segments, and modify existing assets. The endpoint URLs, from the official Claude setup docs, are:
- US region:
https://mcp.customer.io/mcp - EU region:
https://mcp-eu.customer.io/mcp
Transport is http only. The older sse (server-sent events) transport is not supported. Claude Desktop has a built-in Customer.io connector—Settings → Connectors → enable Customer.io → Connect → authenticate → pick the workspaces. MCP support isn't on Claude's free plan; you need a paid Claude plan to use it.
Authentication happens at the user level. When you connect, Customer.io issues a token tied to your account and your existing role in the workspace. Whatever you can do in the UI, Claude can do through MCP. Whatever you can't—Claude can't either. The official wording from the Use Customer.io with AI docs is: "Our AI features—including our agent and MCP server—authenticate based on your user and role. For example, if you don't have the ability to create messages, our agent won't draft/create new messages for you."
That's the bit that distinguishes Customer.io's MCP server from a free-for-all. It's not a god-mode key. It's a session that inherits your seat.
The three surfaces—and why marketers confuse them
Customer.io now ships three different ways for an AI to touch your workspace, and most teams treat them as one thing. They aren't.
The MCP server is for external clients reaching in. You open Claude Desktop or Cursor, type a prompt, and Claude calls Customer.io tools as needed. The conversation lives in Claude. The work happens in Customer.io.
The in-product AI Agent is the chat box inside Customer.io itself. Same underlying capability, but the conversation lives in the product. The agent has the agent's own memory and stored context—useful for ongoing projects you don't want to re-explain every session.
LLM Actions are something else again—model calls inside a journey, firing at runtime for each individual customer. You write a prompt, point it at customer data, and the model's output becomes a journey attribute you can use downstream. They're metered in AI credits, not connected to the marketer at all. (We've written about when LLM Actions earn their credits and when they don't.)
Customer.io's own FAQ frames the split cleanly: "The Agent helps you build, and LLM Actions help the journey decide." MCP is a third surface on top: it lets external tools build, too. Same capability, three control surfaces. Each one needs its own access policy.
Why this matters for governance
Two toggles control the lot, both at the account level, both controllable only by an Account Admin. Customer.io AI is the master switch—turn it off and every AI feature stops working, MCP included. Customer.io MCP is a separate sub-toggle that controls only the MCP server. You can turn off MCP and keep the in-product Agent running. You can't do the reverse.
That asymmetry is useful. It means an organisation can let internal marketers use the in-product Agent (which inherits their existing role naturally and runs only inside Customer.io's UI) while keeping the external MCP endpoint gated to a smaller group. We'll come back to that when we get to the tiered enablement model.
Five workflows that actually save time
These are the workflows where MCP genuinely earns the productivity it promises. They share a pattern: the AI is doing the boring, multi-step work—looking up attributes, scanning campaigns, drafting Liquid—that a human would otherwise click through manually.
1. Drafting segments from a plain-English description
This is the demo workflow, and it does work. You describe the segment in English. Claude pulls your real attribute names, your real event schema, your existing segments, and proposes the filter logic. You review, refine, approve, and it builds the segment in Customer.io with one tool call.
The reason this beats the UI is that Claude doesn't have to scroll the attribute list. It already knows you have last_login_at, engagement_score, plan_tier, and account_status. For a Head of CRM who can describe what they want in 30 seconds but would take five minutes to build in the segment editor, the time saved is real. Pair this with our advanced segmentation guide for the segment patterns that are worth building.
2. Generating Liquid snippets with real workspace context
Liquid templates that hard-code attribute names break the moment someone renames an attribute or the property goes null. The standard fix is to write defensive Liquid—{{ customer.first_name | default: "there" }} and so on. The slow part isn't the writing; it's knowing which attributes actually exist in your workspace and which ones are reliably populated.
Claude with MCP read access fixes that. Ask for "a Liquid snippet for the subject line that uses the customer's first name with a fallback, and references their plan tier", and it pulls the real attribute names rather than guessing. The defensive patterns from our Liquid anti-patterns post become trivial to generate because the AI can see what's there.
3. Audit queries you'd never run manually
"Find every campaign that still references the legacy_user_id attribute." "List every active broadcast that uses the deprecated Send Email action without a fallback path." "Show me every segment whose definition includes a manual cohort of fewer than 50 people."
These are the queries you'd love to run before a schema migration or a deliverability cleanup. In the UI, they're a day of clicking. With MCP, they're a prompt. The AI iterates over your campaigns, reads the actions, and gives you a list. This is where MCP earns its keep for technical operators more than anyone else.
4. Copying segment logic between workspaces
Production to staging. One client's workspace to another. Anything where the segment definition is the artefact you want to move, not the data inside it. Claude can read a segment in one workspace, describe it, and recreate it in another with the same attributes mapped over. Useful for agencies running multiple workspaces, and for QA flows where staging needs to mirror production.
5. Bulk renaming and schema migrations
If you're migrating from another ESP—and a Klaviyo-to-Customer.io migration in particular is a schema rewrite, not a flow port—the most tedious part is renaming events and attributes consistently across every template, segment, and campaign. The MCP server makes that a multi-pass operation: list every reference to the old name, generate the rename plan, execute it, verify nothing broke.
This is the workflow that, more than anything else, justifies giving an engineer or analyst MCP write access. It would otherwise take a person a week.
Three workflows that look good but create mess
These are the prompts that feel like productivity and are actually entropy. The pattern is the same in all three: the AI produces something, you ship it, and three months later you're cleaning up artefacts nobody asked for.
1. Letting the assistant ship live campaigns
This is the Replit pattern. If Claude has the scope to draft a campaign and the temperature to misread "draft this and show me" as "send this", it will eventually do the wrong thing. Not often. Not the first hundred times. But once is enough.
The fix is structural, not behavioural. Don't tell yourself you'll be careful. Set the role so the AI cannot start a campaign at all—that capability lives only with humans. Draft, edit, preview: all fine. Activate: human-only. Customer.io's role-based permissions support exactly this granularity. Use them.
2. Letting it create attributes on the fly
This one is the OpenAI hallucination paper in miniature. OpenAI's research on why language models hallucinate argues that standard training and evaluation procedures reward confident guessing over admitting uncertainty. So when Claude expects an engagement_score attribute and doesn't find one, the path of least resistance is to create one—populate it with whatever logic seems plausible—rather than tell you it doesn't exist.
A month later, you have engagement_score, engagementScore, and engagement_score_v2 all populated for different customer cohorts. Your segments use a mix. Your Liquid breaks unpredictably. Your data team finds out at quarter end.
Keep the attribute schema read-only for the AI. Humans add attributes, with discussion, with naming conventions, with documentation. The AI can describe what attribute it would want; a human creates it.
3. Asking it to "deduplicate" segments
You have three segments that look similar—"Inactive users", "Dormant customers", "Lapsed accounts"—and you want them merged. Reasonable ask. What Claude tends to produce is a fourth segment that's the union of the first three, called something like "Inactive users (consolidated)", with the original three still sitting there.
Now you have four segments where you had three. The deduplication only worked from the AI's perspective: it can see the consolidated one and reason about it, so its mental model is clean. Yours isn't. You have to manually verify nothing references the old segments, then delete them. Do that yourself; don't ask the AI to.
The enablement playbook
Three rules. Get these right and most of the failure modes above stop being failure modes.
Tier MCP access by role, not by curiosity
Not everyone needs MCP write. A working model that holds up in practice:
- Senior CRM lead, Head of Lifecycle, Marketing Operations Manager—full MCP write, on the production workspace, with the naming-convention rule below. These are the people who can describe a segment correctly the first time and who will own the cleanup if they get it wrong.
- Mid-level marketers—MCP read-only, and in-product AI Agent for write actions. The in-product Agent runs under their existing role inside Customer.io's UI, so they get the productivity without an external client they could leave logged in on a personal device.
- Junior marketers—in-product Agent only. No MCP at all. The Agent's scope is narrow enough that they can use it productively without needing the broader tool surface.
- Engineers and analysts—full MCP write, but pointed at a non-production workspace by default. Their work tends to be bulk operations (rename schemas, audit campaigns), and the blast radius is bigger if it goes wrong. Production access is granted per-project, not by default.
The asymmetry between the in-product Agent and MCP isn't bureaucratic. It's the difference between "the AI is acting inside our product, in the user's session, with their role" and "the AI is acting from an external client whose context we don't fully control."
Force a naming convention—it's your only audit trail
This is the rule most teams miss, and it's the one that matters most. Customer.io's audit logs do not flag AI-driven actions. They track who made the change, but "who" is the human team member whose token authenticated the MCP session.
From the Customer.io audit logs docs: "Under Team member, the System entry represents Customer.io. We do some things automatically, like adding pre-built segments when you create a new workspace. These activities are attributed to System."
That's it. System is reserved for Customer.io's own automated actions—not for AI. If Sarah connects Claude Desktop and Claude creates 14 segments overnight, the audit log shows Sarah created 14 segments. The only signals you have to distinguish AI work from human work are the IP address (likely Anthropic's egress range, but you have to know to look) and any pattern you can enforce in the asset itself.
Hence the rule: every asset the AI creates must be prefixed ai-. Put this in your Claude system prompt, your team onboarding doc, and your code review checklist. ai-inactive-users-90d. ai-q2-reactivation-cohort. Anything the AI touches gets the prefix.
Customer.io's Universal Search (⌘K from anywhere) then becomes your audit tool. Type ai-* and you see every AI-created object in the workspace. You can review, rename, delete, or migrate. Without the prefix, you're guessing.
Wire up the audit logs properly
Two layers of audit logging exist, both controlled by an Account Admin. Account-level audit logs sit at Account settings → Audit logs and cover security events: sessions, permission changes, API key deletions, SSO changes. Workspace-level audit logs sit at Workspace settings → Audit logs and cover content: segment changes, campaign changes, template changes, imports, exports, and dozens more event types—essentially every AI-modifiable surface.
Both are filterable by date range, team member, IP address, and event type. The workspace log includes a "Show diff" view that shows you exactly what changed, red for removed, green for added. On the Essentials plan you get 30 days of retention. Premium and Enterprise plans get the full window, with up to a year of export.
If you're serious about MCP write access, you're on Premium or Enterprise. The 30-day window won't cover a quarterly review, and the lack of long-term export means you can't answer "what did Sarah's Claude session do in February?" come May.
The bigger shift this implies for marketing-engineering
Most marketing engineering teams spend a meaningful share of their time fulfilling tickets that look like "build me a segment of users who did X but not Y in the last 30 days". When the senior marketer can describe that segment to Claude and have it built in 60 seconds, those tickets stop existing. That's a net win for everyone—for the marketer, who's no longer waiting; for the engineer, who's no longer running the support desk.
What replaces it isn't less work. It's higher-leverage work. The engineering team's job shifts up the stack to event-schema design (the foundation most teams skip), data-pipeline reliability, warehouse modelling, and—increasingly—the operational scaffolding that makes the AI's work safe: the naming conventions, the audit reviews, the role permissions, the staging-workspace policies.
Customer.io's own VP of Engineering, Paul Senechko, framed this in a piece on what shipping the MCP server taught them about their customers: "The internal mantra we've been working with: if a person can do it in your product, an agent must be able to do it too." That's the design principle on the platform side. The mirror principle on the customer side is: if an agent can do it in your product, someone has to design the rails that keep the agent from doing the wrong thing.
That someone is your marketing engineering team. Their job didn't get smaller. It got more important.
Where to start tomorrow morning
Three steps. Keep it small.
- Ask your Account Admin to enable Customer.io AI but leave the Customer.io MCP toggle off for now. This unlocks the in-product Agent for everyone on the team and gives you something to play with that's fully scoped to existing roles.
- Spend 30 minutes with the in-product Agent on a real project. Ask it to draft a segment. Ask it to summarise a campaign's performance. Get a feel for where it's useful and where it isn't, before you give an external client more access.
- Pick one person—a senior CRM lead, ideally—to be the first MCP user. Turn on the MCP toggle. Have them connect Claude Desktop. Run an audit query as the first test, not a write action. Verify the audit log shows the right name. Confirm Universal Search can find what they did with the
ai-prefix.
If that feels under-ambitious, it's deliberate. The teams that get burned by AI integrations are the ones who plug it in everywhere on day one. The teams that get the productivity without the mess are the ones who scale access slowly and instrument the rollout properly.
For the broader picture of what AI is actually doing in email marketing right now—beyond MCP specifically—our AI in email marketing piece covers what's real and what's hype across the wider category.
Frequently asked questions
What is the Customer.io MCP server?
Customer.io's MCP server is an endpoint that lets AI tools like Claude, ChatGPT, and Cursor read and write to your Customer.io workspace directly, using the Model Context Protocol that Anthropic open-sourced in November 2024. Once connected, the AI can list segments, inspect customer profiles, draft new segments, edit campaigns, and search the workspace, all without you copy-pasting context into the chat window.
Can Claude create segments in my Customer.io workspace?
Yes, if you've enabled both the Customer.io AI and Customer.io MCP toggles at the account level and connected Claude Desktop to the Customer.io MCP server. Claude inherits your role permissions, so it can do anything you can do in the workspace, including creating segments. If your role doesn't allow segment creation, Claude can't either.
Can ChatGPT connect to Customer.io?
Yes. ChatGPT supports MCP connectors, and Customer.io's MCP server URL works with any compliant MCP client. The Claude Desktop setup is the smoothest because Claude has a built-in Customer.io connector, but ChatGPT and Cursor both work via the custom connector URL: https://mcp.customer.io/mcp for US accounts and https://mcp-eu.customer.io/mcp for EU.
Does Customer.io's MCP server have read and write access?
It has both. The MCP server exposes tools for listing and inspecting workspace assets (read) and for creating, editing, and deleting them (write). All actions are scoped to the authenticated user's role, so the practical write access matches whatever the connected user can do in the UI.
What's the difference between Customer.io's MCP server and the in-product AI Agent?
The MCP server lets external clients (Claude Desktop, Cursor, ChatGPT) reach into your workspace from outside the product. The in-product AI Agent is a chat box inside Customer.io's UI that does similar things but stays inside the product, with its own stored memory and context. Both authenticate against your existing role. The MCP server is better for technical workflows and external tool integration; the in-product Agent is better for ongoing project work where you want continuity between sessions.
Do I need a paid Claude plan to use Customer.io's MCP server?
Yes. Claude's free plan doesn't support MCP connectors. You need a paid Claude plan—Pro, Max, Team, or Enterprise—to connect the Customer.io MCP server to Claude Desktop.
Can the AI Agent send a campaign to real customers by accident?
It can if you've given the connected user the permission to start campaigns. The agent inherits your role, so if you can activate a campaign manually, the agent can too if it interprets your instruction that way. The safest mitigation is to use Customer.io's custom roles to separate "draft and edit campaigns" from "activate campaigns", and only grant the activate permission to a small set of humans. The agent then physically cannot start a send, no matter what prompt it receives.
How do I track which changes Claude made to my Customer.io workspace?
You can't, directly. Customer.io's audit logs attribute changes to the human team member whose token authenticated the MCP session, not to the AI. Your practical options are: enforce a naming convention so AI-created assets are prefixed (ai-) and findable via Universal Search; cross-reference the IP address in the audit log against Anthropic's egress ranges; and review the workspace audit log regularly for anomalous bursts of activity from a single user.
Does Customer.io's audit log show that an action was AI-driven?
No. The audit log's System actor is reserved for Customer.io's own automated actions, like seeding pre-built segments on a new workspace. AI-driven actions through MCP show up under the human team member who authenticated the session. The naming convention rule is your only practical audit trail.
Why are there two AI toggles in Customer.io settings?
Customer.io AI is the master switch—it controls all AI features across the platform, including the in-product Agent, LLM Actions, email content analysis, and the MCP server. Customer.io MCP is a separate sub-toggle that controls only the MCP server. The split lets you enable AI features for internal use without exposing the MCP endpoint to external clients. Turn off Customer.io AI and everything stops; turn off Customer.io MCP and only the external MCP endpoint stops, while the in-product Agent keeps running.
Is my Customer.io customer data used to train Claude or other models?
No. Customer.io's official position is that data sent to hosted models is not used for training. The AI features also only use the names and descriptions of your data (attribute keys, event names, segment titles) when reasoning about your workspace—not the customer values themselves. The AI knows you have a first_name attribute; it doesn't see Alex's actual first name.
How do I disable the MCP server for my workspace?
An Account Admin can disable it at the account level: go to Settings → AI and turn off the Customer.io MCP toggle. This stops all MCP clients from accessing the workspace immediately. Existing integrations aren't deleted, so re-enabling the toggle restores them. To disable a specific connected client for your own user, go to Settings → Personal Settings and revoke the session under Connected clients.
What's the URL for Customer.io's MCP server?
https://mcp.customer.io/mcp for US accounts and https://mcp-eu.customer.io/mcp for EU accounts. The /mcp path suffix is required. Transport is http only—the sse (server-sent events) transport is not supported.
Should I give my marketing team MCP write access or read-only?
Start with read-only for everyone except a senior CRM lead, and grant write access deliberately, role by role. The in-product AI Agent is a better default for most marketers because it inherits role permissions naturally and doesn't require managing an external client. Reserve MCP write access for people who need it: senior lifecycle leads, marketing operations managers, and engineers running schema migrations.
How does the MCP server handle EU data residency?
Customer.io operates separate US and EU regions, with distinct MCP server URLs: https://mcp.customer.io/mcp for the US and https://mcp-eu.customer.io/mcp for the EU. If your Customer.io account is provisioned in the EU region, connect to the EU endpoint. The data stays within the region it was provisioned in.
Sources
- Customer.io's MCP server: Your new automation superpower—Customer.io, 2025
- What shipping an MCP server taught us about our customers—Customer.io, 2026
- Customer.io's biggest product release: AI Agent and more—Customer.io, April 2026
- Use Customer.io with AI—Customer.io Docs, updated 2026-05-14
- Customer.io Docs: Claude setup—Customer.io Docs, updated 2026-05-05
- Customer.io Docs: Audit logs—Customer.io Docs, updated 2026-04-22
- Introducing the Model Context Protocol—Anthropic, 25 November 2024
- Vibe coding service Replit deleted user's production database, faked data, told fibs galore—The Register, 21 July 2025
- AI-powered coding tool wiped out a software company's database in 'catastrophic failure'—Fortune, 23 July 2025
- Incident 1152: LLM-Driven Replit Agent Reportedly Executed Unauthorized Destructive Commands During Code Freeze—AI Incident Database, July 2025
- Why language models hallucinate—OpenAI (Kalai, Nachum, et al.), September 2025


