Critical-risk tools in Payware MCP Server
9 of the 57 tools in Payware MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
payware_deep_links_delete_product_linkDestructiveDelete an active deep link for a product on behalf of a merchant. Once deleted, the deep link URL will no longer redirect to the payware mobile app. **ISV Authentication:** ...
-
payware_deep_links_delete_transaction_linkDestructiveDelete an active deep link for a transaction on behalf of a merchant. Once deleted, the deep link URL will no longer redirect to the payware mobile app. **ISV Authentication:...
-
payware_operations_cancel_transactionDestructiveCancel an active transaction as an ISV on behalf of a merchant. Requires ISV authentication with merchant partner ID and OAuth2 token. Only ACTIVE transactions can be cancelled.
-
payware_poi_cancel_priceDestructiveCancel a pending price on a POI, resetting it to IDLE state. **ISV Authentication:** Uses ISV JWT with merchant partner ID and OAuth2 token. **Endpoint:** DELETE /poi/{poiId...
-
payware_products_delete_audioDestructiveDelete an audio file from a merchant
-
payware_products_delete_productDestructiveDelete a product from a merchant account (ISV operation). This action cannot be undone.
-
payware_products_delete_scheduleDestructiveDelete a price schedule (ISV operation). This action cannot be undone.
-
payware_operations_create_transactionFinancialCreate a new transaction through payware as an ISV on behalf of a merchant. ISV partners can create transactions for merchants they have authorization for via OAuth2. Requir...
-
payware_operations_process_transactionFinancialProcess (finalize) a transaction as an ISV on behalf of a merchant. Allows confirming or declining a transaction. Only ACTIVE transactions can be processed. Requires ISV authen...
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.