Introduction
Kafinea’s MCP (Model Context Protocol) server allows external AI clients (Claude Desktop, Cursor, Windsurf, VS Code, JetBrains, etc.) to connect to the ERP instance and query data via a standardized protocol.
This page describes the technical architecture, security, and configuration of the MCP server for administrators.
1. Architecture
The Kafinea MCP server consists of several components:
| Component | Role |
|---|---|
| HTTP entry point | Receiving MCP requests (Streamable HTTP protocol) |
| Tools | Features available to AI clients (search, read, browse) |
| Resources | Context data accessible to the AI client |
| Authentication | User authentication with every request |
| Security | Enforcement of access rights and security controls |
| Configuration | Server activation and restriction settings |
2. Authentication
Authentication is performed via the HTTP header X-Kafinea-Credentials in the following format:
X-Kafinea-Credentials: username:accesskey
- The username is the user's Kafinea username
- The access key is the user's access key (visible in My Preferences)
The server validates the credentials and sets the user context for the request.
3. Security
Access rights
Each MCP request is executed in the context of the authenticated user. Access rights to modules, records, and fields are enforced.
Additional security checks
In addition to user access rights, the MCP server enforces additional controls:
- Validation of input parameters
- Filtering sensitive modules and fields
- Protection against injection attacks
Recommendations
- Deploy the MCP server only over HTTPS connections
- Never publish credentials in a public repository
- Monitor access logs to detect unusual activity
- Use dedicated access keys for MCP integrations whenever possible
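One way to act on the HTTPS and "never publish credentials" recommendations is a pre-commit check over MCP client configs and scripts. The scanner below is an added example, not Kafinea code: only the header name, the `username:accesskey` format and the `mcp/index.php` path come from this page, while the file contents, host name and placeholder syntaxes are assumptions.

```python
import re

# Header name and "username:accesskey" format are from the page; the file
# contents, host name and placeholder syntaxes below are assumptions.
HEADER_RE = re.compile(
    r"X-Kafinea-Credentials[\"']?\s*[:=]\s*[\"']?\s*([^\s\"',}]+)", re.I)
PLAIN_HTTP_RE = re.compile(r"http://[^\s\"']*mcp/index\.php", re.I)
PLACEHOLDER_RE = re.compile(r"\$\{?\w+\}?|<[^>]+>|%\w+%")
DOC_EXAMPLE = "username:accesskey"  # the literal format string shown in docs


def is_literal_credential(value):
    """True when value looks like a real username:accesskey pair."""
    if value == DOC_EXAMPLE or PLACEHOLDER_RE.search(value):
        return False  # documentation text or a value injected at runtime
    user, sep, key = value.partition(":")
    return bool(sep and user and key)


def scan_text(name, text):
    """Return (file, line_no, finding) tuples; the secret is never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.search(line)
        if m and is_literal_credential(m.group(1)):
            findings.append((name, no, "hard-coded X-Kafinea-Credentials"))
        if PLAIN_HTTP_RE.search(line):
            findings.append((name, no, "MCP endpoint over plain HTTP"))
    return findings


# Constructed sample files (not real credentials or hosts).
SAMPLE_FILES = {
    "mcp-client.json": '{\n  "url": "https://erp.example.test/mcp/index.php",\n'
                       '  "headers": {"X-Kafinea-Credentials": "jdoe:AbC123xyz"}\n}',
    "mcp-client.safe.json": '{\n  "url": "https://erp.example.test/mcp/index.php",\n'
                            '  "headers": {"X-Kafinea-Credentials": "${KAFINEA_MCP_CREDS}"}\n}',
    "smoke-test.sh": 'curl -H "X-Kafinea-Credentials: $KAFINEA_MCP_CREDS" '
                     'http://erp.example.test/mcp/index.php',
}

if __name__ == "__main__":
    for fname, body in SAMPLE_FILES.items():
        for finding in scan_text(fname, body):
            print("%s:%d: %s" % finding)
```

A finding reports only the file and line, so the scanner's own output can be logged without leaking the access key.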
4. Featured Tools
The tools provided by the MCP server allow AI clients to:
- Search for records in Kafinea modules
- View the details of a specific entry
- Navigate the relationships between records
- List the available modules and fields
Each tool respects the access rights of the logged-in user.
5. Featured Resources
The resources provide contextual data that the AI client can access:
- Information about the Kafinea instance
- Structure of available modules
- Field metadata
6. Configuration
The MCP server configuration is managed by the server administrator. Settings include:
- Enable/Disable the server
- List of exposed modules
- Request limits
Note: Contact your server administrator if you want to change the list of exposed modules or the request limits.
7. Activation
The MCP server is enabled via Kafinea's feature flags. To enable it:
- Make sure the MCP feature flag is enabled in the configuration
- Make sure the endpoint mcp/index.php is accessible from outside (or from the user network)
- Let users know that they can restore their settings from My Preferences > MCP Settings
8. Diagnosis
If you have trouble connecting:
- Verify that the MCP endpoint is accessible from the user's workstation
- Verify the user credentials (valid username and access key)
- Make sure the MCP feature flag is enabled
- Use the AI Agent Explorer to identify any errors
FAQ
Is the MCP server compatible with all AI clients?
The server implements the standard MCP protocol (Streamable HTTP). Any MCP-compatible client can connect to it.
Can I limit the modules accessible via the MCP?
Yes, through user profile access rights in Kafinea. The server administrator can also restrict the list of exposed modules in the server configuration.
Are MCP requests logged?
Yes, MCP activity can be viewed in the AI Agent Explorer in Kafinea.