MCP4Acumatica
БесплатноНе проверенEnables Claude to securely interact with Acumatica ERP 2025 R2 via per-user OAuth, role-based access, and sensitive field redaction, providing 48 tools for data
Описание
Enables Claude to securely interact with Acumatica ERP 2025 R2 via per-user OAuth, role-based access, and sensitive field redaction, providing 48 tools for data lookup, utility, and schema discovery.
README
Disclaimer: This project is an independent, community-built integration and is not affiliated with, endorsed by, or supported by Acumatica, Inc. "Acumatica" is a registered trademark of Acumatica, Inc. Use of the Acumatica name and API is for interoperability purposes only.
A remote Model Context Protocol (MCP) server that connects Claude to Acumatica ERP 2025 R2. Runs on Cloudflare Workers with per-user OAuth authentication against your Acumatica instance.
Each user authenticates with their own Acumatica credentials. Their Acumatica role controls which records they can access. The MCP server additionally requires a specific Acumatica role for access, shows a consent interstitial, and automatically redacts sensitive fields before data reaches the AI model.
Features
- 48 tools -- 38 read-only lookups + 6 utility/discovery + 4 schema-knowledge tools (see Available Tools)
- Per-user OAuth -- users log in with their Acumatica credentials (or SSO)
- Role-based access -- Acumatica's security model governs what each user sees
- Role gate -- only users with a designated Acumatica role (e.g.,
MCP Access) can connect - Consent interstitial -- users must acknowledge AI data processing before accessing tools
- Sensitive field redaction -- SSN, bank accounts, salary, and other PII fields are automatically redacted before data leaves the server
- Rate limiting -- 3 concurrent requests, 40 requests/minute per user
- Pagination refusal -- list/query tools return a structured
{ truncated, paginationSupported: false, actionRequired }envelope when results hit the record cap, instructing the AI to ask the user for a narrower filter rather than calling the tool again - Structured audit logging -- all tool invocations, auth events, and field redactions are logged
- Admin console -- web-based admin interface at
/docs/adminfor viewing logs and managing runtime settings without redeploying - Long-term log retention -- R2-backed log storage via Cloudflare Logpush with searchable log viewer
Architecture
Claude (claude.ai / Desktop / API)
|
v MCP over streamable-http
+----------------------------------+
| Cloudflare Worker |
| OAuth 2.1 Provider |
| /authorize -> Acumatica login |
| /callback <- Acumatica |
| (role gate + OIDC userinfo) |
| /consent -> AI data consent |
| /token, /register (DCR) |
| /mcp -> McpAgent DO (48 tools)|
+---------------+------------------+
| Bearer token (per-user)
v
Acumatica 25R2 SaaS
Contract-Based REST API
Default/25.200.001
Prerequisites
- Node.js >= 18
- A Cloudflare account (Workers paid plan for Durable Objects)
- An Acumatica 2025 R2 instance with:
- A Connected Application configured in SM303010 with the Authorization Code OAuth 2.0 flow (scopes are sent by the server in the request, not configured on the app)
- A redirect URI pointing to your worker's
/callbackendpoint - An
MCP Accessrole (SM201005) -- a marker role with no permissions required - An
MCPAccessGeneric Inquiry (SM208000) -- a trivial GI assigned only to theMCP Accessrole, with Expose via OData enabled (see Architecture docs for details)
Setup
There are three install paths. All three rely on the same Acumatica-side prerequisites — finish those first (see "Acumatica-side configuration" below) regardless of which path you pick.
| Path | Best for | Terminal needed? |
|---|---|---|
| A. Deploy to Cloudflare button | Adopters who want a fully GUI install | No |
| B. One-line installer | Developers who already have git / node / npm |
Yes (one command) |
| C. Manual setup | Anyone who wants to inspect each step | Yes |
Path A — Deploy to Cloudflare button (no terminal)
The button forks this repo to your GitHub account, reads wrangler.jsonc, auto-creates the KV namespace and R2 bucket, prompts for secrets, and deploys. Step-by-step:
Click the button. Cloudflare will ask you to sign in (or create an account) and authorize a GitHub fork.
Confirm bindings. You'll be prompted to create KV namespaces twice — once for the
TOKEN_STOREbinding (app data: tokens, OAuth state, cache, config, admin sessions) and once forOAUTH_KV(used internally by the OAuth library). This is expected: they're two separate bindings and never share keys.⚠️ Give the two namespaces different names (e.g.
mcp4acumatica-appforTOKEN_STOREandmcp4acumatica-oauthforOAUTH_KV). Cloudflare auto-provisioning derives the default title from the Worker name, so both fields default tomcp4acumatica— and creating two namespaces with the same title fails with "Cannot provision a KV Namespace with the title … because it already exists." If you already hit that error, a half-finished namespace was left behind: go to Storage & Databases → KV and delete the orphanedmcp4acumaticanamespace, then retry with two distinct names. (Cloudflare's GUI auto-provisioning can't point both bindings at one namespace, and config can't pre-set distinct titles — so two separate namespaces with distinct names is the way. If the GUI keeps failing, use a terminal install path below:setup.shcreates one namespace and binds both to it.)The R2 buckets (
mcp4acumatica-logs,mcp4acumatica-index) are created the same way, but their names are fixed inwrangler.jsoncso they don't collide.Set secrets. When prompted, paste:
ACUMATICA_CLIENT_ID— from your Connected Application (SM303010)ACUMATICA_CLIENT_SECRET— from the same screenCOOKIE_ENCRYPTION_KEY— open your browser console on any page and run:
Copy the resulting 64-character hex string.[...crypto.getRandomValues(new Uint8Array(32))].map(b => b.toString(16).padStart(2,'0')).join('')ADMIN_SECRET— any password you'll remember (protects the/docs/adminconsole). Generate one with[...crypto.getRandomValues(new Uint8Array(24))].map(b => b.toString(16).padStart(2,'0')).join('')if you don't have a preference.
Deploy. Cloudflare connects the fork to Workers Builds and pushes the first deployment.
Update the Acumatica vars. After the deploy completes, open
Workers & Pages → mcp4acumatica → Settings → Variables and Secretsin the Cloudflare dashboard and edit:ACUMATICA_URL(e.g.https://yourcompany.acumatica.com)ACUMATICA_TENANT(your login company)- Optionally
ACUMATICA_MAX_RECORDS,ACUMATICA_MCP_ROLE,REDACT_PATTERNS,REDACT_SKIPClick Save and Deploy — Cloudflare redeploys with the new values.
Add a redirect URI to your Connected Application. Your worker is now reachable at
https://mcp4acumatica.<your-account>.workers.dev. Addhttps://<that-host>/callbackto the redirect URIs in Acumatica's SM303010 screen. (To use a custom domain instead, see "Custom domain" below.)Test the deploy. Visit
https://<your-host>/docs/admin/preflight, log in with yourADMIN_SECRET, and run the preflight diagnostic. It probes Acumatica connectivity, the OIDC discovery endpoint, the Connected App credentials, the tenant path, and the contract API version — any misconfiguration is called out by name.
After this point Claude can connect (see "Connecting Claude" below).
Path B — One-line installer (terminal)
If you already have git, node, and npm, run:
curl -fsSL https://mcp4acumatica.hallboys.com/install.sh | bash
This clones the repo, installs dependencies, and runs ./setup.sh. The setup script prompts for the Acumatica values you must supply (URL, tenant, Connected App client ID and secret), auto-generates the crypto secrets, creates the KV namespace and R2 bucket, uploads secrets, deploys, and then runs the preflight check.
If you prefer to inspect the script first:
curl -fsSL https://mcp4acumatica.hallboys.com/install.sh -o install.sh
less install.sh # read it
bash install.sh # then run
Path C — Manual setup (terminal)
1. Clone and install
git clone https://github.com/hallboys/MCP4Acumatica.git
cd MCP4Acumatica
npm install
2. Create KV namespace
npx wrangler kv namespace create TOKEN_STORE
Note the namespace ID from the output — you'll paste it into wrangler.jsonc next. The same ID is used for both the TOKEN_STORE and OAUTH_KV bindings.
3. Configure wrangler
wrangler.jsonc is tracked in the repo as the deploy template. Edit it in place and fill in:
- The KV namespace ID from step 2 (both
TOKEN_STOREandOAUTH_KVbindings — same id) ACUMATICA_URL— your Acumatica instance URL (e.g.https://yourcompany.acumatica.com)ACUMATICA_TENANT— your Acumatica company/tenant name
To keep your local values out of git status (so you can still pull updates without conflicts):
git update-index --skip-worktree wrangler.jsonc
4. Set secrets
npx wrangler secret put ACUMATICA_CLIENT_ID
npx wrangler secret put ACUMATICA_CLIENT_SECRET
npx wrangler secret put COOKIE_ENCRYPTION_KEY # use `openssl rand -hex 32`
npx wrangler secret put ADMIN_SECRET # any password — protects /docs/admin
5. Deploy
npx wrangler deploy
6. Local development (optional)
cp .dev.vars.example .dev.vars
# Edit .dev.vars with your Acumatica credentials
npx wrangler dev
Acumatica-side configuration
These steps are required regardless of which install path you pick. They can't be automated — Acumatica's API doesn't expose them.
Connected Application (SM303010)
- In Acumatica: System > Integration > Connected Applications (SM303010).
- Create a new Connected Application.
- Set the OAuth 2.0 Flow to Authorization Code.
- Add a redirect URI:
https://<your-worker-url>/callback(use the*.workers.devhostname or your custom domain). - Note the Client ID and Client Secret — you'll provide these as secrets during deploy.
There is no scope field to configure here. OAuth scopes (
api openid profile email offline_access, including theoffline_accessthat makes Acumatica issue refresh tokens) are sent by the MCP server in the authorization request — they aren't set on the Connected Application.
Role and Generic Inquiry (SM201005, SM208000)
The MCP server requires users to have a specific Acumatica role before they can access AI tools. This is enforced via a canary Generic Inquiry (GI) that is assigned only to that role.
- Create role: System > Access Rights > User Roles (SM201005) → create a role named
MCP Access. No screen permissions are needed — it's purely a marker role. - Create Generic Inquiry: System > Customization > Generic Inquiry (SM208000) → create a GI named
MCPAccesswith any trivial query (a single column from any table is fine). Assign it only to theMCP Accessrole. Enable Expose via OData. - Assign role to users: Assign the
MCP Accessrole to each Acumatica user who should have AI assistant access.
The role name is configurable via the
ACUMATICA_MCP_ROLEvariable. Edit it in the Cloudflare dashboard (Variables and Secrets) or inwrangler.jsonc.
Generic Inquiry exposure to AI (strongly recommended)
A mature Acumatica instance can have hundreds of Generic Inquiries, most built for human screens (wide report grids, dashboards, ad-hoc queries). Exposing all of them to the assistant floods its context and makes it pick the wrong inquiry — and, worse, a parameterized GI exposed via OData returns silently wrong data: queried without its parameters, Acumatica returns default/unfiltered rows with no error, which the model cannot detect. The GI exposure gate flips this to opt-in: you tag the GIs that are genuinely useful and correct for an AI agent to query (ExposedToMCP), and the model sees only those.
The gate is inactive until you configure it — the server runs, but with no registry the assistant cannot discover GIs (acumatica_list_generic_inquiries returns nothing; a user can still run a GI by exact name). Configuring it gives the assistant a curated set it can safely discover. Enabling it is a one-time Acumatica customization project — bundled in acumatica/, it adds the custom fields UsrExposedToMCP / UsrAIDescription (GIDesign) and UsrResAIDescription (GIResult) plus the SM208000 form changes — followed by the MCPGIs / MCPGIFields feed GIs, read access on the feeds for the MCP Access role, and tagging the GIs you want exposed. See docs/generic-inquiries.md.
See Generic Inquiries for the full rationale, how to decide which GIs to expose, and step-by-step setup.
Custom domain (optional)
The deploy gives you a *.workers.dev hostname out of the box. To attach a branded hostname:
- Via the Cloudflare dashboard:
Workers & Pages → mcp4acumatica → Settings → Domains & Routes → Add. The domain's zone must be on your Cloudflare account. - Via
wrangler.jsonc: uncomment theroutesblock at the top of the file, editpatternandzone_name, redeploy.
If you change hostnames, remember to add the new https://<host>/callback to your Connected Application's redirect URIs in SM303010.
Connecting Claude
Claude.ai / Claude Desktop
- Go to Settings > Connectors
- Click Add Connector and enter the URL:
https://<your-worker-url>/mcp - On first use, you'll be redirected to your Acumatica login page
- If your account has the
MCP Accessrole, you'll see a consent page explaining AI data processing - After acknowledging consent, Claude will have access to all 48 tools
Claude Code (CLI)
claude mcp add acumatica-erp --transport streamable-http https://<your-worker-url>/mcp
API (via Anthropic SDK)
When using the Anthropic API with MCP, point the MCP client to https://<your-worker-url>/mcp. The server supports OAuth 2.1 with Dynamic Client Registration at /register.
Available Tools
Core
| Tool | Description |
|---|---|
acumatica_get_customer |
Customer record with contacts, credit rules, balance |
acumatica_get_vendor |
Vendor record with contacts, terms, tax info |
acumatica_get_sales_order |
Sales order with line items, totals, shipping |
Financial / Accounting
| Tool | Description |
|---|---|
acumatica_get_invoice |
AR invoice with line items and tax details |
acumatica_get_bill |
AP bill with line items and PO linkage |
acumatica_get_journal_transaction |
GL journal batch with debit/credit details |
acumatica_get_payment |
AR payment with applied documents and orders |
acumatica_get_account |
GL chart of accounts lookup |
acumatica_get_check |
AP check/vendor payment with history |
Inventory & Warehouse
| Tool | Description |
|---|---|
acumatica_get_stock_item |
Stock item with pricing, warehouse qty, vendors |
acumatica_get_non_stock_item |
Non-stock item (service, labor, expense) |
acumatica_get_inventory_quantity_available |
Real-time available quantity across warehouses |
acumatica_get_inventory_summary |
Aggregated inventory balances by warehouse |
acumatica_get_warehouse |
Warehouse with locations and settings |
acumatica_get_item_class |
Item classification defaults |
Purchasing
| Tool | Description |
|---|---|
acumatica_get_purchase_order |
PO with line items, vendor, totals |
acumatica_get_purchase_receipt |
Receipt with received qty and PO linkage |
Projects
| Tool | Description |
|---|---|
acumatica_get_project |
Project header, status, financials |
acumatica_get_project_task |
Task within a project |
acumatica_get_project_budget |
Budget line with actuals vs budgeted |
acumatica_get_project_transaction |
Project cost/revenue transaction details |
Service & Field
| Tool | Description |
|---|---|
acumatica_get_case |
Support case with SLA, priority, time tracking |
acumatica_get_service_order |
Field service order with details and appointments |
acumatica_get_appointment |
Scheduled/actual times, staff, cost/profit |
Sales & CRM
| Tool | Description |
|---|---|
acumatica_get_contact |
CRM contact with address, phone, owner |
acumatica_get_business_account |
Unified prospect/customer/vendor record |
acumatica_get_opportunity |
Sales pipeline deal with products and amounts |
acumatica_get_lead |
Marketing lead with status and source |
acumatica_get_salesperson |
Sales rep with commission settings |
Shipping & Fulfillment
| Tool | Description |
|---|---|
acumatica_get_shipment |
Shipment with packages, tracking, freight |
acumatica_get_sales_invoice |
Invoice with SO/shipment linkage |
HR & Payroll
| Tool | Description |
|---|---|
acumatica_get_employee |
Employee with contact and financial settings |
acumatica_get_expense_claim |
Expense report with line items and approval |
acumatica_get_time_entry |
Time tracking with project, billable/overtime |
CRM Activities
| Tool | Description |
|---|---|
acumatica_get_email |
Email activity with from/to/body |
acumatica_get_event |
Calendar event with attendees |
acumatica_get_activity |
General CRM activity |
acumatica_get_task |
CRM task with related activities |
Utility / Discovery
| Tool | Description |
|---|---|
acumatica_run_inquiry |
Execute any configured Generic Inquiry (GI) with filtering |
acumatica_list_entities |
List/search any entity with OData filtering, sorting, field selection |
acumatica_describe_entity |
Discover fields, types, and sub-entities for any entity |
acumatica_list_generic_inquiries |
List available GIs exposed via OData |
acumatica_describe_inquiry |
Infer field schema for a GI before running it |
acumatica_clear_cache |
Clear cached metadata when schemas change |
Tip: Use
acumatica_describe_entityfirst to discover available fields, thenacumatica_list_entitiesto search/filter. For Generic Inquiries, useacumatica_list_generic_inquiriesto find GI names andacumatica_describe_inquiryto see available fields. See docs/example-prompts.md for usage patterns.
Documentation
Detailed documentation is available in the docs/ folder:
- Tool Reference -- Complete specification for all 48 tools with parameters and endpoints
- Example Prompts -- Example prompts for Claude and other MCP clients organized by use case
- OData Filtering Guide -- Guide to
$filter,$orderby,$select,$expand, and$topquery parameters - Generic Inquiries -- Why GIs are gated for AI use, which GIs to expose, and how to enable the opt-in registry
- Schema Knowledge -- Offline schema-discovery tools for building integrations/customizations, and how the schema index is built
- Architecture -- Detailed architecture, OAuth flow, security model, and design decisions
- Self-Hosting Guide -- How to run the MCP server on Node.js or other platforms outside Cloudflare
- Upgrading Acumatica -- Steps to take when changing or upgrading the connected Acumatica version
Security
- No stored credentials. The MCP server does not store Acumatica passwords. It uses OAuth 2.0 authorization code flow -- users authenticate directly with Acumatica.
- Per-user tokens. Each user's Acumatica access token is stored in the platform key-value store (Cloudflare KV on the default deployment), scoped to their username. Tokens are automatically refreshed when expired. If a refresh token expires, the connection re-authenticates automatically instead of requiring a manual reconnect.
- Role gate. Only users with the
MCP Accessrole (configurable) can connect. This is enforced via a canary Generic Inquiry check during login -- users without the role see an access denied page. - Consent interstitial. After passing the role check, users must acknowledge that their data will be processed by an external AI model before the MCP session activates.
- Sensitive field redaction. Tool responses are automatically scanned for sensitive field names (SSN, bank accounts, salary, credit card, etc.) and matched values are replaced with
[REDACTED]. Patterns are configurable viaREDACT_PATTERNSandREDACT_SKIPenvironment variables. - Role-based access. The user's Acumatica role determines which records they can read. If a user doesn't have access to a record in Acumatica, they won't be able to access it through the MCP server either.
- Read-only. All current tools are read-only lookups. No data is created, modified, or deleted.
- Rate limiting. 3 concurrent requests, 40 requests per minute, and a configurable record cap per query to protect your Acumatica instance.
- Pagination refusal. The list/query tools (
acumatica_list_entities,acumatica_run_inquiry,acumatica_list_generic_inquiries) do not support pagination. When a response hitsACUMATICA_MAX_RECORDS, the tool returns a structured envelope (truncated: true,paginationSupported: false,actionRequired: "...") instructing the AI to stop and ask the user for a narrower filter rather than retrieving more records. - Audit logging. All tool invocations, auth events (login success/denied, consent accepted), and field redaction events are logged as structured JSON. View with
npx wrangler tail.
Platform Portability
While the default deployment targets Cloudflare Workers, the tool handlers and core libraries are platform-agnostic. A storage abstraction (IKeyValueStore interface + AppEnv type) decouples tool logic from Cloudflare-specific APIs, enabling self-hosted deployments on Node.js with Redis, SQLite, or other storage backends. See the Self-Hosting Guide for details.
Tech Stack
- Runtime: Cloudflare Workers + Durable Objects
- MCP: agents SDK (McpAgent), @modelcontextprotocol/sdk
- Auth: @cloudflare/workers-oauth-provider
- HTTP routing: Hono
- Language: TypeScript
- Validation: Zod
Development
npx wrangler dev # Start local dev server
npx tsc --noEmit # Type check
npx wrangler tail # Stream live logs from deployed worker
License
Apache 2.0 -- Copyright 2026 Hall Boys, Inc.
Установка MCP4Acumatica
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/cchesebro-prog/mcp4acumatica1FAQ
MCP4Acumatica MCP бесплатный?
Да, MCP4Acumatica MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для MCP4Acumatica?
Нет, MCP4Acumatica работает без API-ключей и переменных окружения.
MCP4Acumatica — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить MCP4Acumatica в Claude Desktop, Claude Code или Cursor?
Открой MCP4Acumatica на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare MCP4Acumatica with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
