Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 14 additions & 3 deletions guides/protocols/mcp.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,11 @@ synopsis: >

# MCP Protocol Adapter <Beta />


> [!warning]
> The CAP MCP adapter is in **Beta** status and is **not intended for production use**. It is provided for exploration and early feedback only. Do not use this adapter in production systems or to expose business-critical data to agents.
>
> The CAP MCP adapter is designed exclusively to expose custom CAP application services via MCP.
> It is not an endorsed pathway for exposing SAP APIs directly via MCP to agents, since it lacks the required governance, authentication, and compliance controls. For endorsed architectures covering agentic access to SAP APIs, please refer to the reference architectures published on the **[SAP Architecture Center](https://architecture.learning.sap.com/docs/ref-arch/98efa0)**.

The [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) is an open-source standard that enables direct integration between large language model (LLM) applications and external data sources. Any CAP service can be turned into an MCP server, allowing AI agents and LLM-powered tools to interact with the service without additional implementation work. All that is required is annotating it with [ `@mcp`](#serving-mcp). From CAP perspective MCP is just another protocol which we serve similar to _OData_, _GraphQL_, _REST_, or _HCQL_.

Expand Down Expand Up @@ -491,5 +495,12 @@ Future versions of the adapter may add support for data changes using CREATE, UP
### Prompt Injection Attacks

> [!caution]
> The MCP adapter does not perform any input validation or output validation regarding prompt injections.
> Hence, for production use cases ensure you use infrastructure and practices that mitigate prompt injection risks and connect only to trusted MCP agents (for example, Joule).
> The MCP adapter does not perform any input or output validation regarding prompt injection attacks.
> Agents can potentially be manipulated by data returned from the service to execute unintended actions. For any deployment ensure you use infrastructure and practices that mitigate prompt injection risks and connect only to trusted MCP agents (e.g., Joule).

### Missing Governance Controls

> [!caution]
> The adapter provides no built-in governance features: there is no rate limiting, no audit logging of agent actions, no approval workflows for sensitive operations, and no policy enforcement layer. Before using MCP in any environment beyond local development, put appropriate controls in place at the infrastructure or application level.
>
> In particular, the CAP MCP adapter must not be used as a gateway or proxy for SAP APIs, as doing so bypasses the governance, authentication, and compliance controls those APIs require. Any use of SAP APIs must be in accordance with the [SAP API Policy](https://help.sap.com/docs/business-accelerator-hub/sap-business-accelerator-hub/sap-api-policy). For endorsed patterns on agentic access to SAP APIs, consult the [SAP Architecture Center](https://architecture.learning.sap.com/docs/ref-arch/98efa0) reference architectures.