What you are building
An MCP server is a governed interface layer that sits between AI agents and your SaaS stack. It exposes standardized tools through the Model Context Protocol, enforces scoped permissions, routes write operations through approval gates, and logs every execution for audit and compliance.
The MCP server translates unstructured agent requests into structured API calls, applies governance rules, and returns results in a format agents can reason about.
Key components of an MCP server:
- Protocol layer. Implements the MCP specification so agents can discover tools, read schemas, and propose operations.
- Authentication layer. Handles OAuth flows, API key management, and token refresh for the target SaaS stack.
- Tool definitions. Exposes operations like read, write, search, and metadata retrieval as standardized tools with input schemas.
- Governance layer. Enforces permissions, routes write operations through approval queues, and blocks unauthorized actions.
- Audit logging. Captures every operation with timestamp, agent ID, tool used, input, output, and approval decision.
Prerequisites for building an MCP server
Before you start building, you need:
- Access to the target stack. Admin or developer credentials for the SaaS platform you are building the MCP server for (e.g., Salesforce, Zendesk, Slack).
- Understanding of the stack's API. Know which objects, fields, and operations agents will need. Review the API documentation for auth patterns and rate limits.
- Governance requirements. Define which operations require approval, who approves them, and what audit data must be logged.
- Agent deployment plan. Know which agents will use the MCP server and what workflows they will automate. This determines which tools to enable.
Choose your approach: builder or custom implementation
| Factor | Use a builder | Build from scratch |
|---|---|---|
| Time to deploy | 30 minutes to 2 hours | 2-3 weeks for production-ready implementation |
| Target stack | Best for Salesforce, Zendesk, Slack, Notion, QuickBooks, Jira, HubSpot, Shopify | Required for custom internal APIs or niche SaaS |
| Governance needs | Approval gates and audit logging built in | Build approval routing and logging infrastructure |
| Technical skills required | Operator-level: configure permissions and approval rules through UI | Engineering-level: implement MCP protocol, OAuth, tool schemas |
| Maintenance | Builder handles protocol updates and stack API changes | You own all updates, compatibility fixes, and error handling |
Most technical teams should use a builder for common SaaS stacks. Reserve custom implementation for specialized internal systems or when you need full control over the protocol layer.
Implementation steps: building with a builder
This section covers how to build an MCP server using a builder like Pinksheep. The process is UI-driven and takes under an hour.
Select the target stack
Choose which SaaS platform to build the MCP server for. For this guide, we'll use Zendesk as the example.
Authenticate and authorize
Complete the OAuth flow. Grant access to the objects agents will need: tickets, users, organizations, custom fields. The builder handles token storage and refresh.
Enable tools
Select which MCP tools to enable: query tickets, get ticket details, update ticket status, add comments, escalate to tier 2, search users, retrieve metadata.
Set object-level permissions
Define which Zendesk objects the MCP server can access. For example, allow ticket and user access, but block access to billing data.
Configure operation-level permissions
Decide which operations require approval. For example, allow read and search without approval, but require approval for status updates and escalations.
Set approval routing
Designate who receives approval requests. For Zendesk, route ticket status changes to the support lead and escalations to the support manager.
Configure audit logging
Enable structured logging. Capture agent ID, tool used, input, output, timestamp, and approval decision for every operation.
Deploy the MCP server
Review the configuration and deploy. The MCP server is now live and agents can discover the tools through the protocol.
Governance setup: permissions, approvals, and audit
Governance is what makes an MCP server safe for production agent deployments. Set clear permissions, enforce approval gates, and log every operation.
- Role-based access control. Define which users or teams can configure the MCP server, manage permissions, and review approvals.
- Tool-level permissions. Enable or disable specific MCP tools. For example, allow queryTickets but block updateTicketStatus unless approved.
- Approval gates. Route write operations through an approval queue. The approver sees the proposed change, the reason, and the context. Approve or reject before execution.
- Audit trail. Every operation logged with timestamp, agent ID, tool used, input, output, and approval decision. Export for compliance review.
- Usage monitoring. Dashboard shows which agents use which tools, frequency, success rate, error patterns, and approval turnaround time.
Testing and deployment
Before deploying the MCP server to production agents, test it in a sandbox environment. Verify that tools are discoverable, permissions are enforced, and audit logs capture all required data.
Test checklist:
- Tool discovery. Confirm that a test agent can discover all enabled tools through the MCP protocol.
- Permission enforcement. Verify that blocked operations are rejected and that approval-required operations are routed to the queue.
- Approval workflow. Test the approval queue. Confirm that approvers receive requests, can review context, and can approve or reject.
- Audit logging. Check that every operation is logged with complete context. Export a sample log and verify it meets compliance requirements.
- Error handling. Test failure scenarios: invalid input, rejected approvals, API errors. Confirm that the MCP server returns actionable error messages.
Once testing is complete, deploy to production. Monitor the dashboard for the first week to ensure agents are using tools as expected and approval turnaround times are acceptable.
Frequently asked questions
How long does it take to build an MCP server for Salesforce?
Using a builder like Pinksheep, setup takes 30 minutes to an hour. Building from scratch with the MCP protocol spec takes 2-3 weeks for a production-ready implementation with governance.
Do I need to be an engineer to build an MCP server?
Not with a builder. Technical enablers (IT leads, ops managers, solutions engineers) can configure and deploy MCP servers through a UI. Custom implementation requires engineering knowledge of the MCP protocol.
Can I build one MCP server for multiple stacks?
Yes, but it's better to build one MCP server per stack. Each stack has different auth patterns, object models, and permission systems. Separate servers are easier to govern and audit.
How do I test an MCP server before deploying it to production agents?
Use a test agent in a sandbox environment. Verify that tools are discoverable, permissions are enforced, approval gates work as expected, and audit logs capture all required context.