Connectors

Connectors

Connectors are the bridge between ApexMCP and your data sources. Each connector you add automatically generates a set of MCP tools that AI agents can call.

Supported Connector Types

Relational databases

TypeDescription
PostgreSQLQuery tables, views, and stored functions
MySQLQuery tables and views
OracleQuery tables and views (thin client)
MSSQLQuery tables, views, and procs (Azure SQL + on-prem)

Data warehouses & big data

TypeDescription
SnowflakeQuery warehouses, databases, and schemas
DatabricksQuery Delta tables via SQL warehouse endpoints
Hadoop (Hive)Query Hive tables via HiveServer2

Document & object stores

TypeDescription
MongoDBQuery collections; auto-discover schemas via sampling
S3List + read objects from AWS S3 buckets
GCSList + read objects from Google Cloud Storage buckets

APIs & web protocols

TypeDescription
RESTCall any HTTP endpoint; define operations as tools. Variants for Basic, OAuth2, and JWT auth
GraphQLSchema-discovery introspection over GraphQL endpoints
gRPCCall gRPC services (provide .proto schema)
WebhookReceive inbound webhook calls and expose as agent-readable events

Spreadsheets

TypeDescription
Google SheetsRead and write spreadsheet ranges
Excel (OneDrive)Read and write Excel workbooks via Microsoft Graph

MCP proxy

TypeDescription
External MCPMount any external MCP server as a connector. ApexMCP becomes a governance layer in front of it — adds API-key auth, per-org rate-limit, audit log, credential injection, and per-tool blocklist. See External MCP Connector.

Adding a Connector

  1. Go to Connectors → New Connector in the dashboard
  2. Select the connector type
  3. Fill in connection details (host, port, credentials, etc.)
  4. Click Test Connection to verify
  5. Click Save — schema discovery runs automatically

PostgreSQL Example

Type:     PostgreSQL
Host:     db.example.com
Port:     5432
Database: mydb
Username: apexmcp_ro
Password: ••••••••••
SSL:      Required

For least-privilege, create a dedicated read-only database user:

CREATE USER apexmcp_ro WITH PASSWORD 'strongpassword';
GRANT CONNECT ON DATABASE mydb TO apexmcp_ro;
GRANT USAGE ON SCHEMA public TO apexmcp_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO apexmcp_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO apexmcp_ro;

Credential Storage

All connector credentials are encrypted at rest using AES-256-GCM inside the Credential Vault service. The encryption key is stored separately from the ciphertext. Credentials are:

  • Never returned via API after initial save
  • Decrypted in-memory only when executing a tool call
  • Rotatable — update credentials without changing the connector ID or regenerating tools

Schema Discovery

After saving a connector, ApexMCP introspects the data source and generates MCP tool definitions:

  • SQL databases: one tool per table/view with a sql parameter for safe parameterised queries
  • REST APIs: one tool per defined operation
  • Google Sheets: read_range and write_range tools per spreadsheet
  • gRPC: one tool per service method

Tools are named {action}_{connector_type}_{resource}, e.g.:

  • query_postgres_orders
  • read_sheets_q1_pipeline
  • call_grpc_user_service_get_user

Re-run schema discovery at any time via Connectors → [name] → Refresh Schema.

Connector-Level Scope Restriction

Limit an API key or OAuth client to a specific connector using the scoped format:

mcp:call:<connector-id>

Example: restrict an agent to only the reporting database:

# OAuth token scoped to one connector
curl -X POST https://gateway.apexmcp.ai/oauth/token \
  -d "grant_type=client_credentials" \
  -d "client_id=apx_client_xxxxxxxx" \
  -d "client_secret=apx_secret_xxxxxxxx" \
  -d "scope=mcp:call:conn_01j9x8k2m3n4p5q6r7s8t9u0v1"

The returned token can only call tools from that specific connector. All other tools return a 403 with error code -32003 (insufficient scope).

Connector Status

Connectors show real-time health in the dashboard:

StatusMeaning
healthyLast connection test passed
degradedIntermittent errors in last 5 minutes
unreachableCannot connect; check credentials and network
discoveringSchema discovery in progress
Connect to Claude.aiExternal MCP Connector