@mcp-abap-adt/proxy
Provides a proxy for MCP requests to SAP ABAP ADT, adding JWT authentication via SAP BTP destinations and service keys, enabling local MCP clients to interact with remote MCP servers in SAP environments.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@mcp-abap-adt/proxylist ABAP classes in package ZTEST"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@mcp-abap-adt/proxy
MCP proxy server for SAP ABAP ADT - proxies local requests to MCP servers with JWT authentication.
Overview
This package acts as a simple proxy between local MCP clients (like Cline) and any MCP server. It intercepts MCP requests, adds JWT authentication tokens, and forwards them to the target MCP server. The MCP server URL is obtained from the service key for the BTP destination.
Related MCP server: ABAP-ADT-API MCP-Server
Purpose
Enable local MCP clients to connect to remote MCP servers with automatic JWT token management via @mcp-abap-adt/auth-broker. The proxy adds authentication headers and forwards requests transparently.
Features
✅ JWT Token Management - Automatic token retrieval, caching, and refresh via auth-broker
✅ Service Key Based - MCP server URL is obtained from service key for BTP destination
✅ Error Handling - Retry logic, circuit breaker, and comprehensive error handling
✅ Multiple Transport Modes - HTTP, SSE, and stdio support
✅ Configuration Flexibility - Environment variables, config files, or defaults
Quick Start
Installation
npm install -g @mcp-abap-adt/proxyBasic Usage
# Start proxy server (in-memory session storage, secure)
mcp-abap-adt-proxy
# With BTP destination
mcp-abap-adt-proxy --btp=ai
# Enable file-based session storage (persists tokens to disk)
mcp-abap-adt-proxy --btp=ai --unsafeConfiguration
The proxy supports multiple configuration methods:
Command-line parameters (highest priority)
YAML/JSON configuration files - See YAML Configuration Guide
Environment variables
Default values (lowest priority)
Quick Example (YAML config):
# Copy example config from documentation
cp docs/mcp-proxy-config.example.yaml mcp-proxy-config.yaml
# Edit mcp-proxy-config.yaml with your settings
# Run with config file
mcp-abap-adt-proxy --config=mcp-proxy-config.yaml
# Or short form:
mcp-abap-adt-proxy -c mcp-proxy-config.yamlClient Configuration
For detailed setup instructions for Cline and GitHub Copilot, see the Client Setup Guide.
Quick Example (Cline):
{
"mcpServers": {
"mcp-abap-adt-proxy": {
"disabled": false,
"timeout": 60,
"type": "streamableHttp",
"url": "http://localhost:3001/mcp/stream/http",
"headers": {
"x-sap-destination": "btp-cloud"
}
}
}
}Required Headers:
x-sap-destination- Destination name for BTP Cloud authorization token and MCP server URL
Command Line Overrides:
--btp=<destination>- Overridesx-sap-destinationheader (takes precedence)--url=<url>- Overrides MCP server URL (required if service key lacks URL)--browser=<browser>- Browser to use:system(default),chrome,edge,firefox,headless--browser-auth-port=<port>- Port for OAuth2 callback (default: 3333)--unsafe- Enables file-based session storage (persists tokens to disk). By default, sessions are stored in-memory (secure, lost on restart)
Default Headers:
MCP clients like Cline and Claude Code cannot set arbitrary request headers. Use default headers to inject SAP-specific headers (e.g. x-sap-destination, x-sap-client) that the target MCP server requires.
Precedence: client-supplied request headers always win over defaultHeaders. Authorization is the exception — it is always managed by the proxy (replaced with the destination JWT) and cannot be set via defaultHeaders.
Via YAML config (defaultHeaders map):
btpDestination: mcp
targetUrl: https://example.com
defaultHeaders:
x-sap-destination: S4HANA_E19
x-sap-client: "100"Per-user ABAP credentials. defaultHeaders is the supported place to supply your own SAP login/password for on-premise / NoAuthentication destinations. The upstream cloud-llm-hub is a shared server with no default service user, so it expects each caller's own x-sap-login / x-sap-password on every request. Because the proxy runs locally on each user's machine, it carries your identity.
Do not hardcode secrets. Reference environment variables with ${VAR} (or ${VAR:-default}); values are resolved from process.env or an explicitly-pointed .env file:
btpDestination: mcp
envFile: secrets.env # resolved relative to this config file's dir
defaultHeaders:
x-sap-destination: S4HANA_E19
x-sap-login: ${SAP_USER}
x-sap-password: ${SAP_PASSWORD}secrets.env (user-local, chmod 600, never committed):
SAP_USER=MY_SAP_USER
SAP_PASSWORD=my-sap-passwordResolution order is process.env → .env → ${VAR:-default}. process.env wins; an unresolved ${VAR} without a default fails the proxy at startup. Override the .env path at launch with --env-file <path>. This closes both auth layers from one local config: the service layer (Authorization: Bearer <JWT>, from the destination service key) and the ABAP layer (x-sap-login / x-sap-password).
Via CLI (--header, repeatable):
mcp-abap-adt-proxy --btp=mcp --url=https://example.com \
--header x-sap-destination=S4HANA_E19 \
--header x-sap-client=100How It Works:
The proxy uses BTP/XSUAA authentication:
BTP Authentication (if
--btporx-sap-destinationis present):Uses
AuthorizationCodeProvider(browser-based OAuth2 flow)Eager Authentication: Opens browser immediately on startup to get token
Injects/overwrites
Authorization: Bearer <token>headerMCP server URL obtained from BTP destination service key OR injected via
--urlService key format: contains
uaa(url, clientid, clientsecret)
BTP Authentication Mode (with --btp):
Proxy starts → Opens browser for login (Eager Auth) → Gets/Refreshes JWT token
x-sap-destination(or--btp) → AddsAuthorization: Bearer <token>headerMCP server URL obtained from service key OR
--urlparameter
Documentation
Client Setup Guide - Step-by-step setup for Cline and GitHub Copilot
Configuration Guide - Complete configuration reference
YAML Configuration Guide - Using YAML/JSON configuration files
Usage Examples - Practical usage examples and patterns
API Documentation - API reference and interfaces
Architecture - System architecture and design
Troubleshooting - Common issues and solutions
Routing Logic Specification - Detailed routing logic and scenarios
Roadmap - Development roadmap and progress
How It Works
The proxy performs the following steps for each request:
Extract Headers: Reads
x-sap-destinationheaderApply Command Line Overrides:
--btpparameter overrides header (if provided)Validate Routing Requirements: Requires
x-sap-destination/--btpBTP Authentication (if
x-sap-destinationor--btpis provided):Uses
AuthorizationCodeProvider(browser-based login)Eagerly obtains token on startup (if configured via
--btp)Retrieves JWT token using cached refresh token or opens browser
Injects/overwrites
Authorization: Bearer <token>header
Get MCP Server URL:
From service key for
x-sap-destination
Forward Request: Sends request to MCP server URL with all injected headers
Return Response: Forwards the response back to the client
Example Request Flow
Cline → Proxy (adds BTP token) → Target MCP Server → Proxy → ClineThe proxy is transparent - it only adds authentication headers and forwards requests.
Configuration
Configuration
Environment Variables
export MCP_HTTP_PORT=3001
export LOG_LEVEL=info
export MCP_PROXY_UNSAFE=true # Enable file-based session storage (optional)
export AUTH_BROKER_PATH=~/.config/mcp-abap-adt # Optional base path for service-keys/sessionsAUTH_BROKER_PATH is treated as a base directory. The proxy resolves:
service-keysfrom<AUTH_BROKER_PATH>/service-keyssessionsfrom<AUTH_BROKER_PATH>/sessions
Defaults when AUTH_BROKER_PATH is not set:
Unix/Linux/macOS:
~/.config/mcp-abap-adt/service-keysand~/.config/mcp-abap-adt/sessionsWindows:
%USERPROFILE%\\Documents\\mcp-abap-adt\\service-keysand%USERPROFILE%\\Documents\\mcp-abap-adt\\sessions
Configuration File
Create mcp-proxy-config.json:
{
"httpPort": 3001,
"logLevel": "info",
"maxRetries": 3,
"circuitBreakerThreshold": 5,
"unsafe": false
}Session Storage:
unsafe: false(default) - Session data stored in-memory (secure, lost on restart)unsafe: true- Session data persisted to disk (tokens saved under the session store path)
See Configuration Guide for complete options.
Error Handling & Resilience
Retry Logic - Exponential backoff for failed requests
Circuit Breaker - Prevents cascading failures
Token Refresh - Automatic token refresh on expiration
Connection Pooling - Efficient resource management
Request Timeouts - Configurable timeout handling
Requirements
Node.js >= 18.0.0
npm >= 9.0.0
Testing Tools
Verify a BTP destination's service key and token retrieval:
npm run test-destinationSee tools/README.md for the available scripts.
Development Status
✅ Core Features Complete
✅ Project Setup & Foundation
✅ Request Interception & Analysis
✅ JWT Token Management & Proxy Forwarding
✅ Configuration & Environment
✅ Error Handling & Resilience
✅ Testing Tools (
tools/)✅ Documentation
🚧 Future Work
⏳ Unit Tests
⏳ Performance & Optimization
⏳ Deployment & Publishing
See ROADMAP.md for details.
License
MIT
Links
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/fr0ster/mcp-abap-adt-proxy'
If you have feedback or need assistance with the MCP directory API, please join our Discord server