Nov 1, 2025

T4A MCP Server

Model Context Protocol server exposing 15+ live ERP tools and a RAG knowledge base to AI clients — secured by Auth0 JWT with role-based access control.

python · mcp · fastapi · chromadb · auth0

The shape of the problem

The AI chat platform needed to reach into live company data — product stock, order status, partner permissions, pricelist lookups — without hallucinating or going stale. Building a tool per endpoint and maintaining separate auth for each one wasn't viable at scale.

What I built

A FastAPI server that speaks MCP over SSE. Two subsystems share the same process:

ERP tools — 15+ tools backed by MetaKocka REST API endpoints: product identification via semantic vector search, stock levels, pricing by pricelist, order lookups, warehouse queries. Each tool maps to an Auth0 permission scope; the JWT is validated on every request and RBAC is enforced at the tool level.

Knowledge base — a RAG pipeline that ingests company documents, embeds them into ChromaDB, and serves hybrid BM25 + dense vector search with a cross-encoder reranker. Staff upload sources via an admin API; the MCP knowledge tool makes the results available to any connected AI client.
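The fusion step behind "hybrid BM25 + dense" can be sketched in plain Python. This is an illustrative toy, not the production pipeline: the real system uses ChromaDB for dense retrieval and a cross-encoder for reranking, while here the dense ranking is a hypothetical hard-coded list and the documents are made up. The idea it shows — reciprocal rank fusion of a sparse and a dense ranking — is the standard way to merge the two result lists.

```python
import math
from collections import Counter

def bm25_scores(query, docs, k1=1.5, b=0.75):
    """Minimal BM25 over whitespace-tokenized docs (toy sketch)."""
    tokenized = [d.lower().split() for d in docs]
    avgdl = sum(len(t) for t in tokenized) / len(tokenized)
    N = len(docs)
    df = Counter()
    for toks in tokenized:
        for term in set(toks):
            df[term] += 1
    scores = []
    for toks in tokenized:
        tf = Counter(toks)
        s = 0.0
        for term in query.lower().split():
            if term not in tf:
                continue
            idf = math.log(1 + (N - df[term] + 0.5) / (df[term] + 0.5))
            s += idf * tf[term] * (k1 + 1) / (
                tf[term] + k1 * (1 - b + b * len(toks) / avgdl))
        scores.append(s)
    return scores

def rrf_fuse(rankings, k=60):
    """Reciprocal rank fusion: merge ranked lists of doc indices."""
    fused = Counter()
    for ranking in rankings:
        for rank, idx in enumerate(ranking):
            fused[idx] += 1.0 / (k + rank + 1)
    return [idx for idx, _ in fused.most_common()]

docs = [
    "T4A widget pro 2000 stock status",
    "warehouse transfer procedure",
    "widget pro 2000 pricelist entry",
]
sparse = bm25_scores("widget pro 2000", docs)
sparse_rank = sorted(range(len(docs)), key=lambda i: -sparse[i])
# Stand-in for ChromaDB's vector search (hypothetical ranking).
dense_rank = [2, 0, 1]
print(rrf_fuse([sparse_rank, dense_rank]))  # → [2, 0, 1]
```

In production the fused list would then go through the cross-encoder reranker, which scores each (query, document) pair jointly and reorders the top candidates.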

The server runs at mcp.time-4-action.com behind nginx and powers both the chat platform and any future MCP-compatible client.
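Tool-level RBAC is the part that makes a restricted client unable to call out-of-scope tools no matter what the model attempts. A minimal sketch of how that gate might look, assuming the validated JWT's claims are passed into each tool call — the scope and tool names (`read:stock`, `get_stock`) are illustrative, not the server's real identifiers:

```python
from functools import wraps

class ScopeError(PermissionError):
    """Raised when the caller's JWT lacks the tool's required scope."""

TOOL_REGISTRY = {}

def mcp_tool(required_scope):
    """Register a tool and gate it on an Auth0 permission (sketch)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(claims, **kwargs):
            # Auth0 RBAC puts granted permissions in the token's
            # "permissions" claim once "Add Permissions in the Access
            # Token" is enabled for the API.
            if required_scope not in claims.get("permissions", []):
                raise ScopeError(f"missing scope: {required_scope}")
            return fn(**kwargs)
        TOOL_REGISTRY[fn.__name__] = wrapper
        return wrapper
    return decorator

@mcp_tool("read:stock")
def get_stock(sku):
    # Placeholder for the real MetaKocka REST lookup.
    return {"sku": sku, "qty": 42}

ok_claims = {"permissions": ["read:stock"]}
print(TOOL_REGISTRY["get_stock"](ok_claims, sku="W-2000"))
```

Because the check lives in the dispatch path rather than on an HTTP route, it holds even when the AI client enumerates tools it was never granted: the call fails with `ScopeError` before any ERP request is made.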

Lessons

  • MCP over SSE is the right transport for web workloads — no subprocess management, straightforward reverse-proxy setup.
  • Auth0 RBAC at the tool level (not just the endpoint) means a restricted client literally cannot call tools it isn't scoped for, regardless of what the AI decides to try.
  • Hybrid search (BM25 + dense) with a reranker consistently outperforms either method alone, especially on product names where exact-match matters.