@mcp-abap-adt/proxy
v1.6.2
Published
MCP proxy server for SAP ABAP ADT - proxies local requests to cloud-llm-hub with JWT authentication
Maintainers
Readme
@mcp-abap-adt/proxy
MCP proxy server for SAP ABAP ADT - proxies local requests to MCP servers with JWT authentication.
Overview
This package acts as a simple proxy between local MCP clients (like Cline) and any MCP server. It intercepts MCP requests, adds JWT authentication tokens, and forwards them to the target MCP server. The MCP server URL is obtained from the service key for the BTP destination.
Purpose
Enable local MCP clients to connect to remote MCP servers with automatic JWT token management via @mcp-abap-adt/auth-broker. The proxy adds authentication headers and forwards requests transparently.
Features
- ✅ JWT Token Management - Automatic token retrieval, caching, and refresh via auth-broker
- ✅ Service Key Based - MCP server URL is obtained from service key for BTP destination
- ✅ Error Handling - Retry logic, circuit breaker, and comprehensive error handling
- ✅ Multiple Transport Modes - HTTP, SSE, and stdio support
- ✅ Configuration Flexibility - Environment variables, config files, or defaults
Quick Start
Installation
npm install -g @mcp-abap-adt/proxyBasic Usage
# Start proxy server (in-memory session storage, secure)
mcp-abap-adt-proxy
# With BTP destination
mcp-abap-adt-proxy --btp=ai
# Enable file-based session storage (persists tokens to disk)
mcp-abap-adt-proxy --btp=ai --unsafeConfiguration
The proxy supports multiple configuration methods:
- Command-line parameters (highest priority)
- YAML/JSON configuration files - See YAML Configuration Guide
- Environment variables
- Default values (lowest priority)
Quick Example (YAML config):
# Copy example config from documentation
cp docs/mcp-proxy-config.example.yaml mcp-proxy-config.yaml
# Edit mcp-proxy-config.yaml with your settings
# Run with config file
mcp-abap-adt-proxy --config=mcp-proxy-config.yaml
# Or short form:
mcp-abap-adt-proxy -c mcp-proxy-config.yamlClient Configuration
For detailed setup instructions for Cline and GitHub Copilot, see the Client Setup Guide.
Quick Example (Cline):
{
"mcpServers": {
"mcp-abap-adt-proxy": {
"disabled": false,
"timeout": 60,
"type": "streamableHttp",
"url": "http://localhost:3001/mcp/stream/http",
"headers": {
"x-sap-destination": "btp-cloud"
}
}
}
}Required Headers:
x-sap-destination- Destination name for BTP Cloud authorization token and MCP server URL
Command Line Overrides:
--btp=<destination>- Overridesx-sap-destinationheader (takes precedence)--url=<url>- Overrides MCP server URL (required if service key lacks URL)--browser=<browser>- Browser to use:system(default),chrome,edge,firefox,headless--browser-auth-port=<port>- Port for OAuth2 callback (default: 3333)--unsafe- Enables file-based session storage (persists tokens to disk). By default, sessions are stored in-memory (secure, lost on restart)
Default Headers:
MCP clients like Cline and Claude Code cannot set arbitrary request headers. Use default headers to inject SAP-specific headers (e.g. x-sap-destination, x-sap-client) that the target MCP server requires.
Precedence: client-supplied request headers always win over defaultHeaders. Authorization is the exception — it is always managed by the proxy (replaced with the destination JWT) and cannot be set via defaultHeaders.
Via YAML config (defaultHeaders map):
btpDestination: mcp
targetUrl: https://example.com
defaultHeaders:
x-sap-destination: S4HANA_E19
x-sap-client: "100"Per-user ABAP credentials. defaultHeaders is the supported place to supply your own SAP login/password for on-premise / NoAuthentication destinations. The upstream cloud-llm-hub is a shared server with no default service user, so it expects each caller's own x-sap-login / x-sap-password on every request. Because the proxy runs locally on each user's machine, it carries your identity.
Do not hardcode secrets. Reference environment variables with ${VAR} (or ${VAR:-default}); values are resolved from process.env or an explicitly-pointed .env file:
btpDestination: mcp
envFile: secrets.env # resolved relative to this config file's dir
defaultHeaders:
x-sap-destination: S4HANA_E19
x-sap-login: ${SAP_USER}
x-sap-password: ${SAP_PASSWORD}secrets.env (user-local, chmod 600, never committed):
SAP_USER=MY_SAP_USER
SAP_PASSWORD=my-sap-passwordResolution order is process.env → .env → ${VAR:-default}. process.env wins; an unresolved ${VAR} without a default fails the proxy at startup. Override the .env path at launch with --env-file <path>. This closes both auth layers from one local config: the service layer (Authorization: Bearer <JWT>, from the destination service key) and the ABAP layer (x-sap-login / x-sap-password).
Via CLI (--header, repeatable):
mcp-abap-adt-proxy --btp=mcp --url=https://example.com \
--header x-sap-destination=S4HANA_E19 \
--header x-sap-client=100How It Works:
The proxy uses BTP/XSUAA authentication:
- BTP Authentication (if
--btporx-sap-destinationis present):- Uses
AuthorizationCodeProvider(browser-based OAuth2 flow) - Eager Authentication: Opens browser immediately on startup to get token
- Injects/overwrites
Authorization: Bearer <token>header - MCP server URL obtained from BTP destination service key OR injected via
--url - Service key format: contains
uaa(url, clientid, clientsecret)
- Uses
BTP Authentication Mode (with --btp):
- Proxy starts → Opens browser for login (Eager Auth) → Gets/Refreshes JWT token
x-sap-destination(or--btp) → AddsAuthorization: Bearer <token>header- MCP server URL obtained from service key OR
--urlparameter
Documentation
- Client Setup Guide - Step-by-step setup for Cline and GitHub Copilot
- Configuration Guide - Complete configuration reference
- YAML Configuration Guide - Using YAML/JSON configuration files
- Usage Examples - Practical usage examples and patterns
- API Documentation - API reference and interfaces
- Architecture - System architecture and design
- Troubleshooting - Common issues and solutions
- Routing Logic Specification - Detailed routing logic and scenarios
- Roadmap - Development roadmap and progress
How It Works
The proxy performs the following steps for each request:
- Extract Headers: Reads
x-sap-destinationheader - Apply Command Line Overrides:
--btpparameter overrides header (if provided) - Validate Routing Requirements: Requires
x-sap-destination/--btp - BTP Authentication (if
x-sap-destinationor--btpis provided):- Uses
AuthorizationCodeProvider(browser-based login) - Eagerly obtains token on startup (if configured via
--btp) - Retrieves JWT token using cached refresh token or opens browser
- Injects/overwrites
Authorization: Bearer <token>header
- Uses
- Get MCP Server URL:
- From service key for
x-sap-destination
- From service key for
- Forward Request: Sends request to MCP server URL with all injected headers
- Return Response: Forwards the response back to the client
Example Request Flow
Cline → Proxy (adds BTP token) → Target MCP Server → Proxy → ClineThe proxy is transparent - it only adds authentication headers and forwards requests.
Configuration
Configuration
Environment Variables
export MCP_HTTP_PORT=3001
export LOG_LEVEL=info
export MCP_PROXY_UNSAFE=true # Enable file-based session storage (optional)
export AUTH_BROKER_PATH=~/.config/mcp-abap-adt # Optional base path for service-keys/sessionsAUTH_BROKER_PATH is treated as a base directory. The proxy resolves:
service-keysfrom<AUTH_BROKER_PATH>/service-keyssessionsfrom<AUTH_BROKER_PATH>/sessions
Defaults when AUTH_BROKER_PATH is not set:
- Unix/Linux/macOS:
~/.config/mcp-abap-adt/service-keysand~/.config/mcp-abap-adt/sessions - Windows:
%USERPROFILE%\\Documents\\mcp-abap-adt\\service-keysand%USERPROFILE%\\Documents\\mcp-abap-adt\\sessions
Configuration File
Create mcp-proxy-config.json:
{
"httpPort": 3001,
"logLevel": "info",
"maxRetries": 3,
"circuitBreakerThreshold": 5,
"unsafe": false
}Session Storage:
unsafe: false(default) - Session data stored in-memory (secure, lost on restart)unsafe: true- Session data persisted to disk (tokens saved under the session store path)
See Configuration Guide for complete options.
Error Handling & Resilience
- Retry Logic - Exponential backoff for failed requests
- Circuit Breaker - Prevents cascading failures
- Token Refresh - Automatic token refresh on expiration
- Connection Pooling - Efficient resource management
- Request Timeouts - Configurable timeout handling
Requirements
- Node.js >= 18.0.0
- npm >= 9.0.0
Testing Tools
Verify a BTP destination's service key and token retrieval:
npm run test-destinationSee tools/README.md for the available scripts.
Development Status
✅ Core Features Complete
- ✅ Project Setup & Foundation
- ✅ Request Interception & Analysis
- ✅ JWT Token Management & Proxy Forwarding
- ✅ Configuration & Environment
- ✅ Error Handling & Resilience
- ✅ Testing Tools (
tools/) - ✅ Documentation
🚧 Future Work
- ⏳ Unit Tests
- ⏳ Performance & Optimization
- ⏳ Deployment & Publishing
See ROADMAP.md for details.
License
MIT
Links
- Repository: https://github.com/fr0ster/mcp-abap-adt-proxy
- Issues: https://github.com/fr0ster/mcp-abap-adt-proxy/issues
- Related Packages:
