If your SaaS product has a REST API but no MCP server, AI agents can’t find you. They can’t act on your data, trigger your workflows, or route tasks through your product — not without someone writing a custom integration from scratch every single time. In 2026, that’s a distribution problem disguised as a technical one.
This guide shows you exactly how to build an MCP server for your SaaS product — from designing your tool surface to securing multi-tenant access to getting listed in the registries where AI agents look. You’ll walk away with a concrete implementation plan, not another overview of what MCP is.
Why SaaS Teams Can’t Afford to Wait on MCP — The 2026 Urgency Case
MCP reached 97 million monthly SDK downloads by March 2026, crossing that threshold in 16 months — faster than React’s adoption curve, which took roughly three years to reach the same milestone. Server downloads surged from 100,000 in November 2024 to over 8 million by April 2025 — an 8,000% increase in six months.
Forrester predicts 30% of enterprise app vendors will ship their own MCP servers this year. Gartner projects 75% of API gateway vendors will add MCP features by 2026. In December 2025, Anthropic donated the protocol to the Linux Foundation’s Agentic AI Foundation, co-founded with OpenAI, Block, Google, Microsoft, AWS, and Cloudflare. This is no longer a fringe experiment.
The first-mover window is real but finite. Stripe, HubSpot, and Amazon Ads already have MCP servers in production. When an AI agent needs to send an invoice or look up a deal, it reaches for the tool that’s already registered and tested — not the one that requires a custom integration someone hasn’t written yet. Every month you wait, the default list gets longer without you on it.
Consumer vs. Publisher — The Distinction Most MCP Articles Get Wrong
Search for “MCP tutorial” and you’ll find hundreds of guides explaining how to connect Claude Desktop to an existing server. Those guides are for consumers — developers who want their AI client to talk to someone else’s server. That’s not what you need.
You need to be the publisher.
A consumer configures an MCP client to call a server that already exists. A publisher operates the server — you define the tools, expose the data, and decide what AI agents can do inside your product. Your server is what other people’s agents connect to.
The distinction matters because the architecture, security model, and business considerations are completely different. A consumer worries about rate limits and API keys. A publisher worries about tenant isolation, data scoping, OAuth flows, and registry discoverability. Almost no existing tutorial addresses this side of the equation — which is exactly the gap this guide fills.
Design Your MCP Server Surface Area Before Writing a Line of Code
The Model Context Protocol gives you three primitives:
- Tools — actions an agent can invoke that change state or trigger side effects. Think of these as your POST/PUT/DELETE endpoints wrapped in MCP.
- Resources — read-only context the agent can pull to inform its reasoning. Think GET endpoints, database views, or document stores.
- Prompts — reusable templates that package a specific task pattern, combining tools and resources into a guided workflow.
The practical rule of thumb: if an action does something, it’s a Tool. If it returns data for reasoning, it’s a Resource. If it packages a repeatable workflow, it’s a Prompt.
Real SaaS examples
| Your existing endpoint | MCP primitive | Why |
|---|---|---|
POST /invoices |
Tool | Creates state — an invoice is issued |
GET /invoices?tenant=acme |
Resource | Read-only context for agent reasoning |
GET /arr-summary?segment=enterprise |
Prompt | Packages multiple reads into a workflow |
DELETE /subscription/:id |
Tool | Destructive action — must be explicitly invoked |
GET /customers |
Resource | Context only, no side effects |
Spend time on this mapping exercise before opening your IDE. A surface area that’s too broad creates a security audit nightmare. Too narrow and agents won’t find your server useful enough to include in their workflows.
A good starting point for most SaaS products: 5–10 Tools covering your core write operations, 3–5 Resources covering the read queries agents need most, and 1–3 Prompts packaging your most common agent-assisted workflows.
Build Your First MCP Server — Python vs. TypeScript SDK
Once your surface area is designed, the actual code is surprisingly compact. Here’s what a minimal working server looks like in both major SDKs.
Python with FastMCP
FastMCP is the fastest path from zero to a working server. A single decorator turns a Python function into an MCP tool:
from fastmcp import FastMCP
mcp = FastMCP("invoicing-service")
@mcp.tool()
def create_invoice(tenant_id: str, customer_id: str, amount: float) -> dict:
"""Create a new invoice for a customer."""
# Your existing business logic here
return {"invoice_id": "inv_123", "status": "created"}
@mcp.resource("invoices://{tenant_id}/all")
def list_invoices(tenant_id: str) -> list:
"""Return all invoices for a tenant."""
return fetch_invoices_from_db(tenant_id)
if __name__ == "__main__":
mcp.run(transport="streamable-http", host="0.0.0.0", port=8000)
For rapid prototyping or internal tooling, FastMCP gets you to a working demo in an afternoon.
TypeScript with @modelcontextprotocol/sdk
For production SaaS where you need type safety and long-term maintainability, the official TypeScript SDK is the right call:
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
import { z } from "zod";
const server = new McpServer({ name: "invoicing-service", version: "1.0.0" });
server.tool(
"create_invoice",
{ tenant_id: z.string(), customer_id: z.string(), amount: z.number() },
async ({ tenant_id, customer_id, amount }) => {
const invoice = await createInvoice(tenant_id, customer_id, amount);
return { content: [{ type: "text", text: JSON.stringify(invoice) }] };
}
);
const transport = new StreamableHTTPServerTransport({ port: 8000 });
await server.connect(transport);
Notice both examples use Streamable HTTP transport — not SSE. The June 2025 spec revision deprecated HTTP+SSE for remote servers. If you’re building anything that handles multiple users or runs remotely, Streamable HTTP is the only correct choice for new projects. Tutorials still showing SSE are teaching you a pattern you’ll have to rip out.
Test locally with MCP Inspector
Before deploying anything, run MCP Inspector against your local server:
npx @modelcontextprotocol/inspector http://localhost:8000/mcp
Inspector gives you a visual interface to call tools, inspect resources, and validate your schema. Catch problems here, not in production.
Multi-Tenant Security Is Not Optional — Architecture for Production SaaS
This is where most MCP tutorials leave you stranded, and where real-world incidents have already occurred.
Asana’s MCP layer had a tenant isolation flaw that affected up to 1,000 enterprises in a single documented incident. A separate class of prompt injection attacks — where malicious content in user-generated data like support tickets manipulates the agent into exposing data from other tenants — has exposed private database tables in production cases.
43% of analyzed MCP servers are currently vulnerable to command injection attacks. That’s not theoretical — it’s the current state of the ecosystem.
Here’s the security architecture every production SaaS MCP server requires:
OAuth 2.1 with PKCE — non-negotiable for remote servers
The 2025-03-26 MCP spec mandates OAuth 2.1 with PKCE for any remote server. Every tool call must arrive with a token that encodes both tenant identity and the user’s role. Your server must validate this token before executing any operation.
Do not fall back to static API keys for remote deployments. They can’t carry tenant context, they can’t be scoped to specific tools, and they create a compliance liability.
Tenant and role context on every tool call
Every tool handler needs to extract and validate tenant context before touching your database:
server.tool("list_invoices", { ... }, async (args, context) => {
const { tenant_id, role } = validateToken(context.authToken);
if (role !== "billing_admin") {
throw new Error("Insufficient permissions");
}
// Now safe to query — scoped to the validated tenant only
return await db.invoices.findAll({ where: { tenant_id } });
});
Never trust tenant IDs passed as tool arguments. Derive them from the validated auth token only.
Input validation and structured logging
Sanitize every input — agents can pass unexpected values, and prompt injection through tool arguments is a real attack vector. Use strict schema validation (Zod in TypeScript, Pydantic in Python) on all inputs.
Instrument every tool call with structured logs: tenant ID, tool name, input schema (not raw values), duration, and outcome. OpenTelemetry works well here and keeps you compatible with your existing observability stack.
Deploy and Host Your MCP Server
The infrastructure story for MCP servers is genuinely good news: a server handling 10,000 daily requests costs $0–$50/month depending on your platform. You don’t need a dedicated server farm.
Platform decision matrix
| Platform | Best for | Cold start | Cost at 10K req/day |
|---|---|---|---|
| Cloudflare Workers | Global edge latency, stateless tools | ~0ms | Free–$5/month |
| Vercel Functions | Teams already on Next.js/Vercel | ~200ms | Free–$20/month |
| Google Cloud Run | Stateful workloads, existing GCP | ~1–3s | $10–$50/month |
| Docker + VPS | Full control, existing infra | None | $5–$20/month |
Cloudflare Workers is the default recommendation for new greenfield MCP servers. Zero cold start, global distribution, and the free tier handles meaningful traffic. If your server needs persistent database connections or session state, Cloud Run gives you container-level flexibility.
Remote MCP server deployment grew 400% since May 2025, and 80% of the most searched-for MCP servers now offer Streamable HTTP options rather than local-only stdio. If you’re building for external users, a remote deployment is the expectation — not the exception.
Get Discovered — Publishing to the MCP Registry, Smithery, and mcp.so
Building the server is only half the work. If agents can’t find it, it doesn’t exist.
There are three registries worth targeting:
Official MCP Registry (backed by Anthropic, GitHub, and PulseMCP) — The canonical source. List here first. Submit via pull request to the registry repository with your server metadata: name, description, transport URL, supported tools, and authentication requirements.
Smithery (7,000+ servers) — Smithery provides a discovery layer with quality ratings and usage metrics. Publish your npm package or Docker image first, then submit via their web form. Agents using Smithery-powered clients will automatically discover your server.
mcp.so (19,600+ servers) — The largest MCP marketplace by server count. Submit through their web interface with your GitHub repo URL and server metadata.
Metadata that gets your server discovered
Agents use your server description and tool schemas to decide whether to invoke your server for a given task. Write tool descriptions as if you’re writing a docstring for an AI reader:
server.tool(
"create_invoice",
"Creates a new invoice and sends it to the specified customer. " +
"Use this when a user asks to bill a customer, issue an invoice, " +
"or charge for services rendered.",
{ ... }
)
Include domain-specific terms. An agent helping with “billing workflows” needs to match your tools to that intent. Vague descriptions lose to specific ones that name the workflow context.
For distribution: TypeScript servers go to npm (npm publish), Python servers go to PyPI (poetry publish), and either can ship a Docker image to Docker Hub or GitHub Container Registry for self-hosted deployments.
Turn MCP Into a Business Moat — Monetization and Competitive Strategy
Here’s the business argument almost no one is making yet: MCP doesn’t only make your product more accessible to AI agents — it creates a new pricing and distribution surface.
Usage-based billing tiers mapped to MCP primitives
MCP’s tool-call granularity maps cleanly onto three monetization tiers:
- View tier — Read-only Resource access. Basic plan customers can give agents context from your product, but agents can’t take action.
- Operate tier — Tool access for standard operations. Mid-tier customers unlock agent-driven workflows.
- Automate tier — Full Tool + Prompt access with higher rate limits. Enterprise customers get autonomous agent workflows.
Each tier maps to a set of MCP primitives you enable for that customer’s token scope. This extends your existing OAuth scopes with MCP-specific permissions — no new pricing infrastructure required.
The compounding distribution advantage
Stripe and HubSpot didn’t ship MCP servers as a technical curiosity. They shipped them because every AI agent workflow that uses Stripe for payments or HubSpot for CRM reinforces their position as the default. When a developer builds an AI-native product and reaches for an API, they reach for the one their agent already knows how to call.
“Write once, distribute everywhere” — a single MCP server makes your product callable from Claude, Cursor, and any agent built on LangChain, CrewAI, or a custom SDK. The integration you build once keeps compounding.
Integrating MCP cuts integration costs by an average of 30%, reducing the combinatorial N×M custom pipeline problem to N+M standardized connections. That’s a cost argument for your CFO and a distribution argument for your growth team in the same conversation.
The 10,000+ active public MCP servers today represent both the opportunity — the ecosystem is large enough to matter — and the urgency — the default list is forming now. Teams that ship in the next two quarters will be the reference implementations that agents reach for by default. The decision to build an MCP server for your SaaS product isn’t a roadmap debate anymore. It’s a distribution strategy.
Start with your five most-called API endpoints. Map them to Tools. Secure them with OAuth 2.1. Deploy to Cloudflare Workers. List on the official registry. That’s a full week of work — and it puts your product on the map for every AI agent workflow built this year.