SAP API Hub MCP Server

TypeScript MCP server for read-only SAP Business Accelerator Hub catalog access.

The server logs in to api.sap.com through Playwright, caches browser cookies, then exposes MCP tools for catalog categories, search, metadata, resources, specs, and packages. Authentication can use SAP username/password or SAP Passport/PFX certificate auth. In AUTH_METHOD=auto, username/password is preferred when both password and PFX are configured, matching mcp-sap-notes. The browser is used only to authenticate and collect SAP session cookies; all API Hub data retrieval uses HTTP catalog/spec endpoints.

Important Warning

This project is unofficial and is not endorsed by SAP. It uses authenticated SAP Business Accelerator Hub web/catalog endpoints and browser session cookies in ways that may be restricted by SAP terms of service, SAP account terms, or your organization's policies. Publishing, installing, or using this package does not grant permission to automate SAP services.

Use this MCP server only at your own risk. You are responsible for checking whether this usage is allowed for your SAP account, tenant, data, and jurisdiction. Do not use it for production, broad distribution, or shared access unless you have explicit approval.

Install From npm

npm install -g sap-api-hub-mcp
npx playwright install chromium

Copy the example env file to a path outside node_modules (for example ~/.sap-mcp/sap-api-hub.env) and point the MCP client at it with ENV_FILE.

Setup (development)

npm install
npx playwright install chromium
cp env.example .env

Fill .env:

SAP_USERNAME=your-user
SAP_PASSWORD=your-password
AUTH_METHOD=auto

Optional SAP Passport/PFX fallback:

PFX_PATH=/absolute/path/to/sap-passport.pfx
PFX_PASSPHRASE=your-passphrase

AUTH_METHOD=auto chooses auth in this order:

1. SAP_USERNAME + SAP_PASSWORD
2. PFX_PATH + PFX_PASSPHRASE

Set AUTH_METHOD=password or AUTH_METHOD=certificate to force one path.

The default is headless browser login (HEADFUL=false). If SAP requires MFA or manual login, set:

HEADFUL=true

The cookie cache is stored in api-hub-token-cache.json in the server working directory and expires after MAX_COOKIE_AGE_H hours.

API Hub auth first opens the shared SAP login start URL (SAP_LOGIN_URL, default https://me.sap.com/home) to establish SAP SSO, then opens api.sap.com to mint API Hub-specific cookies. Set SAP_SSO_STORAGE_STATE, for example ~/.sap-mcp/sso-storage-state.json, if you want SAP MCP servers to reuse the same accounts.sap.com browser SSO cookies. Each app still keeps its own app-specific token cache.

For installed/package usage you can point the server at an explicit env file and token cache path:

ENV_FILE=/absolute/path/to/.env
API_HUB_TOKEN_CACHE_FILE=/absolute/path/to/api-hub-token-cache.json

Browser And API Boundary

• Browser automation is limited to src/auth.ts, where Playwright opens SAP login and collects cookies. It runs headless unless HEADFUL=true.
• API Hub tools do not scrape pages or inspect DOM content.
• API Hub data comes from HTTP calls in src/api-hub-client.ts, including /api/1.0/containergroup/ContentTypes, /api/1.0/searchservice, /odata/1.0/catalog.svc/..., and $value spec endpoints.

Build

npm run build

Run

Local stdio mode, for desktop MCP clients:

npm run serve:stdio

Streamable HTTP mode:

MCP_TRANSPORT=streamable-http MCP_PORT=3001 npm run serve:http

Default HTTP endpoint:

http://127.0.0.1:3001/mcp

Config knobs:

MCP_TRANSPORT=stdio          # stdio | streamable-http
MCP_HOST=127.0.0.1
MCP_PORT=3001
MCP_HTTP_PATH=/mcp

Stdio MCP client config (global npm install):

{
  "mcpServers": {
    "sap-api-hub": {
      "command": "sap-api-hub-mcp",
      "env": {
        "ENV_FILE": "/absolute/path/to/sap-api-hub.env",
        "API_HUB_TOKEN_CACHE_FILE": "/absolute/path/to/api-hub-token-cache.json"
      }
    }
  }
}

Local development (repo checkout):

{
  "mcpServers": {
    "sap-api-hub": {
      "command": "node",
      "args": ["/absolute/path/to/sap-api-hub-mcp/dist/mcp-server.js"],
      "env": {
        "ENV_FILE": "/absolute/path/to/.env"
      }
    }
  }
}

Streamable HTTP MCP client config:

{
  "mcpServers": {
    "sap-api-hub": {
      "url": "http://127.0.0.1:3001/mcp"
    }
  }
}

Tools

• categories - list API Hub content categories and counts.
• search - search catalog artifacts, optionally constrained by category or artifact type.
• fetch - fetch normalized metadata for APIs, Events, CDS Views, generic artifacts, or packages.
• resources - summarize API paths, Event channels, CDS fields, or generic artifact sections.
• spec - return full OpenAPI, AsyncAPI, EDMX, CDS JSON, or raw artifact values on explicit request.
• package - fetch package metadata, docs, and artifacts grouped by type/subtype.

Safety Boundaries

• This server is read-only.
• It does not call business or sandbox API endpoints.
• It does not retrieve or expose the user's SAP API key.
• Full specifications are returned only by the explicit spec tool.

Publishing Safety

Before publishing or sharing a package, run:

npm run publish:check

The npm package is allowlisted to built code, this README, env.example, LICENSE, and package.json. Never publish .env, token cache files, Playwright traces, screenshots, or generated customer-specific exports.

See PUBLISHING.md for the full npmjs release checklist.

Examples

Search APIs:

{
  "q": "sales order",
  "categoryKey": "API",
  "artifactType": "API",
  "top": 5
}

Fetch API overview:

{
  "id": "salesorder",
  "kind": "api"
}

Get API resources:

{
  "id": "salesorder",
  "kind": "api"
}

Get OpenAPI JSON:

{
  "id": "salesorder",
  "kind": "api",
  "format": "json"
}