OPEN STANDARDJSON-RPC 2.0 TRANSPORTENTERPRISE-HARDENED

The protocol that makes AI agents enterprise-ready.

MCP is the universal handshake between AI agents and your business tools. OHY LABS builds production MCP infrastructure — secured, audited, and observable — so your agents can act with confidence on real data.

One spec.
Every tool.
No glue code.

The Model Context Protocol is an open standard — originally published by Anthropic — that gives AI agents a structured, secure way to call external tools and read data. Think of it as HTTP for AI: a universal request/response contract that any agent and any tool can speak.

Without MCP, every AI integration is a bespoke engineering project: custom APIs, hand-rolled auth, brittle prompt-injection hacks. With MCP, you build one server per tool and every agent that speaks the protocol can use it immediately — with zero additional work.

Transport
JSON-RPC 2.0 over HTTP/SSE or stdio
Auth
OAuth 2.1 with fine-grained scopes
Primitives
Tools · Resources · Prompts · Sampling
Discovery
ListTools, ListResources at runtime
// PROTOCOL MESSAGE FLOW
01
DiscoveryJSON-RPC 2.0

Client calls ListTools — server returns its capability manifest. No polling, no config files.

02
AuthorisationOAuth 2.1

Gateway validates the agent's JWT, checks RBAC policy, and issues a scoped session token.

03
InvocationTool Call

Agent sends CallTool with typed arguments. Gateway routes to the correct MCP server.

04
ExecutionStreaming

MCP server executes against the live data source and streams the result back via content blocks.

05
AuditAppend-only

Gateway writes an immutable audit record: input, output, agent identity, latency, region.

The full production stack, end to end.

Four layers. Strict separation of concerns. Every boundary enforced by the gateway — not the agent.

LAYER 1 — AI AGENTS
Layla
Sales
Zain
Support
Noor
Marketing
Alex
Operations
Sara
Strategy
LAYER 2 — MCP AI GATEWAY
MCP AI GATEWAY
OAuth 2.1 AuthRBAC PoliciesRate LimitingContext RouterAudit LoggerTLS Termination
LAYER 3 — MCP SERVERS (per integration)
CRM
Salesforce
Database
PostgreSQL
Documents
Notion / Confluence
Calendar
Google / Outlook
Helpdesk
Zendesk
Custom
Your APIs
LAYER 4 — BUSINESS TOOLS (your existing stack — zero rewrites)
SalesforceHubSpotPostgreSQLMongoDBNotionConfluenceGoogle WorkspaceJiraZendeskSlackCustom REST APIsWebhooks

Production-grade, not a demo.

We use the official @modelcontextprotocol/sdk from Anthropic — the same SDK that powers Claude. Our servers are fully typed, tested against Claude, GPT-4o, and Gemini, and deployed with zero-downtime rolling updates.

Full TypeScript with strict mode
Comprehensive error handling & retries
OpenTelemetry tracing built in
Compatible with Claude, GPT-4o, Gemini
Health endpoints & Prometheus metrics
Docker + Kubernetes manifests included
ohy-crm-server/index.tsMCP
// ohy-crm-mcp-server/index.ts
import { Server } from "@modelcontextprotocol/sdk/server/index.js"
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"

const server = new Server(
  { name: "ohy-crm-server", version: "1.0.0" },
  { capabilities: { tools: {} } }
)

server.setRequestHandler(ListToolsRequestSchema, async () => ({
  tools: [
    {
      name: "get_lead",
      description: "Retrieve a qualified lead from the CRM pipeline",
      inputSchema: {
        type: "object",
        required: ["leadId"],
        properties: {
          leadId:        { type: "string", description: "CRM lead identifier" },
          includeHistory:{ type: "boolean", default: false },
        },
      },
    },
    {
      name: "update_deal_stage",
      description: "Move a deal to a new pipeline stage with audit trail",
      inputSchema: {
        type: "object",
        required: ["dealId", "stage"],
        properties: {
          dealId: { type: "string" },
          stage:  { type: "string", enum: ["prospecting", "qualified", "proposal", "closed_won"] },
          note:   { type: "string" },
        },
      },
    },
  ],
}))

server.setRequestHandler(CallToolRequestSchema, async (req) => {
  const { name, arguments: args } = req.params

  if (name === "get_lead") {
    const lead = await crm.getLead(args.leadId, { history: args.includeHistory })
    return { content: [{ type: "text", text: JSON.stringify(lead, null, 2) }] }
  }

  if (name === "update_deal_stage") {
    await crm.moveDeal(args.dealId, args.stage, args.note)
    await auditLog.record({ action: "deal.stage_update", ...args, agent: "layla" })
    return { content: [{ type: "text", text: "Deal updated successfully" }] }
  }
})

const transport = new StdioServerTransport()
await server.connect(transport)

Zero-trust. Immutable. Auditable.

Every layer of the stack is secured independently. Compromise one component and the damage is contained — by design, not by hope.

OAuth 2.1 + PKCE

Every MCP call carries a short-lived JWT scoped to exactly the tools the agent is allowed to invoke. No over-permissioned service accounts.

mTLS Transport

All MCP traffic — including inter-server communication — is encrypted with mutual TLS. Certificates are rotated automatically every 30 days.

Fine-Grained RBAC

Role-based policies define exactly which tools each agent can call, on which data, under which conditions. Enforced at the gateway — not the agent.

Immutable Audit Log

Every tool call — input, output, agent identity, timestamp, latency — is written to an append-only log. Retained for 90 days. Exportable for compliance.

Context Isolation

Each agent session gets an isolated context window. Cross-session data leakage is architecturally impossible — agents cannot read each other's context.

Kill Switch & Rollback

Any agent or tool connection can be suspended in under 200ms — without a deployment. Full rollback of agent-written data within the retention window.

Right topology for your scale.

We deploy the pattern that matches your security posture, team size, and traffic volume. All three support hot-reload, zero-downtime updates, and full observability.

// GATEWAY PATTERN
AgentsGatewayMCP ServersTools

Gateway Pattern

All agents connect through a central MCP gateway that handles auth, rate-limiting, routing, and audit logging. No agent talks directly to a tool server.

Best forMulti-agent deployments, regulated industries, any production workload.
Latency< 40ms
ComplexityMedium
IsolationFull RBAC + mTLS
Build this pattern

Numbers that matter in production.

Our MCP infrastructure is deployed on bare-metal in 3 regions. Gateway nodes auto-scale on demand. All metrics below are contractual SLAs, not marketing estimates — reported monthly to every client.

<40ms
Avg MCP call latency
gateway pattern, same region
99.99%
Gateway uptime SLA
measured over trailing 90 days
10K/s
Tool calls / second
per gateway node, horizontally scaled
< 200ms
Agent kill switch
suspend any agent in production

Meets your security team's checklist.

Our MCP infrastructure is audited, certified, and ready for procurement — including vendors that require SOC 2 attestation before any data flows.

🔒SOC 2 Type II
📋ISO 27001
🇪🇺GDPR
🏛️CCPA
🏥HIPAA-Ready
💳PCI-DSS L3
Data Residency
Choose EU, US, or MENA hosting
Data never crosses region boundaries
Encryption at rest (AES-256)
Key rotation every 90 days
Access Controls
SSO / SAML 2.0 integration
MFA enforced on admin plane
Just-in-time access for humans
Zero standing privileges
Incident Response
< 1h detection SLA
4h containment SLA
24h root-cause report
Bug bounty programme active
/.well-known/mcp.json
LIVE

This site is MCP-discoverable.

OHY LABS publishes a machine-readable MCP manifest at the IANA well-known URI. Any AI agent that speaks MCP can discover our capabilities — from booking a strategy call to querying our agent catalog — without reading a single line of documentation.

View manifest

Is your stack MCP-ready? Let's find out.

Book a 45-minute call with our engineering team. We'll review your tools, score your MCP readiness, and deliver a step-by-step integration plan — free.