Model Context Protocol · Pro

Sysflows speaks MCP. Both ways.

MCP, the Model Context Protocol, is the open standard for connecting AI to tools. Sysflows speaks it in both directions: your Anthropic Claude–powered agents and workflows can call your own MCP tools, and external MCP clients like Claude Desktop can connect into Sysflows over a scoped, revocable token. Pro-only, governed at every boundary, off until you turn it on.

Start free See pricing

Three ways MCP works in Sysflows

One open standard, three surfaces. Turn on the ones you want; leave the rest off. All three are Pro-only and route through a single governed boundary.

Agents call out

A trusted AI Agent uses tools on your own MCP server inside the same tool loop it already runs, with the same per-skill trust and AI-tab approvals.

Workflows call out

The MCP tool workflow node makes one deterministic call you configure at design time, no model involved, and returns the result as a variable.

Clients connect in

Point Claude Desktop, or any MCP client, at Sysflows over a scoped Personal Access Token and work with your tickets, lists, forms, and knowledge base.

New to MCP? It's an open protocol that lets an AI model discover and call external tools in a consistent way. You don't need to understand the wire format to use it: in Sysflows you attach a server in Settings, pick which tools an agent or workflow may use, or hand a client a token. The protocol does the rest.

Agents as MCP client

Let a trusted agent use your own tools.

Attach an MCP server to an AI Agent and choose exactly which of its tools the agent may use. The model can then call those tools mid-conversation, look up an order, check stock, create a record in your system, as part of the same reasoning loop that already drafts replies and triages tickets.

It slots into the controls you already know. Each MCP tool is trusted or proposal-gated per agent, just like a native skill. Untrusted tools record a proposal in the ticket's AI tab and run nothing until a human approves. Trusted tools act, and every call is logged.

  • Per-tool trust: auto-apply or queue for human approval
  • The agent only ever sees the tools you selected
  • Write tools default to untrusted; read tools can be trusted
  • Approvals reuse the existing AI-tab surface, full arguments shown
  • A loop ceiling and a monthly call cap bound runaway use

AI Agent · external tool

The agent calls your "inventory" MCP server's check_stock tool for SKU-4471, gets "12 in stock," and drafts a reply, while the write tool that would reserve units waits for an agent to approve.

check_stock · trusted reserve_units · proposed

Workflow MCP node

Call a tool deterministically, no model required.

The non-AI cousin of the agent path. In the workflow designer, drop an MCP tool node, choose a server and a tool, and map your workflow data into its inputs. At run time it makes exactly one call, nothing chooses the server, tool, or arguments but you.

The result comes back as a workflow variable you can branch on, write to a field, or pass to the next step, exactly like the AI action and connector nodes you already use. Because the author fixes everything at design time, the published workflow itself is the authorization, there's no per-call approval dance.

  • Server, tool, and argument mapping fixed at design time
  • Result returns as a variable for branching or field writes
  • A failed call branches to your error path, never silently
  • Same governed egress boundary, audit, and cap as every MCP call

See the workflow designer

Workflow step · MCP tool

On a new "address change" request, the workflow calls your verification server's validate_address tool with the submitted fields, then branches: valid continues to update the case, invalid routes back for review.

validate_address → mcp_result branch on result

Sysflows as MCP server

Connect Claude Desktop straight into Sysflows.

The mirror image: an external AI client connects into Sysflows and works with your data. Create a scoped Personal Access Token in Settings, paste it into Claude Desktop (or any MCP client), and it can search and read your tickets, workflows, lists, forms, and knowledge base, in plain language, without leaving the tool your team already lives in.

The token can never do more than the person it belongs to. Effective access is the intersection of the token's scopes and that user's own permissions, re-checked on every call against your live data. Tokens are stored hashed, shown once at creation, carry an expiry, and can be revoked instantly by their owner or an admin. v1 is read-mostly; writes arrive later behind explicit scopes and the same approval surfaces.

  • Scoped tokens: grant only the data each client should reach
  • Bounded by the human, can't exceed that person's permissions
  • Instant revocation; 90-day default expiry; hashed at rest
  • Served from your own region's cell, every call audited
  • Read-mostly first; writes land as human-confirmed proposals later

API token · Claude Desktop

A support lead's token, scoped to read tickets and the knowledge base, lets them ask Claude Desktop "what's still open for Acme this week?" and get an answer drawn only from tickets they're already allowed to see.

tickets:read kb:read Revocable

Governed at every boundary.

MCP opens a door between your data and outside tools. Sysflows treats that door as the thing to control, and never assumes the other side enforces anything for you.

One audited boundary

Every outbound call, agent or workflow, passes through a single egress layer. It's the only place data leaves, so audit, metering, and the network checks below are enforced once and can't be bypassed.

No internal targets

Outbound servers must be HTTPS, and the boundary resolves each host and refuses any address on a private, loopback, or cloud-metadata range, pinning the connection so it can't be rerouted after the check.

Scoped, revocable tokens

Inbound access is a Personal Access Token bound to one person and tenant, never more than that person can do, hashed at rest, shown once, and revocable instantly by the owner or an admin.

Payload-free audit

Every crossing in either direction writes an audit record, who, which tool, when, and whether it succeeded, without storing the arguments or results. Ticket-scoped calls also land on the ticket's activity log.

Metered by volume

MCP tools run on the remote server and burn no AI tokens, so they never touch your token allowance. Usage is metered by call volume against a monthly cap instead.

Off by default, Pro-only

Nothing crosses any boundary until you enable MCP on a Pro plan, attach a server, and select tools, or mint a token. Writes default to untrusted and route through approvals.

What we can't promise, and say plainly. Once data leaves over MCP, to a third-party server you chose, or to a client reading your data, the receiving system governs it; there's no technical control on the far side. We make the grant deliberate, scoped, capped, and audited, and we surface that clearly when you connect a server or create a token. External MCP destinations sit outside the data-residency guarantee.

Common questions about MCP

What is MCP?

MCP, the Model Context Protocol, is an open standard for connecting AI models to external tools and data in a consistent way. Instead of bespoke integrations, a tool exposes itself over MCP and any MCP-aware AI can discover and call it. Sysflows both calls out to your MCP servers and acts as an MCP server that AI clients can connect into.

Which plans include MCP?

MCP is a Pro feature, all three capabilities (agents calling MCP tools, the workflow MCP node, and the Sysflows MCP server) are available on Pro. It's off by default; you enable the parts you want from Settings.

Does MCP usage count against my AI token allowance?

No. MCP tools execute on the remote server and consume no AI model tokens, so they never draw down your monthly token allowance. MCP is metered separately by call volume against a monthly cap.

Can an external MCP client see more than the person who created the token?

No. A Personal Access Token is bound to one person and tenant, and its effective access is the intersection of the token's scopes and that person's own permissions, re-checked on every call against your live data. A token is always weaker than or equal to the human behind it, and can be revoked instantly.

Can an agent or external client change my data?

Writes are controlled. For agents, MCP write tools default to untrusted: they record a proposal in the ticket's AI tab and do nothing until a human approves. For the Sysflows MCP server, v1 is read-mostly; write tools arrive later behind explicit *:write scopes and route through the same approval surfaces, so an external write lands as a proposal a person confirms, not a silent change.

How do I connect Claude Desktop to Sysflows?

On a Pro plan, open Settings, create an API token with the scopes you want, and copy it once (it's shown only at creation). Sysflows gives you the exact endpoint URL and a ready-to-paste config snippet for Claude Desktop. You can set an expiry and an optional IP allow-list, and revoke the token at any time.

Connect your AI. On your terms.

Start free See pricing

MCP is a Pro feature. Off by default, governed, and yours to switch on.