From OpenAPI to MCP: A Practical Access Layer for AI Clients
Image Source: depositphotos.com
Connecting an AI client to a REST API looks simple until the first real production requirement appears. The client needs to discover operations, understand request schemas, authenticate safely, respect write restrictions, and handle credentials without copying them into every desktop configuration. A thin wrapper around HTTP rarely solves all of those problems.
Model Context Protocol (MCP) provides a standard way for AI clients to discover and call tools. OpenAPI provides a machine-readable description of a REST API. Used together, they can create a practical access layer between an AI client and an existing backend without rebuilding the backend as a collection of bespoke AI integrations.
The important part is not merely converting one format into another. A production design must keep discovery, client identity, access policy, upstream authentication, and backend authorization as separate layers.
Why an OpenAPI document is a useful starting point
An OpenAPI 3.x document describes paths, HTTP methods, parameters, request bodies, response shapes, and authentication requirements. That information gives an MCP implementation enough structure to help an AI client answer several questions before making a request:
- Which endpoint matches the user’s intent?
- Which parameters are required?
- What shape should the request body use?
- Is the operation a read or a write?
- Which credential must be attached upstream?
This is more reliable than asking a model to infer an API from prose documentation. It also reduces the maintenance burden because the tool layer can follow the API’s existing contract instead of duplicating every endpoint definition by hand.
Swagger UI and Redoc pages are often useful entry points, but they are documentation interfaces rather than the specification itself. A gateway may need to locate the underlyingopenapi.jsonoropenapi.yamldocument loaded by the page before it can build a dependable tool surface.
Do not generate hundreds of opaque tools
A common implementation strategy is to expose every API operation as a separate MCP tool. That can work for small APIs, but it becomes difficult to navigate when a specification contains hundreds of paths. Tool names become inconsistent, descriptions consume context, and API changes may force the entire tool inventory to be regenerated.
A schema-aware discovery pattern keeps the MCP surface smaller. For example, turning an OpenAPI 3.x specification into a hosted MCP endpoint with datamcp exposes four tools:
list_api_endpointsto discover available operations;get_endpoint_detailsto inspect one operation;get_api_schemato retrieve schema information;call_endpointto execute an approved request.
This sequence encourages the client to discover first and execute second. It also provides a stable MCP contract while the connected API evolves behind its OpenAPI description.
Keep the two authentication boundaries separate
An OpenAPI-to-MCP gateway sits between two different trust boundaries, and each one requires its own authentication decision.
AI client to MCP
The first boundary identifies the client that is calling the MCP endpoint. A remote MCP service may use an API key or an OAuth flow such as OAuth 2.0 with PKCE. This credential should represent access to the MCP link, not direct access to the backend API.
MCP gateway to the upstream API
The second boundary authenticates the gateway to the REST API. Depending on the connected API, this may be an API key in a header, query parameter, or cookie; a pre-issued Bearer token; HTTP Basic authentication; or another required custom header.
These credentials should not be confused. OAuth used by the AI client does not automatically perform an upstream OAuth authorization flow, obtain a backend token, or refresh that token. If the upstream API uses a Bearer token, the gateway still needs a valid pre-issued credential unless it explicitly implements the upstream authorization lifecycle.
Keeping these boundaries separate makes rotation and revocation clearer. A team can revoke one MCP link without immediately changing the backend credential, or rotate the upstream credential without updating every AI client.
Method restrictions are useful, but they are not authorization
A practical gateway should allow operators to narrow which HTTP methods an MCP link may call. A read-only policy can permitGETandHEADwhile blockingPOST,PUT,PATCH, andDELETE. Individual operations can also be hidden from discovery when they should not be available to a particular client.
However, a method gate is only one control. It does not prove that everyGETrequest is harmless. Some legacy APIs perform side effects through reads, and many legitimate read endpoints return sensitive information. The upstream API must continue to enforce its own identity, scopes, tenant boundaries, and resource-level authorization.
A useful way to think about the layers is:
- Client authentication establishes who may use the MCP endpoint.
- MCP link policy narrows which operations that link may request.
- Upstream credentials establish the gateway’s identity to the API.
- Backend authorization determines which resources the effective credential may access.
No gateway policy should be used as a reason to give the upstream credential broader permissions than necessary.
Hosted and local MCP have different operational costs
A local MCP server can be a good choice for development, a personal workflow, or an API that must remain reachable only from one machine. The operator controls the runtime and can inspect everything directly.
The trade-off appears when several clients, teammates, or environments need the same integration. Someone must keep the process running, distribute configuration, rotate secrets, update dependencies, maintain transport compatibility, and revoke old access. Those responsibilities are manageable, but they are not free.
A hosted MCP gateway centralizes the remote HTTPS endpoint, client authentication, link policy, credential storage, and revocation. For supported OpenAPI connections, datamcp keeps the upstream connection credential on the service side and encrypts stored credentials at rest with AES-256-GCM.
This does not make a hosted gateway automatically appropriate for every system. Teams with strict on-premise requirements, private network dependencies, or a mandatory self-hosted control plane should operate their own gateway and account for the ongoing maintenance work.
A deployment checklist for OpenAPI-to-MCP access
Before connecting an AI client to a production API, verify the complete path rather than testing only one successful request.
- Validate the specification. Confirm that the OpenAPI document is current and that operation IDs, parameters, and schemas describe the real API.
- Start with a narrow credential. Create an upstream API credential with the minimum backend permissions required for the use case.
- Separate environments. Do not reuse production credentials for development experiments.
- Apply a method gate. Begin with read-only access where possible, then enable writes deliberately.
- Hide unnecessary operations. Reducing the discovery surface lowers the chance of an irrelevant or dangerous call.
- Test denied requests. Verify that blocked methods and unauthorized backend resources fail as expected.
- Plan revocation. Know how to disable one MCP link and how to rotate the upstream credential independently.
- Review API semantics. Confirm that allowed reads do not trigger side effects or expose data the client should not receive.
Build an access layer, not just a protocol adapter
OpenAPI and MCP complement each other well. OpenAPI describes an existing REST contract, while MCP gives AI clients a standard discovery and execution interface. The production value comes from the controls between them: stable schema-aware tools, separate authentication boundaries, narrow method policies, isolated credentials, and revocable client access.
That architecture lets teams reuse APIs they already operate instead of creating another parallel integration surface for every AI client. More importantly, it keeps the backend’s authorization model in charge while giving clients enough structured context to choose and call the right operation.