Role-based MCP access layer between AI assistants and business SaaS tools. Full product analysis, architecture diagrams, and competitive positioning.
Connek is the permission layer between business data and AI assistants.
Businesses use 5-20 SaaS tools. AI assistants can't access any of them. The current workaround is manual exports, copy-pasting, and one-off API integrations. It's messy, insecure, and doesn't scale.
Connek solves this in three steps:
Sarah in finance adds her MCP URL to Claude. She asks "What's our outstanding invoice total?" Claude calls Connek's MCP, Connek checks Sarah has Xero read access, pulls the data, returns the answer. No CSV exports. No copy-paste.
┌──────────────────┐ ┌──────────────────────┐
│ BUSINESS ADMIN │ │ AI ASSISTANTS │
│ │ │ │
│ * Connects APIs │──① Connect APIs──────────────────▶ │ ┌────────────────┐ │
│ * Creates Roles │ │ │ Claude │ │
│ * Manages Users │◀─④ Issues MCP URLs───────────────── │ │ ChatGPT │ │
│ * Sets Rules │ │ │ Gemini │ │
└──────────────────┘ │ └────────────────┘ │
│ └──────────────────────┘
│ ② Create Roles │
▼ │ ⑤ Query data
┌──────────────────┐ │ via MCP
│ CONNEK │◀──────────────────────────────────────────────┘
│ │
│ ┌────────────┐ │
│ │ Permission │ │
│ │ + Access │ │
│ │ Layer │ │
│ └────────────┘ │
│ │
│ ③ Assign users │
│ + tokens │
└──────────────────┘
│
│ ⑥ Fetch data (scoped by role)
▼
┌──────────────────────────────────────────────────────────────────────────────────┐
│ SaaS TOOLS │
│ │
│ ┌────────┐ ┌────────────┐ ┌──────────┐ ┌─────┐ ┌───────────┐ ┌────────┐ │
│ │ Xero │ │ Google Ads │ │ Meta Ads │ │ GA4 │ │ Search │ │ClickUp │ │
│ └────────┘ └────────────┘ └──────────┘ └─────┘ │ Console │ └────────┘ │
│ └───────────┘ │
└──────────────────────────────────────────────────────────────────────────────────┘
Full technical topology from AI client to external SaaS, with Connek's internal request pipeline and supporting infrastructure.
Tech stack: TypeScript (strict), Hono (HTTP framework), Supabase (Postgres 15 + RLS + Auth), AES-256-GCM credential encryption, LRU caching, Zod validation, Stripe billing, Resend email, vitest testing.
┌──────────────────────────────────────────────────────────────────────────────┐
│ AI CLIENTS │
│ ┌────────────────┐ ┌───────────┐ ┌──────────┐ ┌──────────────────────┐ │
│ │ Claude Desktop │ │ ChatGPT │ │ Gemini │ │ Custom MCP Clients │ │
│ └────────────────┘ └───────────┘ └──────────┘ └──────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
│ │
│ HTTP POST/GET /mcp/<user-token> │
▼ ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ CONNEK MCP SERVER (Hono, port 3001) │
│ │
│ REQUEST PIPELINE │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ ┌───────────────┐ │
│ │ Rate Limiter │──▶│ Auth │──▶│ MCP Router │──▶│ Permission │ │
│ │ 60 req/min │ │ Middleware │ │ (JSON-RPC) │ │ Guard │ │
│ └──────────────┘ └──────────────┘ └────────────┘ └───────────────┘ │
│ │ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │ │
│ │ Sync Logger │◀──│ Connector │◀──│ Credential │◀─────────┘ │
│ │ (async audit)│ │ (API calls) │ │ Service │ │
│ └──────────────┘ └──────────────┘ └────────────┘ │
│ │
│ REST API /api/v1 (for Next.js dashboard) │
│ Org mgmt │ User mgmt │ Role mgmt │ OAuth callbacks │ Tokens │ Sync logs │
└──────────────────────────────────────────────────────────────────────────────┘
│ │ │
▼ ▼ ▼
┌───────────────┐ ┌──────────────────────┐ ┌──────────────────────────┐
│ SUPABASE │ │ NEXT.JS DASHBOARD │ │ EXTERNAL SaaS APIs │
│ │ │ │ │ │
│ Postgres 15 │ │ * Sources │ │ Xero │
│ Row-Level │◀──▶│ * Users │ │ Google Ads │
│ Security │ │ * Access Rules │ │ Meta Ads │
│ │ │ * Sync │ │ GA4 │
│ credentials │ │ * Billing │ │ Search Console │
│ users │ │ * Developers │ │ ClickUp │
│ roles │ │ │ │ │
│ access_rules │ └──────────────────────┘ └──────────────────────────┘
│ sync_logs │
│ user_tokens │
└───────────────┘
┌─────────────────────────────────┐
│ AI CLIENT │
│ POST /mcp/<token> │
│ { method: "tools/call", │
│ params: { name, arguments }} │
└─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ① RATE LIMITER │
│ 60 requests / min per token │
│ ──▶ 429 Too Many Requests if exceeded │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ② AUTH MIDDLEWARE │
│ Validate token format (64 hex chars) │
│ ──▶ LRU cache check (60s TTL) or DB lookup │
│ ──▶ user_tokens JOIN users JOIN organizations │
│ ──▶ Check: active? not revoked? not expired? │
│ ──▶ Set context: { tokenId, userId, orgId } │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ③ MCP ROUTER │
│ Parse JSON-RPC envelope (jsonrpc, method, id) │
│ ──▶ Route to method handler │
│ initialize | tools/list | tools/call │
│ ──▶ Extract tool name + arguments │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ④ PERMISSION GUARD │
│ getProviderForTool("xero_get_invoices") ──▶ "xero" │
│ ──▶ getUserRole(userId, orgId) │
│ ──▶ getAccessRule(roleId, integrationId) │
│ ──▶ Check: tool in allowed_tools list? │
│ ──▶ MCP isError response if denied │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ⑤ CREDENTIAL SERVICE │
│ Check LRU cache (4 min TTL) │
│ │ cache miss │
│ Fetch from Supabase ──▶ decrypt AES-256-GCM │
│ │ if expiring within 5 min │
│ Auto-refresh via provider OAuth ──▶ re-encrypt │
│ ──▶ save to DB ──▶ update cache │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ⑥ INTEGRATION CONNECTOR │
│ Validate arguments with Zod schema │
│ ──▶ Call external API with decrypted token │
│ ──▶ Handle errors: 401 (re-auth), 429, 5xx │
│ ──▶ Format response as MCP content array │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ ⑦ SYNC LOGGER (async, non-blocking) │
│ INSERT INTO sync_logs: │
│ { user, tool, timestamp, status, duration_ms } │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────┐
│ AI CLIENT │
│ ◀── JSON-RPC result │
│ { content: [...tool output] } │
└─────────────────────────────────┘
┌──────────────────────────────────────┐
│ ORGANISATION │
│ e.g. "Acme Corp" │
└──────────────────────────────────────┘
│ │
has many has many
│ │
▼ ▼
┌──────────────────┐ ┌──────────────────────────────────┐
│ USERS │ │ ROLES │
│ │ │ │
│ Sarah │ │ Finance │
│ James │ │ Marketing │
│ Tom │ │ Admin │
└──────────────────┘ └──────────────────────────────────┘
│ │
assigned to has many
│ │
▼ ▼
┌──────────────┐ ┌────────────────────────────────────┐
│ TOKEN │ │ ACCESS RULES │
│ (MCP URL) │ │ │
│ │ │ Rule 1: Finance + Xero │
│ Per-user │ │ allowed: [get_invoices, │
│ unique │ │ get_contacts, │
│ endpoint │ │ get_accounts] │
└──────────────┘ │ │
│ Rule 2: Marketing + Google Ads │
│ allowed: [get_campaigns, │
│ get_ad_performance] │
│ │
│ Rule 3: Marketing + Meta Ads │
│ allowed: [get_campaigns, │
│ get_ad_sets] │
└────────────────────────────────────┘
RESOLUTION CHAIN:
Token ──▶ User ──▶ Role ──▶ Access Rules ──▶ Allowed Tools
EXAMPLE:
Sarah (Finance) asks for invoices ──▶ xero_get_invoices ✅ Allowed
James (Marketing) asks for invoices ──▶ xero_get_invoices ❌ Denied
① INITIAL CONNECTION (one-time, via dashboard)
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Admin │ │ Connek │ │ SaaS Provider│
│ Dashboard │ │ Server │ │ (e.g. Xero) │
└──────┬───────┘ └──────┬───────┘ └──────┬────────┘
│ │ │
│ Click "Connect" │ │
│ ─────────────────▶│ │
│ │ Redirect to OAuth │
│ │ ──────────────────▶│
│ │ │
│ │ ◀── callback with │
│ │ access_token + │
│ │ refresh_token │
│ │ │
│ │ ENCRYPT (AES-256) │
│ │ Store in Supabase │
② ON EVERY MCP REQUEST (automatic)
┌────────────────────────────────────────────────────────────┐
│ │
│ Check LRU Cache (4 min TTL) │
│ │ │
│ ├── CACHE HIT ──▶ Use cached decrypted token │
│ │ │
│ └── CACHE MISS │
│ │ │
│ ▼ │
│ Fetch encrypted blob from Supabase │
│ │ │
│ ▼ │
│ Decrypt (AES-256-GCM + ENCRYPTION_KEY) │
│ │ │
│ ▼ │
│ Check: expires_at < (now + 5 min)? │
│ │ │ │
│ NO YES │
│ │ │ │
│ ▼ ▼ │
│ Use token Auto-refresh via │
│ as-is provider OAuth │
│ │ │
│ ▼ │
│ Re-encrypt + save │
│ │ │
│ ▼ │
│ Update LRU cache │
│ │ │
│ ▼ │
│ Use refreshed token │
└────────────────────────────────────────────────────────────┘
Where Connek sits relative to existing integration and MCP infrastructure products.
| Product | What They Do | MCP? | Per-User Perms? | Target Buyer |
|---|---|---|---|---|
| Composio | Agent tool infrastructure, 1,000+ apps | ✓ | Partial | Developers |
| Pipedream Connect | SDK for integrations + MCP servers | ✓ | Via API keys | Developers |
| Merge.dev | Unified API for HR/CRM/accounting | ✗ | Via scoping | Enterprise SaaS |
| Nango | Code-first integration platform | Adding | Via connections | Developers |
| Paragon | Integration infra for SaaS products | ✗ | Via user mapping | B2B product teams |
| Zapier AI | Automation + emerging MCP | ✓ (new) | Per-Zap | Non-technical |
| Toolhouse | No-code agent builder | ✗ | Basic | Business users |
| Connek | Role-based MCP access for teams | ✓ | ✓ First-class | Business admins |
Developer-Focused Business Admin-Focused
◀─────────────────────────────────────────────────▶
Generic / │ │
Horizontal │ Merge.dev │ Zapier AI
│ Composio │
│ Nango │
│ │
│ Pipedream Connect │
│ │
│ │
─────────────────┼───────────────────────────┼──────────────────────
│ │
│ │
Vertical / │ Paragon │
Opinionated │ │ ┌─────────────────┐
│ │ │ │
│ │ │ ★ CONNEK │
│ │ │ │
│ │ │ THE GAP │
│ │ │ │
│ │ └─────────────────┘
KEY INSIGHT: Every MCP/integration competitor targets developers.
Nobody builds for the business admin who wants to connect tools,
assign roles, and give their team AI-powered data access.
Only product purpose-built as a role-based MCP permission layer. User/role/access model is first-class, not bolted on. Non-developer buyer. Vertical specificity for agencies, accounting, and e-commerce.
6 connectors vs Composio's 1,000+ or Pipedream's 3,000+. No marketplace or community ecosystem yet. Pre-revenue, pre-launch. Single-team build capacity.
No product exists where a non-technical business admin can connect APIs, create roles, and hand MCP URLs to their team. This space is genuinely empty.
Most MCP servers are all-or-nothing. Tool-level permission rules per role is a differentiator that enterprises will demand as AI data access scales.
Integration platforms (Merge, Paragon) are enterprise-priced and sales-led. Self-service MCP access for SMBs is missing entirely.
OAuth token refresh, rotation, and health monitoring across multiple SaaS providers is painful and unsolved. Connek's per-provider credential refresher architecture addresses this directly.
The question is not whether MCP matters. It's who owns the permission and access layer between business data and AI assistants.
79 briefs across 10 tiers. Tiers 0-6 are complete. The core product works.
┌────────────────────────────────────────────────┐
│ BaseConnector (abstract) │
│ │
│ * getTools(): ToolDefinition[] │
│ * execute(tool, args, creds): McpContent │
│ * getOAuthConfig(): OAuthConfig │
└────────────────────────────────────────────────┘
│ extends
┌──────────────────┼──────────────────┬───────────────┐
▼ ▼ ▼ ▼
┌──────────┐ ┌────────────┐ ┌──────────┐ ┌──────────────┐
│ Xero │ │ Google Ads │ │ Meta Ads │ │ GA4 / Search │
│Connector │ │ Connector │ │Connector │ │ / ClickUp │
└──────────┘ └────────────┘ └──────────┘ └──────────────┘
Each connector contains:
├── oauth.ts Provider-specific OAuth flow
├── client.ts API client wrapper
├── tools.ts MCP tool definitions + Zod schemas
├── types.ts TypeScript interfaces
└── Connector.ts Main implementation
Adding a new integration:
1. Copy src/connectors/_template/
2. Implement abstract methods
3. Register in registry.ts
4. Add OAuth env vars
5. Done ── permission system handles the rest
Skip Tiers 7-9 (hardening, billing, email, observability). Ship Xero + one ad platform end-to-end with basic auth and role-based access. Get Ven using it as customer zero. Everything else is iteration after real usage.
Not an integration platform. The moat is the admin dashboard + role-based permission layer + per-user MCP URLs. That's the product. The connectors are the delivery mechanism. Don't try to match Composio or Pipedream on connector count.
Agencies manage multiple client accounts across Google Ads, Meta, Xero, and ClickUp. An agency with 10 staff and 30 clients is a high-LTV customer. Build for that use case before going horizontal.