ApexMCP Platform Update: What We've Built

When we launched the initial beta, ApexMCP could do one thing well: take a data source, wrap it as MCP tools, and hand you an endpoint. That was enough to validate the idea. It wasn't enough to ship to teams who actually need to run this in production.

The last several months have been heads-down building everything around that core: compliance features, team management, billing, event observability, and the security posture that enterprise customers require before they'll point an AI agent at production data. Here's what's in the platform now.

Connectors: More Sources, Smarter Discovery

The connector layer is how you tell ApexMCP what data sources to expose. We've expanded what you can connect and made the configuration process significantly less painful.

GraphQL with automatic schema discovery

Connect a GraphQL endpoint and ApexMCP introspects the schema automatically — no manual tool definitions required. The platform maps your types and queries to MCP tool descriptions that agents can reason over. Schema discovery runs on connect and can be refreshed on demand. Tool results are cached in Redis per-org so repeated agent queries don't hammer your upstream.

External MCP backends

If you already have an MCP server — a custom one you built, or a third-party service that speaks the protocol — you can federate it through ApexMCP. Your existing MCP endpoint gets proxied through the platform, gaining ApexMCP's auth layer, rate limiting, and audit logging without any changes to the upstream server. Redis-backed caching and pub/sub invalidation mean stale tool lists never reach the agent.

Credential vault

Connector credentials — API keys, connection strings, OAuth tokens — are stored in HashiCorp Vault, not in the application database. Each connector gets a vault path; the credential never touches the app layer in plaintext. Rotation works without downtime: update the vault entry, the next request picks it up.

Audit Logs

Every action on the platform — tool calls, connector changes, member invitations, billing events, API key creation — is written to a tamper-evident audit log.

Each entry is chained: a SHA-256 hash of the previous entry is included in the next one, making it detectable if any record is deleted or modified. You can verify chain integrity from the dashboard or via the API. Export is available as CSV or JSON for ingestion into your SIEM. PII fields are redacted in exports by default, with per-field opt-in for internal compliance workflows.

Audit log inserts are locked down at the database level: the application role has INSERT revoked on the audit_logs table directly. All writes go through a SECURITY DEFINER function that enforces the schema and cannot be bypassed by application code.

Webhooks

ApexMCP now emits outbound webhooks for platform events: tool calls, connector status changes, member changes, billing transitions, and more. Configure a target URL per event type, and every matching event is delivered with an HMAC-SHA256 signature in the X-ApexMCP-Signature header so your endpoint can verify authenticity.

Delivery failures are retried with backoff. A per-org event ring buffer lets you inspect recent webhook payloads and replay failed deliveries from the dashboard.

Billing and Tiers

Billing is live and Stripe-integrated. Tiers — limits, feature flags, and prices — are all database-driven rather than hardcoded, which means we can adjust them without a deploy. The trial tier is fully functional: you get a 14-day trial with a real MCP endpoint, real connectors, and real audit logs. Upgrading converts the trial subscription to paid without data loss.

Usage is metered per API call against your MCP endpoint, aggregated daily, and reflected in the dashboard's usage chart in near real-time. The billing view shows current period consumption, your tier limits, and a day-by-day breakdown.

Team and Access Management

BYOIDP — Bring Your Own Identity Provider

Enterprise teams that already have an IdP (Okta, Azure AD, Google Workspace, any OIDC-compliant provider) can connect it to ApexMCP. Members authenticate through their existing SSO flow. Provisioning and deprovisioning can be automated via SCIM. No separate password to manage, no shadow IT.

IP allowlist

Lock down access to your MCP endpoint, your dashboard, or both by IP range. CIDR notation, per-context (MCP traffic vs. dashboard traffic can have separate rules). Requests outside the allowlist are rejected before they reach the application layer.

OAuth2 agent tokens

For automated pipelines — scheduled agents, CI/CD integrations, server-to-server calls — you can issue OAuth2 client_credentials tokens scoped to specific tools or connector sets. These tokens are separate from user sessions, can be rotated independently, and show up distinctly in audit logs so you can tell human actions from agent actions.

MCP Endpoint Improvements

Tool enable/disable

New tools discovered from a connector are now disabled by default. You explicitly enable the tools you want to expose to agents. This prevents a schema change or a new connector from accidentally expanding an agent's surface area without review.

Provisioning versions and rollback

Every time your MCP endpoint is re-provisioned — new connectors added, tools toggled, schema refreshed — a versioned snapshot is saved. If a change breaks an agent workflow, you can roll back to the previous provisioning state in one click from the dashboard.

Compliance Pages

We've shipped the compliance foundation that enterprise procurement requires: a Trust Center with security architecture overview and sub-processor list, a Privacy Policy with data retention detail, a Terms of Service, and a Security page covering encryption, authentication, audit logging, and our responsible disclosure process.

Status Page

Live uptime monitoring is at apexmcp.ai/status, powered by BetterStack. Incident history, response time graphs, and component-level status for the gateway, MCP manager, connector service, and identity provider.

What's Next

The platform is approaching launch-ready. The remaining work before we open access broadly:

• Standalone Docker install — a single-compose deployment for teams that need data to stay on-premises. Community images available on request to enterprise customers.
• Kubernetes manifests and Terraform — for teams who want to run ApexMCP in their own cloud rather than using the managed service.
• SOC 2 Type I prep — controls documentation, vendor assessments, and policy package. Target: Q4 2026.
• Playwright end-to-end test suite — the platform works; we're building the automated harness to prove it stays working as we ship.

If you're building on MCP and want early access, the waitlist is open.