AI Codex
Building Your Internal AI StackStep 1 of 8
← Prev·Next →
Agents & OrchestrationCore Definition

What Is an Internal MCP Server — and Why Your Team Needs One

In brief

When you connect Claude to company tools through native connectors, you get one connection per service, no shared context, and no access control. An internal MCP server is a single routing layer that proxies everything through one interface — with auth, shaped responses, and permissions baked in.

9 min read·

Contents

Sign in to save

You've connected Claude to HubSpot. Then to Intercom. Then to QuickBooks. Each connection was its own thing — different setup, different permissions, different response shapes. When your sales rep asks Claude about a customer, Claude knows their deal stage (HubSpot), but not their open support ticket (Intercom), and definitely not their billing status (QuickBooks). You've connected Claude to three systems and it still doesn't know what's actually going on with the customer.

This is the native connector problem. And it's why teams that get serious about AI infrastructure build an internal MCP server.

What native connectors give you (and what they don't)

A native connector is a direct line between Claude and one service. You connect HubSpot, and Claude can look up deals. You connect Slack, and Claude can search messages. Each connector works fine in isolation.

The problems emerge when you need more than one:

No shared context. Each connector operates independently. Claude can look up a deal in HubSpot and a ticket in Intercom, but it needs to make two separate calls, and there's nothing connecting them. If you want "show me all customers with open support tickets and an enterprise deal closing this quarter," you're assembling that manually.

No access control. A sales rep and a finance manager both have Claude. The sales rep probably shouldn't be able to pull payroll data from your HR system. The finance manager probably shouldn't see individual customer conversations. Native connectors don't have a layer where you can enforce this. You're left writing it into your prompts, which is not enforcement — that's hoping.

No response shaping. Native connectors return what the API returns. HubSpot's deal endpoint returns a JSON object with 40+ fields, most of which Claude doesn't need. You're paying token costs for data that doesn't help the answer.

No audit trail. When Claude looks something up, you often have no record of what was accessed, by whom, at what time. For most companies, this is a liability.

What an internal MCP server is

An MCP server (Model Context Protocol server) is a standardized way for Claude to call tools and get data. An internal MCP server is one you build and control — it sits between Claude and all your external services.

The architecture looks like this:

Claude
  ↓
Internal MCP Server
  ↓  [ACL Middleware — injects caller identity, checks permissions]
  ↓
  ├── ChargeOver (billing)
  ├── HubSpot (CRM)
  ├── Intercom (support)
  ├── QuickBooks (accounting)
  ├── Gong (call recordings)
  ├── Granola (meeting notes)
  ├── Notion (docs)
  ├── Slack (comms)
  ├── GitHub (code)
  └── Data Warehouse (BigQuery / StarRocks)

Instead of Claude talking to each service directly, Claude makes a single connection to your MCP server, and the MCP server handles routing.

Every call goes through ACL middleware that knows who's calling. The middleware injects the caller's user ID and org ID into every request automatically — no relying on prompts or user input. If the tool the caller is trying to use requires a permission they don't have, the call never reaches the service. The tool doesn't even appear in Claude's available tool list for that user.

Tools as named functions

The way Claude discovers what it can do through your MCP server is by reading a list of tools — named functions with descriptions.

A tool looks like this:

{
  name: 'get_customer_profile',
  description: 'Returns the full customer record including deal stage, support tickets, and billing status. Use this when the user asks about a specific customer.',
  inputSchema: {
    type: 'object',
    properties: {
      customer_id: { type: 'string', description: 'The customer ID from HubSpot or ChargeOver' }
    },
    required: ['customer_id']
  }
}

Claude reads the name and description and decides when to call it. The implementation behind the tool can call three different APIs, join the results, strip out irrelevant fields, and return a shaped object — Claude just gets the clean answer.

This is the key insight: the tool's description is how Claude understands capability, and the implementation is how the server delivers it. You control both.

Shaped responses: the token economics argument

When Claude calls HubSpot directly through a native connector, it gets a full API response. A HubSpot deal object has fields for: deal ID, deal name, owner, pipeline, stage, amount, close date, created date, last modified, contact associations, company associations, activity log, custom fields — plus all the metadata.

Claude reads all of it. You pay for all of it.

Your internal MCP server can return just what's needed:

{
  "customer": "Acme Corp",
  "deal_stage": "Negotiation",
  "close_date": "2026-06-15",
  "amount": 42000,
  "open_support_tickets": 2,
  "last_payment_status": "current"
}

Six fields instead of sixty. A fraction of the tokens. And because the server controls what goes into that response, it can pull the support ticket count from Intercom and the payment status from ChargeOver and include them in the same response — something Claude couldn't do with three separate native connectors.

The company's AI data layer

The right mental model for an internal MCP server is an API gateway — but for AI agents rather than other services.

Like an API gateway, it:

  • Routes requests to the right service
  • Handles authentication so callers don't need service-specific credentials
  • Enforces access policies
  • Shapes and transforms responses
  • Maintains an audit log

Unlike a typical API gateway, it's designed around Claude's consumption patterns: natural language descriptions of tools, shaped responses optimized for token cost, and permission filtering that determines which tools even exist for a given caller.

Once you have this layer in place, adding a new data source becomes: write one MCP tool, point it at the service, define the permission group that can use it. Every team member with Claude access gets the new capability automatically — shaped, permissioned, logged.

What this enables

Cross-system answers. "Which customers have an open enterprise renewal this quarter and more than one unresolved support ticket?" This query touches HubSpot and Intercom. Your MCP server can handle it in one tool call.

Role-shaped AI. Your sales rep's Claude has access to deal data, call transcripts, and customer profiles. Your finance team's Claude has access to billing, AR aging, and QBO reports. Not because of different prompts — because of different permission groups hitting the same server.

Consistent data contracts. Every team member asking about a customer gets the same shape of response, from the same source. No one's pulling stale data from a CSV they downloaded last week.

Audit trail. Every tool call is logged: which user, which tool, which parameters, what was returned, when. This is the kind of record most companies don't have for AI queries today.

What goes wrong without it

The most common failure mode: your AI setup works fine for individual users, falls apart the moment you try to scale it.

A sales rep figures out that if they ask Claude about a customer, they need to paste in the HubSpot record first, then the recent Gong summary, then the last Intercom ticket. They do this because there's no other way. It takes 90 seconds of copy-paste before every customer conversation. The AI is genuinely helping — but only after a manual assembly step that was supposed to be the AI's job.

The second failure mode: someone asks Claude something they shouldn't be able to know. Not because Claude was hacked — because there was no access control in the first place. "What's Sarah's salary?" Claude answers because it has access to the HR system and no one built the layer that says finance managers can't see individual salaries.

An internal MCP server is how you build the infrastructure before those problems show up, rather than after.

Getting started

The minimum viable internal MCP server has:

  1. Two or three tools covering your most common Claude queries
  2. An ACL middleware layer that injects user identity and checks permissions
  3. An audit log (even just writing to a table is fine to start)

You don't need all your services wired up on day one. Start with the data your team actually asks Claude about most often. Add tools as the use cases demand them.

The architecture is straightforward. The payoff — having one interface that routes, shapes, and controls all AI data access — compounds the longer it runs.

Next in Building Your Internal AI Stack · Step 2 of 8

Continue to the next article in the learning path

Next article →

Weekly brief

For people actually using Claude at work.

Each week: one thing Claude can do in your work that most people haven't figured out yet — plus the failure modes to avoid. No tutorials. No hype.

No spam. Unsubscribe anytime.

What to read next

Picked for where you are now

All articles →
Failure Modes·10 min

The Token Cost of How You Fetch Data — and Why It Matters More Than Your Model Choice

Once you understand what the MCP server does, the token cost of how data flows through it is the next thing to get right.

Field Note·11 min

The Internal AI Stack: What It Looks Like When You Build It Properly

The full five-layer stack this server sits inside — how everything connects and what the mature version looks like.