Model Context Protocol · Enterprise Gateway

Connect Any AI Agent
to Any Enterprise API

One gateway. Every API. All your agents. Register once, call from anywhere — with enterprise auth, tenant isolation, and full audit trail built in.

SAP · Salesforce · ServiceNow · Microsoft · AWS · Any REST API

Get started free → See how it works

10+

Auth Types

∞

APIs Supported

Integration Point

Custom Connectors

The Problem

Stop Building N × M Integrations

Before — Today

One integration per agent per API

Claude → custom connector → SAP IBP

Claude → custom connector → Salesforce

Claude → custom connector → ServiceNow

Claude → custom connector → your-internal-api

GPT → custom connector → SAP IBP

GPT → custom connector → Salesforce

GPT → custom connector → ...

N agents × M APIs = N×M integrations

Credentials duplicated everywhere

No audit trail · No access control

After — NEXSUS MCP Hub

One gateway. Every combination covered.

Claude ─┐

GPT ─┼─→ NEXSUS MCP Hub ─→ Any API

Agent ─┘

Auth handled centrally.

Every call logged and audited.

Per-API scope + role restrictions.

N agents + M APIs = 1 integration

How It Works

Three Steps to Any API

The AI agent searches, understands, then calls — no hard-coded tool names needed.

Discover

Agent searches by keyword — finds the right endpoint across all registered APIs.

hub_search("HR employee list")
→ sap_hr_employees, sap_hr_headcount

Understand

Agent fetches the full parameter schema — knows exactly what to pass.

hub_describe("sap_hr_employees")
→ params: company_code, $top

Execute

Agent calls the endpoint. Hub resolves auth, rate limits, retries, and returns clean JSON.

api_call("sap_hr_employees",
'{"company_code":"1000"}')

Admin Dashboard

Full Control from the Browser

sandbox-mcp.nexus.voydd.com/dashboard

APIS

ENDPOINTS

2.4k

CALLS TODAY

99.8%

SUCCESS RATE

SAP IBP

api.sap.com · 14 endpoints

oauth2_client

Salesforce CRM

api.salesforce.com · 9 endpoints

bearer

ServiceNow ITSM

company.service-now.com · 7 endpoints

basic

Microsoft Graph

graph.microsoft.com · 11 endpoints

delegated

Capabilities

Everything You Need Out of the Box

🔌

Universal API Registry

RESTODataJSONAny HTTP

🤖

Smart Tool Routing

Smart mode keeps the LLM tool list minimal. Agents use hub_search → hub_describe → api_call regardless of how many APIs are registered.

smartlazyeager

🔐

10 Auth Types

Bearer, API key, Basic, OAuth2 client/password, AWS SigV4, delegated (OBO), elicit. Composite layers. Credentials Fernet-encrypted at rest.

oauth2aws sigv4delegatedOBO

📊

Full Observability

Prometheus metrics, Grafana Loki structured logs, per-call audit log. Every tool call produces caller identity, API, duration, and response excerpt.

prometheuslokiaudit log

🏢

Tenant Isolation

Each customer gets a dedicated gateway on their own subdomain. JWT tenant_id enforced on every request — zero cross-tenant bleed.

dedicatedjwt tenancysubdomain

⚡

Production Reliability

Per-API rate limiting, exponential backoff retries on 5xx, per-endpoint timeout overrides, JMESPath response extraction, SSL bundle support.

rate limitretrytimeoutjmespath

Authentication

Every Auth Pattern Supported

Stack multiple auth layers on a single API. Credentials encrypted at rest with Fernet AES-128.

🔑

api_key

Header, query param, or cookie

🎫

bearer

Authorization: Bearer token

👤

basic

HTTP Basic Auth

⚙️

oauth2_client

Client credentials, auto-refresh

🔄

oauth2_password

Password grant, auto-refresh

📋

custom_header

Arbitrary headers dict

☁️

aws_sig_v4

AWS Signature V4 signing

↗️

delegated

Passthrough · OBO · Inject

💬

elicit

Prompt user for credentials

🔀

composite

Stack any layers together

Security

Zero-Trust by Default

Every Request — Checked in Order

1. Valid JWT?

Verified against JWKS endpoint. Expired or malformed → redirect to /login

2. Tenant match?

token.tenant_id must equal MCP_REQUIRED_TENANT. Sandbox (empty) = allow any tenant.

3. Admin role?

Dashboard + management tools require role: owner|admin or platform_role: nexus_admin|nexus_support

4. API-level access control

Per-API restrictions: required_scopes, allowed_roles, allowed_client_ids. Any one match = allow.

5. Audit logged

Caller sub, tenant, API, endpoint, arguments (sanitised), response excerpt, duration — every call.

🔒

Fernet Encryption at Rest

All credentials encrypted with AES-128-CBC + HMAC-SHA256. Never logged, never exposed in API responses.

🍪

Secure Session Cookies

hub_session — HttpOnly, Secure, SameSite=Lax, 1h TTL. Scoped per subdomain — no cross-tenant bleed.

🏷️

JWT-Based Identity

Issued by nexus.voydd.com SSO. Claims: sub, email, role, platform_role, tenant_id. Verified via JWKS.

📋

Complete Audit Trail

Every MCP tool call and dashboard action logged. Filterable by API, caller, status, and source.

🚧

Per-API Access Policies

Restrict any API to specific scopes, roles, or client IDs. HR APIs for HR team only. Finance gated by scope.

Multi-Tenancy

One Platform, Every Customer

Sandbox for exploration. Dedicated instances for production. Each fully isolated.

Sandbox

Explore & Prototype

sandbox-mcp.nexus.voydd.com

Shared gateway instance
No tenant restriction
Up to 5 APIs · 20 endpoints
Community support
Basic audit log

Team

Dedicated Instance

your-company.nexus.voydd.com

Dedicated Cloud Run service
Full tenant isolation (JWT enforced)
Up to 25 APIs · 100 endpoints
30-day audit log
Prometheus + Loki observability
Email support · 99.5% SLA

Enterprise

Unlimited Scale

custom.your-domain.com

Unlimited APIs & endpoints
Custom domain + BYOC
1-year audit retention
SSO with your own IdP
Dedicated support engineer
99.9% SLA + on-prem option

MCP Tools

Built-In Tools for Every Workflow

Meta Tools

All callers

hub_search

Search endpoints by keyword across name, description and tags

hub_describe

Get full parameter schema and examples for any endpoint

api_call

Execute any registered endpoint by name with JSON arguments

hub_health_check

Ping any API's base URL with auth applied — verify connectivity

hub_stats

Return gateway statistics: API count, endpoint count, uptime

Management Tools

Admin only

hub_register_api

hub_set_auth

Set authentication strategy (10 types) for any registered API

hub_set_auth_layers

Configure composite multi-layer auth (e.g. OAuth2 + API key)

hub_add_endpoint

Add an HTTP endpoint with params, static headers, JMESPath filter

hub_set_access_control

Restrict an API to specific JWT scopes, roles, or client IDs

hub_issue_token

Mint a signed JWT for a user or service account with custom claims

hub_delete_api

Permanently delete an API and all its encrypted credentials

Observability

See Everything, Miss Nothing

📈

Prometheus Metrics

Expose GET /metrics in Prometheus text format. Plug into any Grafana dashboard.

hub_requests_total (api, endpoint, method, status)

hub_request_duration_seconds (histogram)

Active endpoint gauges per API

Auth refresh + failure counters

📋

Grafana Loki Logs

Structured JSON logs pushed to Loki. Query with LogQL. Batch-buffered, multi-tenant ready.

Labelled by api_id, level, job

Request events with duration + error_type

Auth refresh and failure events

Configurable batch size + flush interval

🔍

Audit Log

Persistent per-call audit trail in PostgreSQL or SQLite. Queryable from the dashboard.

caller_sub, email, tenant_id

API, endpoint, method, status

Arguments JSON (sanitised, max 2 KB)

Response excerpt + error message

Get Started

Connect Your Agent in 60 Seconds

Claude Desktop Config

// claude_desktop_config.json { "mcpServers": { "nexus-hub": { "url": "https://your.nexus.voydd.com/mcp", "headers": { "Authorization": "Bearer <token>" } } } }

Then ask Claude anything

You: Get headcount for company code 1000 Claude: hub_search("headcount") → Found: sap_hr_headcount api_call("sap_hr_headcount", '{"company_code":"1000"}') → 2,847 employees in company 1000

Ready to connect your
enterprise APIs to AI?

Get started on the sandbox in minutes. No credit card required.
Upgrade to a dedicated tenant instance when you're ready.

Create free account → Talk to us

Connect Any AI Agentto Any Enterprise API