Developer Setup
Self-Hosted Setup
Plan a self-hosted Acumatica MCP Tools deployment before moving into Docker, OAuth, and configuration details.
Use this page to plan a self-hosted Acumatica MCP Tools deployment before you move into Docker, OAuth, and environment variables.
Self-hosting means your team owns the runtime: public URL, secrets, token storage, reverse proxy, monitoring, and release process. The server still relies on Acumatica OAuth, Acumatica permissions, allowlists, limits, metadata validation, and audit logs.
Before You Deploy
Start with a sandbox Acumatica tenant when possible. Confirm the first workflow before changing configuration. An order desk workflow, inventory lookup, or reviewed CRM workflow will each require different Contract REST entities, Generic Inquiries, OData entities, writes, attachments, or actions.
Choose the Acumatica environment, endpoint version, public MCP hostname, OAuth redirect URI, token storage provider, and first workflow before deployment. These choices affect Acumatica permissions, OAuth configuration, and which MCP tools can safely be enabled.
Setup Path
For a local technical evaluation, start with Quick Start. It includes the minimal .env, Docker Compose command, OAuth login URL, and first read-only validation.
For deployment details, use Docker Deployment. It covers the Compose services, ports, Postgres volume, migration expectations, and reverse proxy requirements. Use the Configuration Reference when you need the full list of environment variable groups.
OAuth-specific setup and redirect troubleshooting are covered in Acumatica OAuth Setup.
Recommended Starting Guardrails
Begin with read-only access. Validate Contract REST schema inspection, small record reads, and any approved Generic Inquiry or OData reads needed by the workflow.
Keep destructive operations denied by default. Add write, attachment, and action allowlists only after the Acumatica admin and workflow owner agree on the exact entities and actions required. Avoid wildcard destructive allowlists outside short-lived sandbox QA, and review audit logs before expanding access.
Production Baseline
Use Postgres token storage with a stable 32-byte encryption key. Put the API behind HTTPS, set the public MCP base URL to the externally reachable host, and make the Acumatica OAuth redirect URI match the public callback URL exactly.
Do not expose Postgres publicly. Keep destructive allowlists narrow, rotate secrets intentionally, and keep audit logs available for operational review.