This is Part 3 of our 14-part MCP deep-dive series. If you haven't already, start with What Is MCP? The USB-C for AI, Explained for the foundational concepts.
Model Context Protocol (MCP) — the open standard introduced by Anthropic in November 2024 and now governed by the Linux Foundation's Agentic AI Foundation — has become the universal language AI agents use to connect to external tools and data sources.
For Salesforce Agentforce, MCP support changes everything. Native MCP client support launched in Agentforce Pilot in July 2025 and entered Beta in January 2026. With it, Agentforce agents can connect to any MCP-compliant server — Snowflake, Slack, GitHub, Jira, custom databases, and hundreds more — through a standardized interface that requires zero custom code.
Think of it this way: before MCP, connecting Agentforce to an external system meant writing Apex callouts, configuring Named Credentials, defining External Services schemas, and managing authentication flows individually for every integration. Each connection was a bespoke engineering project.
With MCP, each of those external systems exposes its capabilities through a standardized protocol. Agentforce discovers available tools automatically, understands their schemas, and invokes them within the same trust boundary that protects your Salesforce data. It's the difference between hand-wiring every appliance in your house versus plugging them into standard outlets.
MCP follows a three-tier client-server model built on JSON-RPC 2.0. Understanding these three layers is essential for planning your Agentforce integration strategy:
MCP Host — The user-facing AI platform that runs the large language model and acts as the security broker. In this context, Agentforce (and specifically the Atlas Reasoning Engine) serves as the MCP Host, orchestrating agent reasoning and enforcing the Einstein Trust Layer.
MCP Client — Middleware within the host that maintains one-to-one stateful sessions with individual MCP servers. Agentforce's native MCP client (Beta since January 2026) handles session management, authentication handshakes, and tool invocations.
MCP Server — The external system's standardized interface that exposes tools, data resources, and prompt templates via discoverable schemas. This could be Salesforce's own hosted MCP servers, third-party servers on AgentExchange, or custom servers your team builds.
Here's what happens when an Agentforce agent needs data from an external system:
The critical architectural insight is statefulness. Unlike traditional REST API calls that are stateless by design, MCP sessions maintain context across multiple interactions. An Agentforce agent can query a Snowflake data warehouse, receive results, ask follow-up questions about those results, and refine its analysis — all within the same MCP session, with full conversational context preserved.
Capacity Note: Each Agentforce agent currently supports approximately 20 simultaneous MCP tools. This constraint encourages focused agent design — a best practice we explore in our MCP Security guide.
If you've built Agentforce integrations before, you're familiar with Named Credentials, External Services, and Apex callouts. Here's how MCP changes the equation:
| Capability | MCP Connections | Traditional (Named Credentials / Apex / External Services) |
|---|---|---|
| Setup Complexity | No-code: register server URL, configure allowlist | Code-heavy: Apex classes, WSDL/JSON schemas, credential management |
| Standardization | Universal JSON-RPC 2.0 across all systems | Custom per API; each integration is unique |
| Tool Discovery | Automatic — agent discovers available tools from server | Manual — developers define schemas and map capabilities |
| State Management | Stateful sessions with preserved context | Stateless HTTP; manual session management required |
| Governance | Einstein Trust Layer + MCP Server Registry + allowlists | Custom Apex logic + Named Credential policies |
| Time to Integrate | Minutes (register, allowlist, deploy) | Days to weeks per integration |
| Cross-Platform Compatibility | Same server works with Agentforce, Claude, Cursor, and any MCP client | Salesforce-specific only |
MCP doesn't eliminate the need for traditional integration patterns. Named Credentials and Apex callouts remain the right choice for:
The pragmatic approach: use MCP for new agent-driven integrations, maintain traditional patterns for established data pipelines, and migrate legacy connections to MCP progressively as server availability grows.
Setting up an MCP connection in Agentforce follows a streamlined, no-code workflow through Salesforce Setup and Agentforce Builder:
Navigate to Setup and enter the MCP server's URL. Salesforce's enterprise MCP Server Registry validates the server and retrieves its tool manifest — the complete catalog of available operations, schemas, and descriptions.
Not every tool on an MCP server should be available to every agent. Admins select specific tools and metadata to expose to the org, creating a curated allowlist that enforces least-privilege access.
In Agentforce Builder, MCP actions appear as native agent actions — visually identical to built-in Salesforce capabilities. Drag the MCP actions into the appropriate agent topics, just as you would any other action.
This is where MCP shines over traditional integrations. Instead of writing Apex logic to constrain behavior, you provide natural language guardrails:
The Atlas Reasoning Engine interprets these instructions and enforces them during execution.
Validate the integration in Plan Canvas — Agentforce's testing environment — then deploy to production. Every execution routes through the Einstein Trust Layer automatically.
Salesforce's AgentExchange (the evolved AppExchange for the agentic era) now catalogs over 50 live MCP servers from more than 200 partners. These are pre-built, verified, and ready to deploy with zero code. Categories include data warehouses, developer tools, communication platforms, project management systems, and industry-specific applications.
The power of MCP becomes tangible when you see the breadth of external systems Agentforce can now reach:
The Data 360 MCP Server (Developer Preview, May 2026) connects Agentforce agents directly to Salesforce Data Cloud and external data warehouses like Snowflake. Use cases include:
MCP Apps for Slack (launched early 2026) enable bidirectional communication:
Through AgentExchange MCP servers, Agentforce can interact with development infrastructure:
MCP-connected Jira enables closed-loop workflows:
The most powerful use case combines multiple MCP servers in a single agent workflow:
This kind of multi-tool orchestration is what MCP was designed for, and it's only possible because every system speaks the same protocol.
For enterprises with complex integration landscapes, MuleSoft Agent Fabric is the governance and orchestration layer that makes MCP production-ready at scale.
MuleSoft's most transformative MCP capability, announced at TDX 2026 and now generally available: any existing MuleSoft API or Mule application automatically converts into an MCP server — no code modifications required.
For enterprises with hundreds of existing MuleSoft integrations, this is a game-changer. Decades of integration investment instantly become MCP-compatible assets that Agentforce agents can discover and consume. The Anypoint Platform handles the conversion, wrapping existing API endpoints in MCP-compliant tool definitions with proper schemas and descriptions.
The MCP Bridge feature extends this further by making any API agent-ready at scale:
MuleSoft Agent Fabric provides the enterprise control plane that MCP alone doesn't offer:
For a deeper dive into MuleSoft's MCP capabilities, see our dedicated guide: MuleSoft MCP Bridge: Turn APIs into MCP Servers — No Code Changes.
Security is the reason enterprises trust Salesforce, and MCP doesn't compromise that foundation. For a comprehensive security deep-dive, see MCP Security: Tool Poisoning, Rug Pulls, and Prompt Injection. Here's how the security model works within Agentforce specifically:
Every MCP action in Agentforce executes within the Einstein Trust Layer — the same security framework that governs all AI operations in Salesforce. This means:
Salesforce-hosted MCP servers respect your org's complete security model:
MCP connections in Agentforce operate within defined trust boundaries:
It's worth noting that Anthropic's Claude is currently the only LLM operating within Salesforce's trust boundary. This means the MCP protocol standard was designed by the same team whose AI model Salesforce trusts with its most sensitive operations — a level of alignment that matters for enterprise security posture.
With multiple integration protocols available, choosing the right one for each use case is critical. Here's a decision framework:
In practice, most enterprises will use all three. The emerging best practice is a layered architecture:
This layered approach aligns with how multi-platform CRM organizations are structuring their integration architecture.
The trajectory is clear: MCP is becoming the universal connector for the agentic enterprise. Here's what's on the horizon:
Announced at TDX 2026, Headless 360 exposes every Salesforce capability as MCP tools and APIs. This means external agents — Claude, custom-built AI systems, partner platforms — can consume Salesforce functionality without ever touching the Salesforce UI. Over 60 MCP tools are already available for developer experience and data/logic access.
The AgentExchange marketplace is rapidly expanding beyond 50 live MCP servers from 200+ partners. As the ecosystem grows, the integration cost for connecting Agentforce to any system approaches zero.
Salesforce has built comprehensive MCP implementation across six layers:
As both protocols mature, expect deeper integration. MCP handles the "hands" (tool access), while A2A handles the "teamwork" (agent coordination). Agentforce is positioning itself at the intersection, capable of both consuming MCP tools and participating in A2A multi-agent workflows.
MCP (Model Context Protocol) is an open standard that enables Agentforce AI agents to discover and connect to external tools, databases, and SaaS applications through a universal interface. Agentforce functions as a native MCP client, allowing agents to integrate with any MCP-compliant server without custom code.
Admins register an MCP server URL in Salesforce Setup, configure an allowlist of approved tools, then add those MCP actions to agents in Agentforce Builder. The agent automatically discovers available tools, their schemas, and invokes them within the Einstein Trust Layer.
Agentforce can connect to any MCP-compliant server, including Snowflake, Slack, GitHub, Jira, PostgreSQL, custom databases, and 50+ pre-built servers on AgentExchange. MuleSoft Agent Fabric can also convert any existing API into an MCP server.
Yes. MCP actions in Agentforce execute within the Einstein Trust Layer with PII masking, field-level security enforcement, OAuth 2.0 authentication, VPC isolation, rate limiting, and comprehensive audit trails. MuleSoft Agent Fabric adds additional governance layers including human approval workflows for high-risk actions.
Traditional integrations (Named Credentials, Apex callouts, External Services) require custom code, manual schema definition, and per-integration authentication setup. MCP provides automatic tool discovery, standardized communication via JSON-RPC 2.0, stateful sessions, and no-code setup — reducing integration time from weeks to minutes.
MuleSoft Agent Fabric serves as the enterprise MCP orchestration layer. It converts existing MuleSoft APIs into MCP servers without code changes, provides centralized governance (allowlists, rate limiting, audit logging), and orchestrates agent workflows across multi-vendor AI environments.
Use MCP for dynamic agent-to-tool connections, A2A (Agent-to-Agent Protocol) for multi-agent coordination and delegation, and REST APIs for high-throughput data pipelines and batch processing. Most enterprises use all three in a layered architecture.
Each Agentforce agent currently supports approximately 20 simultaneous MCP tools. This constraint encourages focused agent design with curated toolsets aligned to specific business functions.
TDX 2026 announced Agentforce MCP Beta rollout, Headless 360 (every Salesforce capability as MCP tools), Salesforce-hosted MCP servers in Developer Edition, AgentExchange with 50+ MCP servers, the Data 360 MCP Server preview, and MuleSoft's zero-code API-to-MCP conversion reaching general availability.
Start with a Developer Edition org, which includes Salesforce-hosted MCP servers by default. Register external MCP servers in Setup, configure allowlists, and add MCP actions to your agents in Agentforce Builder. For enterprise deployments, evaluate MuleSoft Agent Fabric for governance and API-to-MCP conversion.
MCP transforms Agentforce from a CRM-bound assistant into a universal integration hub — one that can reach any system, any database, and any SaaS tool in your enterprise through a single, standardized protocol.
Whether you're connecting to Snowflake for real-time analytics, Slack for team collaboration, or converting hundreds of existing MuleSoft integrations into MCP-ready tools, Vantage Point can help you design, implement, and govern your Agentforce MCP strategy.
Schedule a consultation with our integration team →
This is Part 3 of our MCP deep-dive series. Continue reading: - Part 1: What Is MCP? The USB-C for AI, Explained - Part 5: MuleSoft MCP Bridge: Turn APIs into MCP Servers — No Code Changes - Part 9: How to Connect HubSpot to AI Agents with MCP - Part 11: MCP Security: Tool Poisoning, Rug Pulls, and Prompt Injection - Part 14: Why MCP Changes Everything for Multi-Platform CRM Shops