The ERP in the age of AI agents: why the MCP protocol is a game changer
Conversational agents can now act, not just answer. The MCP protocol standardizes how an AI drives an ERP — provided that access is framed by robust authentication and real guardrails.
From APIs to conversation: a new way to access the ERP
For twenty years, integrating one business application with another meant writing code: calling a REST API, handling authentication, parsing responses, and maintaining all of it with every change. That approach is still solid, but it effectively shuts out everyone who is not a developer.
The arrival of AI agents — ChatGPT, Claude, Cursor, and their peers — changes the game. These assistants no longer just answer questions: they can act, meaning they can trigger operations in a third-party system. For an agent to create a quote, read a stock level, or schedule an intervention in an ERP, it needs a shared language with that software. That is exactly what the MCP protocol provides.
The MCP protocol, explained
MCP (Model Context Protocol) is an open protocol that standardizes the connection between a language model and external data sources or tools. It is often compared to a "universal port": rather than reinventing a bespoke integration for each assistant, a vendor exposes its capabilities once through an MCP server, and any compatible agent can connect to it.
Concretely, an MCP server publishes a list of tools. Each tool describes a possible action — "create a customer," "list unpaid invoices," "open the dashboard" — along with its expected parameters. The AI agent discovers this list, picks the relevant tool based on the user's request, fills it in, and receives the structured result.
How it works in practice
A user writes in their assistant: "Create a €1,500 quote for the customer Durand and send it." The agent:
- Discovers the tools exposed by the ERP's MCP server.
- Selects the quote-creation tool and infers the parameters from the message.
- Calls the tool through the server, which executes the operation just as the web interface would.
- Returns a readable confirmation and, where relevant, the link to the document.
The major advantage: these tools can be generated automatically from the ERP's OpenAPI specification. Every documented route becomes a tool the agent can use, with no manual rewriting. eyeot follows this logic: its MCP server derives its tools from the existing API and routes every call through the same stack as the interface — preserving authentication, data scope, and audit logging.
Authentication: opening the ERP to agents without dropping your guard
Handing an AI the keys to a management system immediately raises a security question. An ERP holds financial, HR, and customer data: agentic access cannot rely on a simple shared password.
The emerging standard is [OAuth](/en/glossaire/oauth) 2.1, with several modes suited to the context:
- Authorization Code + PKCE: the user authenticates in their browser and explicitly authorizes the agent. The token issued is short-lived and renewable.
- Device Grant: designed for command-line agents or applications without a built-in browser (a desktop assistant, for example). The user approves access on another screen.
- API keys issued by the organization, with a controlled scope, for service integrations.
In every case, the principle is the same: the agent inherits the permissions of the user who authorized it, never more. An assistant connected to a salesperson's account cannot view payroll. This consistency relies on fine-grained access control, applied to every request, and on strict multi-tenant data isolation.
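The Authorization Code + PKCE exchange and the "never more than the user" rule, as an added example that is not eyeot's code: the agent keeps the verifier, the server checks it at token exchange, and the granted scopes are the intersection of what the agent requested and what the user holds. The `AuthServer` class, scope names and lifetimes are assumptions made for the illustration.

```python
import base64, hashlib, hmac, secrets, time

def s256(verifier):
    """PKCE S256 transform (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair():
    """Agent side: the verifier stays local, only the challenge goes through the browser."""
    verifier = secrets.token_urlsafe(64)   # 86 characters, inside the 43..128 range
    return verifier, s256(verifier)

class AuthServer:
    """Hypothetical authorization server, reduced to the two PKCE steps."""
    CODE_TTL = 60  # seconds an authorization code stays valid (assumed value)

    def __init__(self):
        self._codes = {}

    def authorize(self, user, user_scopes, requested, challenge, now=None):
        """Called after the user has logged in and approved the agent."""
        # The agent gets the intersection: never more than the user already has.
        granted = sorted(set(requested) & set(user_scopes))
        code = secrets.token_urlsafe(16)
        issued = time.time() if now is None else now
        self._codes[code] = (user, granted, challenge, issued + self.CODE_TTL)
        return code

    def exchange(self, code, verifier, now=None):
        entry = self._codes.pop(code, None)    # single use: a replayed code is gone
        if entry is None:
            raise PermissionError("unknown or already used code")
        user, granted, challenge, expires = entry
        current = time.time() if now is None else now
        if current > expires:
            raise PermissionError("authorization code expired")
        if not hmac.compare_digest(s256(verifier), challenge):
            raise PermissionError("PKCE verifier does not match challenge")
        return {"sub": user, "scope": granted, "expires_in": 900}  # short-lived token
```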
The essential guardrails of an agentic ERP
An AI agent is powerful but fallible: it can misinterpret an instruction, repeat an action, or act too quickly. An AI-ready ERP must therefore build in safety mechanisms designed for this new mode of use.
Idempotency: don't create the same invoice twice
If an agent resends a request after a network delay, it risks duplicating an operation — two invoices, two orders. The defense is idempotency: the agent attaches a unique identifier (Idempotency-Key) to each sensitive request. If the server receives the same key twice, it returns the original result without re-executing the action. A single invoice is created, no matter what.
Dry-run: simulate before writing
Before committing a high-impact operation, it is valuable to be able to preview its effects without changing anything. Dry-run mode (often an X-Dry-Run header) runs the business logic, captures what would have changed — mutations, notifications, triggers — then rolls everything back. The agent can thus announce "here is what this action will produce" before asking for a final confirmation.
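One way to build such a mode, shown as an added example on SQLite rather than the vendor's implementation: the same function runs for both modes inside a transaction, records each effect, and differs only in the final ROLLBACK or COMMIT. Notifications are queued and delivered after the commit, because an email already sent cannot be rolled back. The table layout, sample row and `outbox` list are constructed for the illustration.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE stock (sku TEXT PRIMARY KEY, qty INTEGER NOT NULL)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, sku TEXT, qty INTEGER)")
    db.execute("INSERT INTO stock VALUES ('PUMP-01', 10)")  # constructed sample row
    return db

def place_order(db, sku, qty, outbox, dry_run=False):
    """Run the real business logic; persist and notify only when dry_run is False."""
    effects = {"mutations": [], "notifications": []}
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT qty FROM stock WHERE sku = ?", (sku,)).fetchone()
        if row is None or row[0] < qty:
            raise ValueError("insufficient stock")   # a dry run fails exactly like a real call
        db.execute("UPDATE stock SET qty = qty - ? WHERE sku = ?", (qty, sku))
        effects["mutations"].append(f"stock[{sku}].qty {row[0]} -> {row[0] - qty}")
        cur = db.execute("INSERT INTO orders (sku, qty) VALUES (?, ?)", (sku, qty))
        effects["mutations"].append(f"orders += id {cur.lastrowid}")
        # External side effects are only queued here, never sent inside the transaction.
        effects["notifications"].append(f"email: order {cur.lastrowid} confirmed")
    except Exception:
        db.execute("ROLLBACK")
        raise
    if dry_run:
        db.execute("ROLLBACK")                       # nothing persists, nothing is sent
        return {"committed": False, **effects}
    db.execute("COMMIT")
    outbox.extend(effects["notifications"])          # deliver only after a successful commit
    return {"committed": True, **effects}
```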
Audit and RBAC: traceability and permissions
Every action triggered by an agent must be logged like any human action: who, what, when, and from which token. A timestamped audit trail — ideally cryptographically chained — ensures that no automated operation escapes oversight. On the rights side, [RBAC](/en/glossaire/multi-tenant) filters upstream what the agent is allowed to do. For automated decisions affecting individuals, the GDPR framework (notably Article 22) also requires keeping a human in the loop.
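What "cryptographically chained" means in practice, as an added example that is not eyeot's code: each entry's hash covers the previous entry's hash, so an edit or a deletion breaks verification from that point on. A chain alone does not reveal that the tail was cut off, which is why the verifier also accepts a head hash stored outside the log. Field names and sample entries are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # fixed value that the first entry chains from

def _digest(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, who, what, when, token_id):
    """Append one audit record; store the token's identifier, never the token itself."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"who": who, "what": what, "when": when, "token": token_id}
    log.append({"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)})

def verify_chain(log, anchored_head=None):
    """Return None if intact, else the index where verification first fails.

    anchored_head is the last hash as stored outside the log (assumption: some
    separate, write-once location). A mismatch returns len(log).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev_hash = entry["hash"]
    if anchored_head is not None and not hmac.compare_digest(prev_hash, anchored_head):
        return len(log)   # tail truncated, or the whole log was rebuilt
    return None

def sample_log():
    """Constructed entries for the demonstration."""
    log = []
    append_entry(log, "alice", "quote.create customer=Durand", "2025-01-10T09:00:00Z", "tok-01")
    append_entry(log, "agent:alice", "invoice.create amount=1500", "2025-01-10T09:01:00Z", "tok-02")
    append_entry(log, "agent:alice", "invoice.send id=1", "2025-01-10T09:02:00Z", "tok-02")
    return log
```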
To these guardrails is added a read-only-by-default logic: an agent can freely consult and inform, while write operations remain conditional on active authorization. A clear boundary between "reading" and "acting."
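The two ideas of tool generation from an OpenAPI specification and read-only by default fit together, as this added example shows (it is not the eyeot server's code): each documented operation becomes an MCP tool descriptor, the HTTP method decides its `readOnlyHint` annotation, and the server refuses write tools unless a write scope was granted. The OpenAPI fragment, the `route` key and the scope names `erp:read` and `erp:write` are assumptions.

```python
HTTP_METHODS = {"get", "head", "post", "put", "patch", "delete"}
WRITE_METHODS = {"post", "put", "patch", "delete"}

# Constructed OpenAPI fragment; paths and operationIds are hypothetical.
SPEC = {"paths": {"/invoices": {
    "get": {"operationId": "listInvoices", "summary": "List invoices",
            "parameters": [{"name": "status", "in": "query", "schema": {"type": "string"}}]},
    "post": {"operationId": "createInvoice", "summary": "Create an invoice",
             "requestBody": {"content": {"application/json": {"schema": {
                 "type": "object", "required": ["customer", "amount"],
                 "properties": {"customer": {"type": "string"},
                                "amount": {"type": "number"}}}}}}},
}}}

def tools_from_openapi(spec):
    """Map each documented operation to an MCP-style tool descriptor."""
    tools = {}
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:       # skip path-level keys such as "parameters"
                continue
            props, required = {}, []
            for param in op.get("parameters", []):
                props[param["name"]] = param.get("schema", {})
                if param.get("required"):
                    required.append(param["name"])
            body = (op.get("requestBody", {}).get("content", {})
                      .get("application/json", {}).get("schema", {}))
            props.update(body.get("properties", {}))
            required += body.get("required", [])
            tools[op["operationId"]] = {
                "name": op["operationId"],
                "description": op.get("summary", ""),
                "inputSchema": {"type": "object", "properties": props, "required": required},
                "annotations": {"readOnlyHint": method not in WRITE_METHODS},
                "route": (method.upper(), path),  # server-internal, not sent to the agent
            }
    return tools

def authorize_call(tool, granted_scopes):
    """Server-side gate: reading needs erp:read, any write needs erp:write."""
    needed = "erp:read" if tool["annotations"]["readOnlyHint"] else "erp:write"
    return needed in granted_scopes
```

The annotation is only a hint to the client; the decision that counts is the server-side check in `authorize_call`.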
Concrete use cases
Once the ERP can be driven by AI, the use cases multiply:
- Conversational reporting: "What is my revenue for the month and my outstanding receivables?" without opening a single dashboard.
- Assisted data entry: dictating an opportunity, a customer, or a ticket out loud, with the agent structuring the information.
- Cross-module orchestration: linking quotes, stock, and invoicing in a single instruction, drawing on the ERP's cross-module intelligence.
- Connecting to the ecosystem: combining the ERP with other tools through integrations triggered by the agent.
The goal is not to replace the interface but to offer an additional channel — faster for certain repetitive or exploratory tasks.
Discover eyeot
eyeot is a French ERP designed for this new generation of use cases: its MCP server exposes business operations to compatible agents, with built-in OAuth authentication, idempotency, dry-run mode, and audit logging. Agentic access respects the same permissions and the same isolation as the web interface.
If you want to experiment with driving an ERP from your favorite assistant, the free individual account opens access to every module for one user, with no credit card, so you can put the tool to the test under real conditions.