A focused Model Context Protocol (MCP) server that provides secure access to opportunities created today in your Salesforce instance. This server is designed to give users visibility into new sales opportunities without broader Salesforce access.
- Today's Opportunities Only: Restricted access to opportunities created today
- Essential Information: Returns opportunity name, stage, and owner details
- API Key Authentication: Secure access with configurable API key protection
- Rate Limiting: Prevents abuse with configurable request limits
- Security Logging: Comprehensive audit trail of all access attempts
- Real-time Data: Always shows current day's opportunities
- Production Ready: Configured for Heroku deployment with native MCP support
| Tool | Description | Returns |
|---|---|---|
| `get_todays_opportunities()` | Get all opportunities created today | Opportunity name, stage, owner, amount, close date |
```json
{
  "success": true,
  "total_count": 3,
  "opportunities": [
    {
      "id": "0061234567890AB",
      "name": "Acme Corp - Software License",
      "stage": "Prospecting",
      "owner": "John Smith",
      "amount": 50000,
      "close_date": "2025-01-31",
      "created_date": "2025-01-15T14:30:00.000+0000"
    }
  ],
  "summary": "Found 3 opportunities created today"
}
```

- Heroku CLI installed
- Git repository
- Salesforce credentials (username, password, security token)
- Clone and prepare the repository:

  ```bash
  git clone <your-repo-url>
  cd todays-opportunities-mcp
  ```

- Create Heroku app:

  ```bash
  heroku create your-opportunities-app
  ```

- Add the Managed Inference and Agents add-on:

  ```bash
  heroku addons:create heroku-managed-inference-and-agents:starter
  ```

- Configure environment variables:

  ```bash
  heroku config:set SF_USERNAME=your_salesforce_username
  heroku config:set SF_PASSWORD=your_password
  heroku config:set SF_SECURITY_TOKEN=your_security_token
  heroku config:set SF_INSTANCE_URL=https://your-company.salesforce.com
  heroku config:set SF_API_VERSION=58.0
  heroku config:set MCP_API_KEY=your_secure_random_api_key_here
  heroku config:set REQUIRE_AUTH=true
  ```

- Deploy:

  ```bash
  git push heroku main
  ```

- Test the opportunities tool:

  ```bash
  heroku open /health
  ```

After deployment with the Managed Inference and Agents add-on:
- Go to your Heroku app dashboard
- Click on "Managed Inference and Agents" add-on
- Copy your MCP Toolkit URL and MCP Toolkit Token
- Install dependencies:

  ```bash
  pip install -r requirements.txt
  ```

- Copy environment template:

  ```bash
  cp .env.example .env
  ```

- Configure your Salesforce credentials in `.env`

- Run locally:

  ```bash
  python main.py
  ```

- Test health endpoint:

  ```bash
  curl http://localhost:8000/health
  ```

Add to your Claude Desktop config:
```json
{
  "mcpServers": {
    "opportunities": {
      "command": "curl",
      "args": [
        "-X", "POST",
        "-H", "Authorization: Bearer YOUR_TOOLKIT_TOKEN",
        "-H", "X-API-Key: YOUR_MCP_API_KEY",
        "-H", "Content-Type: application/json",
        "YOUR_TOOLKIT_URL"
      ]
    }
  }
}
```

Add to your Cursor MCP settings:
```json
{
  "opportunities": {
    "url": "YOUR_TOOLKIT_URL",
    "token": "YOUR_TOOLKIT_TOKEN",
    "headers": {
      "X-API-Key": "YOUR_MCP_API_KEY"
    }
  }
}
```

For testing or custom integrations:
```bash
curl -X POST https://your-app.herokuapp.com/mcp \
  -H "X-API-Key: YOUR_MCP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"method": "tools/call", "params": {"name": "get_todays_opportunities"}}'
```

| Variable | Description | Required | Default |
|---|---|---|---|
| `SF_USERNAME` | Salesforce username | Yes | - |
| `SF_PASSWORD` | Salesforce password | Yes | - |
| `SF_SECURITY_TOKEN` | Salesforce security token | Yes | - |
| `SF_INSTANCE_URL` | Salesforce instance URL | No | Auto-detected |
| `SF_API_VERSION` | API version to use | No | 58.0 |
| `MCP_API_KEY` | API key for authentication | Yes | Auto-generated |
| `REQUIRE_AUTH` | Enable authentication | No | true |
| `RATE_LIMIT_REQUESTS` | Max requests per hour | No | 50 |
| `RATE_LIMIT_WINDOW` | Rate limit window (seconds) | No | 3600 |
| `PORT` | Server port | No | 8000 |
| `HOST` | Server host | No | 0.0.0.0 |
| `LOG_LEVEL` | Logging level | No | info |

- Username: Your Salesforce login email
- Password: Your Salesforce login password
- Security Token:
  - Log into Salesforce
  - Go to Settings → My Personal Information → Reset My Security Token
  - Check your email for the new token
Required Permissions: The Salesforce user must have read access to Opportunity objects.
Generate a secure random API key:
```bash
# Using Python
python -c "import secrets; print(f'mcp_{secrets.token_urlsafe(32)}')"

# Using OpenSSL
echo "mcp_$(openssl rand -base64 32 | tr -d '=+/' | cut -c1-32)"

# Using online generator
# Visit: https://passwordsgenerator.net/ (use 40+ characters)
```

The server will auto-generate a random key if `MCP_API_KEY` is not set and `REQUIRE_AUTH=true`.
Check the logs for the generated key: `Generated API key: mcp_abc123...`
- API Key Required: All MCP requests must include `X-API-Key` header
- Health Check Exempt: `/health` endpoint remains public for monitoring
- Secure Comparison: Uses constant-time comparison to prevent timing attacks
- Per-IP Limits: 50 requests per hour per IP address (configurable)
- Sliding Window: 1-hour sliding window prevents burst attacks
- Automatic Reset: Counters reset automatically after time window
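
One way to implement the API key check and per-IP sliding-window limit described above, as an added example (not this project's own code). `RequestGate`, `PUBLIC_PATHS` and every event label other than `AUTH_FAILURE` are hypothetical names, and applying the rate limit before the key check is an assumption.

```python
import hmac
import time
from collections import defaultdict, deque

PUBLIC_PATHS = {"/health"}  # exempt from auth, per the README


class RequestGate:
    """Per-IP sliding-window limit, then constant-time API key check."""

    def __init__(self, api_key, limit=50, window=3600):
        # Defaults mirror RATE_LIMIT_REQUESTS and RATE_LIMIT_WINDOW.
        self._key = api_key.encode()
        self._limit = limit
        self._window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of counted requests

    def _within_limit(self, ip, now):
        hits = self._hits[ip]
        # Slide the window: forget requests older than `window` seconds.
        while hits and now - hits[0] >= self._window:
            hits.popleft()
        if len(hits) >= self._limit:
            return False
        hits.append(now)
        return True

    def _key_ok(self, presented):
        # compare_digest does not return early at the first differing byte.
        return hmac.compare_digest((presented or "").encode(), self._key)

    def check(self, path, ip, presented_key, now=None):
        """Return (http_status, event_label) for one request."""
        now = time.time() if now is None else now
        if path in PUBLIC_PATHS:
            return 200, "PUBLIC"
        # Assumption: limit before auth, so repeated key guesses are throttled too.
        if not self._within_limit(ip, now):
            return 429, "RATE_LIMIT"
        if not self._key_ok(presented_key):
            return 401, "AUTH_FAILURE"
        return 200, "AUTH_SUCCESS"
```

Behind a proxy or platform router, `ip` must come from a forwarding header the platform itself sets; otherwise every client shares one counter or can pick its own.
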
All security events are logged with timestamps and IP addresses:
- Authentication successes and failures
- Rate limit violations
- Opportunity data access (with count)
- Invalid API key attempts
- HTTPS Enforcement: Production deployment forces HTTPS
- Security Logging: Comprehensive audit trail
- Error Handling: No sensitive information in error responses
Once deployed and configured, you can use the get_todays_opportunities() tool through any MCP client:
- Claude Desktop: "Show me today's opportunities"
- Cursor IDE: Access through MCP commands
- Custom Clients: Call the tool via the MCP protocol
The tool will return a formatted list of all opportunities created today, including:
- Opportunity name
- Current stage
- Owner name
- Deal amount
- Expected close date
- Read-only access: Cannot modify Salesforce data
- Today only: Restricted to opportunities created on the current date
- Essential fields: Only returns key opportunity information
- No sensitive data: Excludes internal notes, financials, or personal information
- API Key Authentication: Prevents unauthorized access
- Rate Limiting: Protects against abuse and scraping
- IP-based tracking: Monitors access patterns by source
- Comprehensive logging: Full audit trail for compliance
- Secure credentials: Environment variables protect Salesforce access
- Health Check: `GET /health` - Returns server and Salesforce connection status
- Logging: All queries and errors are logged for troubleshooting
- Health Check: `GET /health` - Returns server and Salesforce connection status (no auth required)
- Security Logs: All authentication and access events are logged
- Error Tracking: Failed requests and errors captured with context
```bash
# View all logs
heroku logs --tail

# Filter security events only
heroku logs --tail | grep "SECURITY"

# View authentication failures
heroku logs --tail | grep "AUTH_FAILURE"
```

For issues:
- Check health: Visit `/health` endpoint for connection status
- Review security logs: Look for authentication or rate limit issues
- Verify credentials: Ensure Salesforce credentials and API key are correct
- Check permissions: Verify Salesforce user has Opportunity read access
- Test API key: Use curl to test direct API access with your key