modiva.ai

Architecture

Three layers · tokens never touch the MCP

The MCP server forwards; it holds no secrets. That single rule unlocks OAuth-as-a-service later without rewriting a thing.

LAYER 1 · Agents & clients
Claude · Cursor · Claude Code · n8n · Your app
Bearer mk_live_… over streamable HTTP

LAYER 2 · Modiva MCP · mcp.modiva.ai

Typed tools, grouped by resource. Validates, authorizes, forwards to connections. Holds no tokens.

accounts_ · posts_ · comments_ · messages_ · analytics_ · ads_ · queue_ · connect_
normalized schema · per-platform adapter

LAYER 3 · Backend engine
Token vault: app-level + KMS
Adapters: one per platform
Queue: rate-limit · retry
Webhook ingest: single envelope

Tenancy model

Four nested levels. Profile is the agency primitive — it lets one MCP key drive 80 client accounts without ambiguity.

ORG · billing account
  WORKSPACE · project / team · holds the MCP key
    PROFILE · a client or brand · geo metadata lives here
      CONNECTION = 1 token · CONNECTION = 1 token · CONNECTION = 1 token

Postgres data model

Core tables and their foreign keys. Tokens are an encrypted blob, never a plain column.

orgs
  id pk
  name
  billing_customer_id

workspaces
  id pk
  org_id → orgs
  name

profiles
  id pk
  workspace_id → ws
  name · country · tz

connections
  id pk
  profile_id → profiles
  platform · scopes · geo

tokens
  connection_id → conn
  ciphertext · kms_key_id
  expires_at

mcp_keys
  id pk
  workspace_id → ws
  prefix · scopes · hash

audit_log
  workspace_id → ws
  actor · tool · args_hash
  result · created_at

jobs
  connection_id → conn
  type · run_at · status
  attempts
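
An added example, not Modiva's code: one way a server can check a "Bearer mk_live_…" key against an mcp_keys row that stores only prefix, scopes and hash, so the plaintext key is never persisted. The SHA-256 hash, the 16-character prefix, the in-memory row lookup and the scope names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 16  # assumption: "mk_live_" plus 8 characters locates the row


def issue_key(workspace_id, scopes):
    """Return (plaintext key, shown once) and the row to store in mcp_keys."""
    key = "mk_live_" + secrets.token_urlsafe(32)
    row = {
        "workspace_id": workspace_id,
        "prefix": key[:PREFIX_LEN],          # safe to index and display
        "scopes": frozenset(scopes),         # hypothetical scope names
        "hash": hashlib.sha256(key.encode()).hexdigest(),  # assumed algorithm
    }
    return key, row


def authorize(header, tool_scope, rows_by_prefix):
    """Return the workspace_id if the key is valid and carries tool_scope, else None.

    rows_by_prefix stands in for a lookup on mcp_keys.prefix.
    """
    scheme, _, key = header.partition(" ")
    if scheme != "Bearer" or not key.startswith("mk_live_"):
        return None
    row = rows_by_prefix.get(key[:PREFIX_LEN])
    presented = hashlib.sha256(key.encode()).hexdigest()
    # Unknown prefix: still run the comparison against a dummy value so
    # "no such key" and "wrong key" take the same code path.
    stored = row["hash"] if row else "0" * 64
    if not hmac.compare_digest(presented, stored) or row is None:
        return None
    # The key authenticates a workspace; the tool still needs a matching scope.
    if tool_scope not in row["scopes"]:
        return None
    return row["workspace_id"]
```

A leaked mcp_keys table then exposes prefixes and hashes only; a plain fast hash is acceptable here because the key carries 256 bits of randomness rather than a user-chosen password.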