MCP Meets Salesforce: What TDX 2026 Reveals About the Agent Protocol Future
97 million monthly SDK downloads. That’s how fast the Model Context Protocol grew in just 16 months — from an experimental Anthropic project to the standard that OpenAI, Google, Microsoft, Amazon, and now Salesforce all build on.
To put that in perspective: React took about three years to hit 100 million monthly npm downloads. Kubernetes took roughly four years to reach comparable deployment density.
MCP did it in 16 months.
And at TDX 2026 — Salesforce’s developer conference running April 15–16 in San Francisco — MCP wasn’t just mentioned in a breakout session. It was a marquee topic with dedicated sessions on vibe coding, MCP integration, and semantic grounding. Salesforce has quietly built what might be the most comprehensive MCP implementation in enterprise software.
Here’s the thing: most Salesforce partners, ISVs, and enterprise architects don’t fully understand what MCP is yet. They’ve heard the term. They’ve seen the hype. But they haven’t mapped what it means for their Agentforce implementations, their AppExchange products, or their integration architecture.
This article fixes that. We’ll break down what MCP actually is, how Salesforce has implemented it across six layers of their stack, what the complementary A2A protocol adds, and what ISVs and enterprise builders should be doing right now.
What Is MCP? (And Why Should You Care?)
The Model Context Protocol is an open standard that standardizes how AI systems connect to external tools, data sources, and services. Think of it as USB-C for AI applications.
Before MCP, every AI integration was custom. Want your AI agent to read a Salesforce record? Write a custom function call. Want it to query Snowflake? Write another one. Want it to check Jira? Another custom integration.
That’s the N×M problem. N AI models times M tools equals N×M custom integrations.
MCP turns that into N+M. Build one MCP server per tool. Every MCP-compatible AI client can use it. One server, universal access.
The Architecture in 60 Seconds
MCP uses a three-tier client-server model built on JSON-RPC 2.0:
MCP Hosts are the user-facing applications where AI interactions happen — Claude Desktop, Cursor IDE, VS Code, ChatGPT. The host runs the LLM and acts as the security broker.
MCP Clients are middleware embedded within host apps. Each client maintains a dedicated 1:1 connection with a single MCP server via stateful sessions, enforcing secure isolation.
MCP Servers are lightweight processes exposing capabilities through three standardized primitives: Tools (active operations with side effects), Resources (read-only data endpoints), and Prompts (reusable templates for consistent interactions).
The connection lifecycle is straightforward: initialize, capability handshake, ready. Transport options include stdio for local connections and Streamable HTTP for production-ready remote deployments.
Now, here’s the really interesting part.
The Adoption Numbers Are Staggering
MCP launched in November 2024 when Anthropic open-sourced it under the MIT license. The early numbers were modest — around 2 million monthly downloads.
Then OpenAI adopted MCP on March 26, 2025. Sam Altman’s announcement was the inflection point.
Within 12 months of that moment, MCP reached 97 million monthly SDK downloads across Python and TypeScript. Over 10,000 public MCP servers exist across registries. More than 300 MCP clients are in production. 72% of developers surveyed plan to increase their MCP usage.
In December 2025, Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation — co-founded by Anthropic, Block, and OpenAI, with AWS, Google, Microsoft, Cloudflare, and Bloomberg as supporting members.
This isn’t one company’s protocol anymore. It’s an industry standard governed by neutral infrastructure.
Salesforce’s 6-Layer MCP Strategy
This is where it gets tactical for ISVs and enterprise architects. Salesforce hasn’t just “adopted” MCP. They’ve implemented it across six distinct layers of their platform. No other enterprise vendor has gone this deep.
Layer 1: Pre-Built MCP Servers for Developers
Available now. Three MCP servers you can install in any MCP-supported IDE today:
Salesforce DX MCP Server (Developer Preview) — 60+ tools for deploying code, creating scratch orgs, running tests via natural language. Open source at github.com/salesforcecli/mcp.
Heroku Platform MCP Server (GA) — manage Heroku apps through natural language prompts.
MuleSoft MCP Server (GA) — manage and deploy MuleSoft projects from your IDE.
Think about that. A developer using Cursor or Claude Code can now deploy Apex, create scratch orgs, and run tests without leaving their AI coding tool. The DX MCP Server is installed by default in Code Builder.
Layer 2: Agentforce as Native MCP Client
This is the big one. Agentforce launched native MCP client support in Pilot with the July 2025 release. The Beta rolled out in January 2026.
What this means: your Agentforce agents can connect to ANY MCP-compliant server — without custom code. MCP actions appear like regular agent actions in Agentforce Builder. You configure them, test them in Plan Canvas, and deploy.
Salesforce built an enterprise-grade MCP Server Registry with allowlists, rate limiting, identity management, and access protocols. Admins control exactly which tools and metadata are exposed to which agents.
But wait — there’s a practical constraint. Currently, each agent supports approximately 20 simultaneous MCP tools for context management. So you’re curating capabilities, not dumping everything into one agent.
Layer 3: Salesforce-Hosted MCP Servers
Currently in Pilot. Salesforce is introducing hosted MCP servers that expose targeted Salesforce APIs. These work with Claude Desktop, Cursor, and other MCP clients.
The future here is compelling: customers and partners will be able to build and package custom MCP servers directly on the Salesforce Platform.
Layer 4: MuleSoft API-to-MCP Conversion
GA now. Anypoint Platform can convert ANY existing API or Mule application into an MCP server. If you’ve already built MuleSoft integrations, they become MCP-accessible without rebuilding them.
For enterprises with hundreds of MuleSoft APIs, this is the fastest path to MCP adoption. Your existing integration investment converts directly.
Layer 5: Heroku for Custom MCP Server Hosting
Build custom MCP servers in any language or SDK, host them on Heroku, and connect to Agentforce via AppLink. This is the developer-first path for custom tool creation.
Layer 6: AgentExchange MCP Marketplace
AgentExchange — the evolution of AppExchange for the agent era — now includes a growing catalog of vetted MCP servers. Partners can list MCP servers; enterprises deploy with no code via Agentforce Builder.
Over 200 partners have committed to the ecosystem. 50+ agent actions are already live.
Think about it: the AppExchange model — the model that built Salesforce’s partner economy — is being replicated for agent tools via MCP.
Agentforce 360: The Platform MCP Plugs Into
To understand why MCP matters for Salesforce, you need to understand what it’s plugging into. Agentforce 360 — unveiled at Dreamforce 2025 — is a complete re-architecture of the Salesforce suite into four pillars:
1. Agentforce 360 Platform — the logic, reasoning, and runtime layer powered by the Atlas Reasoning Engine. This is where MCP actions execute.
2. Data 360 — formerly Data Cloud (its sixth name change). The context engine feeding agents structured and unstructured data. Hybrid data lakehouse with Zero-Copy federation, Tableau Semantics, and a $60K/year Starter tier.
3. Customer 360 Apps — Sales, Service, Marketing, Commerce business logic.
4. Slack — repositioned as the “Agentic Operating System” — the conversational front end for human-agent collaboration.
The numbers back the platform bet. Salesforce reported FY26 revenue of $41.5 billion. Agentforce and Data 360 hit approximately $1.4 billion ARR with 114% year-over-year growth. Over 9,500 paid Agentforce deals closed. 3.2 trillion tokens processed.
Here’s why this matters for MCP: when an Agentforce agent uses an MCP server to query an external tool, the Atlas Reasoning Engine decides which tools to call, Data 360 provides the context, and the Einstein Trust Layer masks PII before anything reaches an LLM. MCP actions execute within this trust boundary — not outside it.
That’s the enterprise-grade difference between Salesforce’s MCP implementation and a developer bolting MCP onto a standalone AI agent.
Key TDX 2026 Sessions on MCP
TDX 2026 featured three dedicated MCP sessions:
“Salesforce Developer Tools Roadmap: Vibe Coding, MCP, and ALM” — the strategic roadmap placing MCP at the center of Salesforce development tooling.
“Scale Vibe Coding with Semantic Grounding using Salesforce Unified Catalog and MCP” — how Metadata MCP Tools enable well-architected metadata creation through AI coding assistants.
“Building flows, objects, and more via natural language with Vibes IDE + MCP” — practical demonstrations of declarative Salesforce development through MCP-connected AI tools.
A $50,000 hackathon showcased Agentforce solutions built by three finalists. The conference featured 400+ sessions across five pillars: Agentforce 360, Data 360, Automation, Core Platform, and Vibe Coding.
A2A Protocol: The Other Protocol You Need to Know
MCP solves agent-to-tool connectivity. But what about agent-to-agent communication?
That’s where Google’s Agent2Agent Protocol (A2A) comes in.
Announced in April 2025 at Google Cloud Next with 50+ launch partners, A2A enables independent AI agents to discover each other, communicate, and collaborate as peers — across frameworks and vendors.
MCP vs A2A: Complementary, Not Competing
The industry consensus — from Google, Anthropic, Microsoft, and Salesforce — is clear: these protocols are complementary building blocks.
| MCP (Model Context Protocol) | A2A (Agent2Agent Protocol) |
| Agent-to-tool connectivity | Agent-to-agent communication |
| Vertical axis: how agents access tools | Horizontal axis: how agents coordinate |
| Created by Anthropic (Nov 2024) | Created by Google (Apr 2025) |
| 97M+ monthly downloads | 150+ partner organizations |
| Under Linux Foundation (AAIF) | Under Linux Foundation (LF AI) |
| JSON-RPC 2.0 + stdio/HTTP | JSON-RPC 2.0 + HTTP/SSE/gRPC |
| Tools, Resources, Prompts | Agent Cards, Tasks, Messages, Artifacts |
Google’s own metaphor captures it well: if MCP is the plumbing connecting each agent to its specific tools, A2A is the electrical distribution panel coordinating how agents work together.
The architecture pattern emerging in production looks like this: a client agent (orchestrator) uses A2A to communicate with remote specialist agents. Each specialist agent uses MCP internally to access its specific tools. The orchestrator never needs to know how each specialist’s tools work — it just communicates outcomes via A2A.
Salesforce’s Dual-Protocol Position
This is where Salesforce’s strategic positioning gets interesting.
Salesforce is a founding member of BOTH protocols. They sit on the A2A Technical Steering Committee and actively participate in MCP governance via the Agentic AI Foundation.
MuleSoft’s Agent Fabric already auto-detects and catalogs AI agents across Agentforce, Amazon Bedrock, and Google Vertex AI, mapping to A2A card specifications. This is GA now.
No other enterprise platform is a founding or governing member of both MCP and A2A simultaneously. Salesforce is uniquely positioned at the intersection of tool connectivity and agent orchestration.
The Partnerships Fueling This Strategy
Anthropic: The Deepest Integration
Claude is a foundational model for Agentforce 360 and the first LLM provider fully contained within the Salesforce trust boundary. The partnership is deep: Claude as the preferred AI for regulated industries. Salesforce deploying Claude Code across its global engineering organization. MCP Apps enabling Slack for Claude and Agentforce 360 extensions for Claude.
The Anthropic connection is what makes Salesforce’s MCP strategy authentic — not bolted on. MCP was born at Anthropic. Salesforce is building natively on it because their primary LLM partner created it.
OpenAI: The ChatGPT Bridge
Agentforce launched inside ChatGPT as an open beta in December 2025. Users can create leads, update opportunities, and trigger agent workflows from ChatGPT. Salesforce built this integration in roughly four weeks — partly to prevent what they called “homegrown MCP servers from customers just spitting out data around the trust boundary.”
Copado: AgentOps Arrives
One day before TDX — April 14, 2026 — Copado launched Agentia, a “Salesforce-first 360 delivery solution” embedding context-aware AI agents into the software delivery lifecycle. Agentia includes a Context Hub, specialized agents for Plan, Build, Test, Release, and Operate phases, and a studio for custom agent creation. Backed by Insight Partners, SoftBank, and Salesforce Ventures.
This signals a new category: AgentOps — managing the lifecycle of AI agents the way DevOps manages the lifecycle of applications.
The Security Reality Check
Look — MCP isn’t all sunshine. The security landscape is real, and enterprise builders need to understand it.
Tool Poisoning Attacks were discovered by Invariant Labs in April 2025. Malicious instructions embedded in tool metadata — visible to the AI but hidden from users — can instruct models to read SSH keys, config files, and exfiltrate data.
Rug Pull attacks silently alter tool behavior after initial user approval. Most MCP clients don’t detect metadata changes between sessions.
Supply chain attacks are real. A Postmark MCP server was compromised to blind-copy every outgoing email to attackers. CVE-2025-6514 — a critical command injection in mcp-remote — affected over 437,000 environments.
Over 30 CVEs targeting MCP infrastructure were filed in January and February 2026 alone. This isn’t theoretical risk. It’s happening.
Why Salesforce’s Enterprise-Grade Approach Matters
This is precisely why Salesforce’s MCP Server Registry matters. The registry includes allowlists (admins control which tools agents can access), rate limiting, identity management, and access protocols. MCP actions execute within the Einstein Trust Layer — PII masking, audit trails, and compliance monitoring come built in.
The difference between connecting an open-source MCP server to Claude Desktop and connecting that same server through Agentforce’s enterprise registry is the difference between a prototype and a production deployment.
Best practices for enterprise MCP adoption: sandbox all MCP servers in containers, apply principle of least privilege, inspect tool metadata before and after approval, pin versions via MCP gateways, implement OAuth 2.1, log everything, and keep humans in the loop for sensitive operations.
What ISVs and Enterprise Builders Should Do Now
The bottom line: the development paradigm is shifting. You’re not just building apps and flows anymore. You’re building agent actions and MCP servers.
Five Actions for the Next 90 Days
1. Learn the MCP spec. Read modelcontextprotocol.io. Understand hosts, clients, servers, tools, resources, and prompts. Install the Salesforce DX MCP Server in Cursor or VS Code. Experience it firsthand.
2. Identify your MCP server opportunities. What proprietary data or workflows could you expose as an MCP server? Every Integration Procedure, every custom API, every data pipeline is a potential MCP server. The question is: which ones create the most value when AI agents can access them?
3. Start building for AgentExchange. If you’re an ISV, AgentExchange is the distribution channel for the agent era. Pre-built agent actions and MCP servers are the new AppExchange listings. The first movers in each vertical will own the category.
4. Adopt the dual-protocol mindset. MCP for how your agents access tools. A2A for how your agents communicate with other agents. Both are governed by the Linux Foundation. Both have Salesforce as a founding member. Build for both.
5. Invest in security from Day 1. MCP security isn’t optional. Tool poisoning, rug pulls, and supply chain attacks are active threats. Use Salesforce’s MCP Server Registry. Sandbox your servers. Audit metadata. Log everything. Don’t treat MCP security as a post-launch concern.
How Xillentech Is Building for the Protocol Era
We’re not writing about MCP from the sidelines. We’re building on it.
DealerVogue — our Agentforce-native operating system for automotive dealerships — uses Integration Procedures as the reusable service layer that serves FlexCards, OmniScripts, and Agentforce agents from the same declarative logic. As MCP support matures, these Integration Procedures become MCP server candidates, exposing warranty verification, parts lookup, and service scheduling to any MCP-compatible AI client.
ConnectVogue — our WhatsApp and SMS messaging product for Salesforce — already operates as a BYOK architecture where customer-owned API keys manage external connections. The MCP paradigm aligns naturally with this model: each messaging channel becomes an MCP tool that any Agentforce agent can invoke.
Our CLEAN architecture (Controllers-Services-Domains-Selectors) is designed to produce agent-ready, security-review-ready code from Day 1. When Salesforce opens the pathway for partners to package custom MCP servers on the platform, we’ll be ready.
The protocol era rewards builders who design for interoperability, govern their agent boundaries, and ship production-grade integrations — not demos.
Frequently Asked Questions
What is MCP in Salesforce?
MCP (Model Context Protocol) is an open standard that Salesforce has adopted across its entire platform to standardize how Agentforce agents connect to external tools, data sources, and services. Salesforce’s implementation includes pre-built MCP servers for DX, Heroku, and MuleSoft; native MCP client support in Agentforce (Beta since January 2026); Salesforce-hosted MCP servers; MuleSoft API-to-MCP conversion; Heroku custom MCP server hosting; and AgentExchange MCP marketplace. MCP hit 97 million monthly SDK downloads and is governed by the Linux Foundation.
How does Agentforce use MCP?
Agentforce acts as a native MCP client (Beta since January 2026). Agents connect to any MCP-compliant server without custom code. MCP actions appear like regular agent actions in Agentforce Builder. Salesforce provides an enterprise-grade MCP Server Registry with allowlists, rate limiting, and identity management. Admins control which tools are exposed to which agents. Each agent supports approximately 20 simultaneous MCP tools. Actions execute within the Einstein Trust Layer for PII masking and audit trails.
What is the difference between MCP and A2A?
MCP (Model Context Protocol) handles agent-to-tool connectivity — how an AI agent accesses databases, APIs, file systems, and services. A2A (Agent2Agent Protocol) handles agent-to-agent communication — how independent AI agents discover, coordinate, and collaborate as peers. They are complementary: an agent uses MCP internally to access its tools, and A2A externally to communicate with other agents. Salesforce is a founding member of both protocols’ governance bodies.
What was announced at TDX 2026 regarding MCP?
TDX 2026 (April 15–16, San Francisco) featured three dedicated MCP sessions covering the Salesforce Developer Tools Roadmap (Vibe Coding, MCP, ALM), semantic grounding using Unified Catalog and MCP, and building Salesforce components via natural language with Vibes IDE + MCP integration. Broader announcements included Agentforce 360 updates, Data 360 capabilities, a $50,000 hackathon, and 400+ sessions across five pillars. Copado also launched Agentia one day before TDX.
What should ISVs do to prepare for MCP?
Five actions for the next 90 days: (1) Learn the MCP spec at modelcontextprotocol.io and install the Salesforce DX MCP Server. (2) Identify which proprietary data or workflows could become MCP servers. (3) Start building for AgentExchange as the distribution channel for agent actions and MCP servers. (4) Adopt a dual-protocol mindset — MCP for tool access, A2A for agent orchestration. (5) Invest in MCP security from Day 1 — use Salesforce’s MCP Server Registry, sandbox servers, and audit tool metadata.
Is MCP secure for enterprise use?
DMCP has active security concerns: tool poisoning attacks (malicious instructions in tool metadata), rug pull attacks (silently altered tool behavior), and supply chain attacks (30+ CVEs filed in January–February 2026). However, Salesforce’s enterprise MCP implementation addresses these through the MCP Server Registry (allowlists, rate limiting, access protocols), Einstein Trust Layer (PII masking, audit trails), and admin-controlled tool exposure. Enterprise adoption requires sandboxing, version pinning, OAuth 2.1, comprehensive logging, and human-in-the-loop for sensitive operations.
How does MCP connect to Data 360 and Data Cloud?
Data 360 (formerly Data Cloud) provides the context layer that grounds Agentforce agents in real enterprise data. When an agent uses MCP to access external tools, Data 360 provides the unified customer profiles, segment membership, and calculated insights that give those tool interactions business context. MCP servers can query Data 360 DMOs, and Data 360’s Zero-Copy federation means external data warehouses (Snowflake, BigQuery, Databricks) are accessible without duplication. MCP handles tool connectivity; Data 360 handles data context.
Ready to Build Agentforce Agents with MCP?
Xillentech is a Salesforce ISV + Consulting Partner building Agentforce-native solutions with MCP integration. Our CLEAN architecture produces agent-ready, security-review-ready code from Day 1. Whether you’re building AppExchange products, deploying Agentforce agents, or designing your MCP server strategy — we can help.
