d365fo-client 0.3.0__py3-none-any.whl → 0.3.2__py3-none-any.whl

d365fo_client/crud.py

@@ -1,13 +1,14 @@
 """CRUD operations for D365 F&O client."""
 
-from typing import Any, Dict, List, Optional, Union
-
-import aiohttp
+from typing import Any, Dict, Optional, Union, TYPE_CHECKING
 
 from .models import QueryOptions
 from .query import QueryBuilder
 from .session import SessionManager
 
+if TYPE_CHECKING:
+    from .models import PublicEntityInfo
+
 
 class CrudOperations:
     """Handles CRUD operations for F&O entities"""
@@ -23,13 +24,17 @@ class CrudOperations:
         self.base_url = base_url
 
     async def get_entities(
-        self, entity_name: str, options: Optional[QueryOptions] = None
+        self,
+        entity_name: str,
+        options: Optional[QueryOptions] = None,
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> Dict[str, Any]:
         """Get entities with OData query options
 
         Args:
             entity_name: Name of the entity set
             options: OData query options
+            entity_schema: Optional entity schema for validation/optimization
 
         Returns:
             Response containing entities
@@ -52,6 +57,7 @@ class CrudOperations:
         entity_name: str,
         key: Union[str, Dict[str, Any]],
         options: Optional[QueryOptions] = None,
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> Dict[str, Any]:
         """Get single entity by key
 
@@ -59,13 +65,15 @@ class CrudOperations:
             entity_name: Name of the entity set
             key: Entity key value (string for simple keys, dict for composite keys)
             options: OData query options
+            entity_schema: Optional entity schema for type-aware key encoding
 
         Returns:
             Entity data
         """
         session = await self.session_manager.get_session()
         query_string = QueryBuilder.build_query_string(options)
-        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key)
+        # Use schema-aware URL building for proper key encoding
+        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key, entity_schema)
         url += query_string
 
         async with session.get(url) as response:
@@ -78,13 +86,17 @@ class CrudOperations:
                 )
 
     async def create_entity(
-        self, entity_name: str, data: Dict[str, Any]
+        self,
+        entity_name: str,
+        data: Dict[str, Any],
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> Dict[str, Any]:
         """Create new entity
 
         Args:
             entity_name: Name of the entity set
             data: Entity data to create
+            entity_schema: Optional entity schema for validation
 
         Returns:
             Created entity data
@@ -107,6 +119,7 @@ class CrudOperations:
         key: Union[str, Dict[str, Any]],
         data: Dict[str, Any],
         method: str = "PATCH",
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> Dict[str, Any]:
         """Update existing entity
 
@@ -115,12 +128,14 @@ class CrudOperations:
             key: Entity key value (string for simple keys, dict for composite keys)
             data: Updated entity data
             method: HTTP method (PATCH or PUT)
+            entity_schema: Optional entity schema for type-aware key encoding and validation
 
         Returns:
             Updated entity data
         """
         session = await self.session_manager.get_session()
-        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key)
+        # Use schema-aware URL building for proper key encoding
+        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key, entity_schema)
 
         async with session.request(method, url, json=data) as response:
             if response.status in [200, 204]:
@@ -134,19 +149,24 @@ class CrudOperations:
                 )
 
     async def delete_entity(
-        self, entity_name: str, key: Union[str, Dict[str, Any]]
+        self,
+        entity_name: str,
+        key: Union[str, Dict[str, Any]],
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> bool:
         """Delete entity
 
         Args:
             entity_name: Name of the entity set
             key: Entity key value (string for simple keys, dict for composite keys)
+            entity_schema: Optional entity schema for type-aware key encoding
 
         Returns:
             True if successful
         """
         session = await self.session_manager.get_session()
-        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key)
+        # Use schema-aware URL building for proper key encoding
+        url = QueryBuilder.build_entity_url(self.base_url, entity_name, key, entity_schema)
 
         async with session.delete(url) as response:
             if response.status in [200, 204]:
@@ -163,6 +183,7 @@ class CrudOperations:
         parameters: Optional[Dict[str, Any]] = None,
         entity_name: Optional[str] = None,
         entity_key: Optional[Union[str, Dict[str, Any]]] = None,
+        entity_schema: Optional["PublicEntityInfo"] = None
     ) -> Any:
         """Call OData action method
 
@@ -171,13 +192,15 @@ class CrudOperations:
             parameters: Action parameters
             entity_name: Entity name for bound actions
             entity_key: Entity key for bound actions (string for simple keys, dict for composite keys)
+            entity_schema: Optional entity schema for type-aware key encoding in bound actions
 
         Returns:
             Action result
         """
         session = await self.session_manager.get_session()
+        # Use schema-aware URL building for entity-bound actions
         url = QueryBuilder.build_action_url(
-            self.base_url, action_name, entity_name, entity_key
+            self.base_url, action_name, entity_name, entity_key, entity_schema
         )
 
         # Prepare request body

d365fo_client/main.py

@@ -236,6 +236,7 @@ def create_argument_parser() -> argparse.ArgumentParser:
     _add_metadata_commands(subparsers)
     _add_entity_commands(subparsers)
     _add_action_commands(subparsers)
+    _add_service_commands(subparsers)
     _add_config_commands(subparsers)
 
     return parser
@@ -449,6 +450,63 @@ def _add_config_commands(subparsers) -> None:
     default_parser.add_argument("profile_name", help="Profile name")
 
 
+def _add_service_commands(subparsers) -> None:
+    """Add JSON service commands."""
+    service_parser = subparsers.add_parser("service", help="JSON service operations")
+    service_subs = service_parser.add_subparsers(
+        dest="service_subcommand", help="Service subcommands"
+    )
+
+    # call subcommand - generic service call
+    call_parser = service_subs.add_parser(
+        "call", help="Call a generic JSON service endpoint"
+    )
+    call_parser.add_argument(
+        "service_group", help="Service group name (e.g., 'SysSqlDiagnosticService')"
+    )
+    call_parser.add_argument(
+        "service_name", 
+        help="Service name (e.g., 'SysSqlDiagnosticServiceOperations')"
+    )
+    call_parser.add_argument(
+        "operation_name", help="Operation name (e.g., 'GetAxSqlExecuting')"
+    )
+    call_parser.add_argument(
+        "--parameters",
+        help="JSON string with parameters to send in POST body",
+    )
+
+    # sql-diagnostic subcommand - convenience wrapper for SQL diagnostic operations
+    sql_parser = service_subs.add_parser(
+        "sql-diagnostic", help="Call SQL diagnostic service operations"
+    )
+    sql_parser.add_argument(
+        "operation",
+        choices=[
+            "GetAxSqlExecuting",
+            "GetAxSqlResourceStats",
+            "GetAxSqlBlocking", 
+            "GetAxSqlLockInfo",
+            "GetAxSqlDisabledIndexes",
+        ],
+        help="SQL diagnostic operation to execute",
+    )
+    sql_parser.add_argument(
+        "--since-minutes",
+        type=int,
+        default=10,
+        help="For GetAxSqlResourceStats: get stats for last N minutes (default: 10)",
+    )
+    sql_parser.add_argument(
+        "--start-time",
+        help="For GetAxSqlResourceStats: start time (ISO format)",
+    )
+    sql_parser.add_argument(
+        "--end-time",
+        help="For GetAxSqlResourceStats: end time (ISO format)",
+    )
+
+
 def main() -> None:
     """Enhanced main entry point with CLI support."""
     parser = create_argument_parser()

d365fo_client/mcp/auth_server/auth/providers/apikey.py

@@ -0,0 +1,83 @@
+"""API Key authentication provider for FastMCP.
+
+This provider implements simple API key authentication using the Authorization header.
+Suitable for service-to-service authentication and simpler deployment scenarios.
+
+IMPORTANT: FastMCP uses BearerAuthBackend which extracts tokens from the Authorization header
+and calls token_verifier.verify_token(). Clients must send the API key as:
+    Authorization: Bearer <your-api-key>
+
+The token_verifier.verify_token() method performs constant-time comparison of the API key.
+"""
+
+from __future__ import annotations
+
+import secrets
+
+from pydantic import SecretStr
+
+from ..auth import AccessToken, TokenVerifier
+from d365fo_client.mcp.utilities.logging import get_logger
+
+logger = get_logger(__name__)
+
+
+class APIKeyVerifier(TokenVerifier):
+    """API Key token verifier for FastMCP.
+
+    This is a TokenVerifier that validates API keys sent as Bearer tokens.
+    FastMCP's BearerAuthBackend extracts the token from "Authorization: Bearer <token>"
+    and passes it to this verifier's verify_token() method.
+
+    This is a simpler alternative to OAuth for scenarios where:
+    - Service-to-service authentication is needed
+    - Simplified deployment without OAuth infrastructure
+    - Single-user or trusted client scenarios
+
+    Security features:
+    - Constant-time comparison to prevent timing attacks
+    - SecretStr storage to prevent accidental logging
+    - No token expiration (suitable for long-lived API keys)
+    """
+
+    def __init__(
+        self,
+        api_key: SecretStr,
+        base_url: str | None = None,
+        required_scopes: list[str] | None = None,
+    ):
+        """Initialize API key provider.
+
+        Args:
+            api_key: The secret API key value
+            base_url: Base URL of the server
+            required_scopes: Required scopes (for compatibility, not enforced for API keys)
+        """
+        super().__init__(base_url=base_url, required_scopes=required_scopes)
+        self.api_key = api_key
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        """Verify API key token.
+
+        This method is called by FastMCP's BearerAuthBackend after extracting
+        the token from "Authorization: Bearer <token>" header.
+
+        Args:
+            token: The API key extracted from the Authorization header
+
+        Returns:
+            AccessToken if valid, None otherwise
+        """
+        # Constant-time comparison to prevent timing attacks
+        if secrets.compare_digest(token, self.api_key.get_secret_value()):
+            logger.debug("API key authentication successful")
+            return AccessToken(
+                token=token,
+                scopes=self.required_scopes or [],
+                client_id="api_key_client",  # Fixed client_id for API key auth
+                expires_at=None,  # API keys don't expire
+                resource=None,
+            )
+
+        logger.warning("Invalid API key provided")
+        return None

d365fo_client/mcp/auth_server/auth/providers/azure.py

@@ -284,42 +284,110 @@ class AzureProvider(OAuthProxy):
 
     async def register_client(self, client_info: OAuthClientInformationFull) -> None:
         """Register a new MCP client, validating redirect URIs if configured."""
-        result = await super().register_client(client_info)
-        self._save_clients()
-        return result
+        await super().register_client(client_info)
+        try:
+            self._save_clients()
+        except Exception as e:
+            logger.error(f"Failed to persist client registration: {e}")
+            # Don't raise here as the client is already registered in memory
 
-    def _save_clients(self) -> str | None:
+    def _save_clients(self) -> None:
+        """Save client data to persistent storage.
+        
+        Raises:
+            ValueError: If clients_storage_path is not configured
+            OSError: If file operations fail
+        """
         if not self.clients_storage_path:
             logger.warning("No clients storage path configured. Skipping client save.")
-            return None
+            return
         
-        # Store self._clients to clients.json
         try:
-            client_json_path = Path(self.clients_storage_path) / "clients.json"
+            # Ensure the storage directory exists
+            storage_dir = Path(self.clients_storage_path)
+            storage_dir.mkdir(parents=True, exist_ok=True)
+            
+            client_json_path = storage_dir / "clients.json"
+            
             # Convert OAuthClientInformationFull objects to dictionaries for JSON serialization
-            clients_dict = {
-                client_id: client.model_dump() if hasattr(client, 'model_dump') else client.__dict__
-                for client_id, client in self._clients.items()
-            }
-            with client_json_path.open("w") as f:
-                json.dump(clients_dict, f, indent=2)
+            # Use mode="json" to properly serialize complex types like AnyUrl
+            clients_dict = {}
+            for client_id, client in self._clients.items():
+                try:
+                    if hasattr(client, 'model_dump'):
+                        # Use json mode to ensure proper serialization of complex types (e.g., AnyUrl)
+                        clients_dict[client_id] = client.model_dump(mode="json")
+                    else:
+                        # Fallback for non-Pydantic objects (shouldn't happen with OAuthClientInformationFull)
+                        clients_dict[client_id] = client.__dict__
+                except Exception as client_error:
+                    logger.error(f"Failed to serialize client {client_id}: {client_error}")
+                    continue
+            
+            # Write to temporary file first, then rename for atomic operation
+            temp_path = client_json_path.with_suffix('.tmp')
+            with temp_path.open("w") as f:
+                json.dump(clients_dict, f, indent=2, ensure_ascii=False)
+            
+            # Atomic rename
+            temp_path.replace(client_json_path)
+            
+            logger.debug(f"Successfully saved {len(clients_dict)} clients to {client_json_path}")
+            
         except Exception as e:
-            logger.error(f"Failed to write client data to {client_json_path}: {e}")
+            logger.error(f"Failed to save client data to {self.clients_storage_path}: {e}")
+            raise
 
     def _load_clients(self) -> None:
+        """Load client data from persistent storage.
+        
+        Loads clients from the JSON file if it exists and is valid.
+        Invalid client data is logged and skipped.
+        """
         if not self.clients_storage_path:
+            logger.debug("No clients storage path configured. Skipping client load.")
             return
         
-         # Load existing clients from storage if path is provided
-    
         try:
             client_json_path = Path(self.clients_storage_path) / "clients.json"
-            if client_json_path.exists():
-                with client_json_path.open("r") as f:
-                    clients_data = json.load(f)
-                    for client_id, client_info in clients_data.items():
-                        # Ensure client_id is a string (it should be from JSON, but type checking requires this)
-                        if isinstance(client_id, str):
-                            self._clients[client_id] = OAuthClientInformationFull.model_validate(client_info)
+            
+            if not client_json_path.exists():
+                logger.debug(f"Client storage file {client_json_path} does not exist. Starting with empty client registry.")
+                return
+            
+            # Read and parse the JSON file
+            with client_json_path.open("r", encoding="utf-8") as f:
+                clients_data = json.load(f)
+            
+            if not isinstance(clients_data, dict):
+                logger.error(f"Invalid client data format in {client_json_path}: expected dict, got {type(clients_data)}")
+                return
+            
+            loaded_count = 0
+            for client_id, client_info in clients_data.items():
+                try:
+                    # Validate client_id is a string
+                    if not isinstance(client_id, str):
+                        logger.warning(f"Skipping client with non-string ID: {client_id} (type: {type(client_id)})")
+                        continue
+                    
+                    # Validate and restore the client object
+                    if not isinstance(client_info, dict):
+                        logger.warning(f"Skipping client {client_id}: invalid data format (expected dict, got {type(client_info)})")
+                        continue
+                    
+                    # Use Pydantic model_validate to restore the object with proper validation
+                    client_obj = OAuthClientInformationFull.model_validate(client_info)
+                    self._clients[client_id] = client_obj
+                    loaded_count += 1
+                    
+                except Exception as client_error:
+                    logger.error(f"Failed to load client {client_id}: {client_error}")
+                    continue
+            
+            logger.info(f"Successfully loaded {loaded_count} clients from {client_json_path}")
+            
+        except json.JSONDecodeError as e:
+            logger.error(f"Invalid JSON in client storage file {client_json_path}: {e}")
         except Exception as e:
             logger.error(f"Failed to load clients from {client_json_path}: {e}")

d365fo_client/mcp/fastmcp_main.py

@@ -19,6 +19,7 @@ from d365fo_client.mcp.fastmcp_utils import create_default_profile_if_needed, lo
 from d365fo_client.profile_manager import ProfileManager
 from d365fo_client.settings import get_settings
 from mcp.server.auth.settings import  AuthSettings,ClientRegistrationOptions
+from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
 
 
 
@@ -120,6 +121,7 @@ Environment Variables:
   D365FO_MCP_AUTH_TENANT_ID    Azure AD tenant ID for authentication
   D365FO_MCP_AUTH_BASE_URL     http://localhost:8000
   D365FO_MCP_AUTH_REQUIRED_SCOPES  User.Read,email,openid,profile
+  D365FO_MCP_API_KEY_VALUE      API key for authentication (send as: Authorization: Bearer <key>)
   D365FO_LOG_LEVEL               Logging level (DEBUG, INFO, WARNING, ERROR)
   D365FO_LOG_FILE                Custom log file path (default: ~/.d365fo-mcp/logs/fastmcp-server.log)
   D365FO_META_CACHE_DIR          Metadata cache directory (default: ~/.d365fo-mcp/cache)
@@ -254,63 +256,93 @@ logger.info(f"Startup Mode: {settings.get_startup_mode()}")
 logger.info(f"Client Credentials: {'Configured' if settings.has_client_credentials() else 'Not configured'}")
 logger.info("====================================")
 
-if is_remote_transport and not settings.has_mcp_auth_credentials():
+# Validate authentication for remote transports
+if is_remote_transport:
+    has_oauth = settings.has_mcp_auth_credentials()
+    has_api_key = settings.has_mcp_api_key_auth()
+
+    # Must have either OAuth or API key
+    if not has_oauth and not has_api_key:
+        logger.error(
+            "Error: Remote transports (SSE/HTTP) require authentication. "
+            "Please configure either:\n"
+            "  OAuth: D365FO_MCP_AUTH_CLIENT_ID, D365FO_MCP_AUTH_CLIENT_SECRET, "
+            "D365FO_MCP_AUTH_TENANT_ID, D365FO_MCP_AUTH_BASE_URL, D365FO_MCP_AUTH_REQUIRED_SCOPES\n"
+            "  OR\n"
+            "  API Key: D365FO_MCP_API_KEY_VALUE, D365FO_MCP_API_KEY_HEADER_NAME (optional)"
+        )
+        sys.exit(1)
 
-    logger.error("Warning: Client credentials (D365FO_MCP_AUTH_CLIENT_ID and D365FO_MCP_AUTH_CLIENT_SECRET, D365FO_MCP_AUTH_TENANT_ID,D365FO_MCP_AUTH_BASE_URL and D365FO_MCP_AUTH_REQUIRED_SCOPES) are not set. " +
-                   "Remote transports require authentication to the D365FO environment.")
-    sys.exit(1)    
+    # OAuth takes precedence if both are configured
+    if has_oauth and has_api_key:
+        logger.warning(
+            "Both OAuth and API Key authentication configured. "
+            "Using OAuth (takes precedence)."
+        )    
 
-auth_provider: AzureProvider | None = None
+# Initialize authentication provider
+auth_provider: AzureProvider | APIKeyVerifier | None = None  # type: ignore
 auth: AuthSettings | None = None
 
 if is_remote_transport:
-    assert settings.mcp_auth_client_id is not None
-    assert settings.mcp_auth_client_secret is not None
-    assert settings.mcp_auth_tenant_id is not None
-    assert settings.mcp_auth_base_url is not None
-    assert settings.mcp_auth_required_scopes is not None
-    required_scopes=settings.mcp_auth_required_scopes_list()
-
-    # if "AX.FullAccess" not in required_scopes:
-    #     logger.warning("Warning: 'AX.FullAccess' scope is not supported. Adding it automatically.")
-    #     required_scopes.append("https://erp.dynamics.com/AX.FullAccess")
-
-    # Initialize authorization settings
-    auth_provider = AzureProvider(
-        client_id=settings.mcp_auth_client_id,  # Your Azure App Client ID
-        client_secret=settings.mcp_auth_client_secret,                 # Your Azure App Client Secret
-        tenant_id=settings.mcp_auth_tenant_id, # Your Azure Tenant ID (REQUIRED)
-        base_url=settings.mcp_auth_base_url,                   # Must match your App registration
-        required_scopes=required_scopes or ["User.Read"],  # type: ignore # Scopes your app needs
-        redirect_path="/auth/callback",  # Ensure callback path is explicit
-        clients_storage_path=config_path or ...
-    )
-    from mcp.shared.auth import OAuthClientInformationFull
-
-    # auth_provider._clients["eae68fdd-610b-47c5-9907-709c7452f1b3"] = OAuthClientInformationFull(
-    #     client_id="5eae68fdd-610b-47c5-9907-709c7452f1b3",
-    #     client_name="Test Client",
-    #     redirect_uris=[AnyUrl("http://127.0.0.1:33418")],
-    #     scope=",".join(required_scopes)
-    # )
-
+    has_oauth = settings.has_mcp_auth_credentials()
+    has_api_key = settings.has_mcp_api_key_auth()
+
+    if has_oauth:
+        # OAuth authentication setup
+        logger.info("Initializing OAuth authentication with Azure AD")
+
+        assert settings.mcp_auth_client_id is not None
+        assert settings.mcp_auth_client_secret is not None
+        assert settings.mcp_auth_tenant_id is not None
+        assert settings.mcp_auth_base_url is not None
+        assert settings.mcp_auth_required_scopes is not None
+        required_scopes = settings.mcp_auth_required_scopes_list()
+
+        # Initialize authorization settings
+        auth_provider = AzureProvider(
+            client_id=settings.mcp_auth_client_id,
+            client_secret=settings.mcp_auth_client_secret,
+            tenant_id=settings.mcp_auth_tenant_id,
+            base_url=settings.mcp_auth_base_url,
+            required_scopes=required_scopes or ["User.Read"],  # type: ignore
+            redirect_path="/auth/callback",
+            clients_storage_path=config_path or ...
+        )
 
-    auth=AuthSettings(
+        auth = AuthSettings(
             issuer_url=AnyHttpUrl(settings.mcp_auth_base_url),
             client_registration_options=ClientRegistrationOptions(
                 enabled=True,
-                valid_scopes=required_scopes or ["User.Read"], # type: ignore
-                default_scopes=required_scopes or ["User.Read"], # type: ignore
+                valid_scopes=required_scopes or ["User.Read"],  # type: ignore
+                default_scopes=required_scopes or ["User.Read"],  # type: ignore
             ),
-            required_scopes=required_scopes or ["User.Read"], # type: ignore
+            required_scopes=required_scopes or ["User.Read"],  # type: ignore
             resource_server_url=AnyHttpUrl(settings.mcp_auth_base_url),
-            
+        )
+
+    elif has_api_key:
+        # API Key authentication setup
+        logger.info("Initializing API Key authentication")
+
+        from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
+
+        auth_provider = APIKeyVerifier(  # type: ignore
+            api_key=settings.mcp_api_key_value,  # type: ignore
+            base_url=settings.mcp_auth_base_url,
+        )
+
+        # For API Key authentication
+        auth = AuthSettings(
+            issuer_url=AnyHttpUrl(settings.mcp_auth_base_url) if settings.mcp_auth_base_url else AnyHttpUrl("http://localhost"),
+            resource_server_url=None
         )
 
 # Initialize FastMCP server with configuration
 mcp = FastMCP(
     name=server_config.get("name", "d365fo-mcp-server"),
-    auth_server_provider=auth_provider,
+    auth_server_provider=auth_provider if isinstance(auth_provider, AzureProvider) else None,# type: ignore
+    token_verifier=auth_provider if isinstance(auth_provider, APIKeyVerifier) else None,
     auth=auth,
     instructions=server_config.get(
         "instructions",
@@ -326,16 +358,33 @@ mcp = FastMCP(
 
 )
 
-if is_remote_transport:
+# Add OAuth callback route only for Azure OAuth provider
+if is_remote_transport and isinstance(auth_provider, AzureProvider):
     from starlette.requests import Request
     from starlette.responses import RedirectResponse
-    
+
     @mcp.custom_route(path=auth_provider._redirect_path, methods=["GET"]) # type: ignore
     async def handle_idp_callback(request: Request) -> RedirectResponse:
         return await auth_provider._handle_idp_callback(request) # type: ignore
 
+# Initialize FastD365FOMCPServer
 server = FastD365FOMCPServer(mcp, config, profile_manager=profile_manager)
 
+# Configure API Key authentication if enabled
+if is_remote_transport:
+    from d365fo_client.mcp.auth_server.auth.providers.apikey import APIKeyVerifier
+
+    if isinstance(auth_provider, APIKeyVerifier):
+
+        logger.info("API Key authentication configured successfully")
+        logger.info("=" * 60)
+        logger.info("IMPORTANT: Clients must authenticate using:")
+        logger.info("  Authorization: Bearer <your-api-key>")
+        logger.info("")
+        logger.info("Example:")
+        logger.info(f"  curl -H 'Authorization: Bearer YOUR_KEY' http://localhost:{transport_config.get('http', {}).get('port', 8000)}/")
+        logger.info("=" * 60)
+
 logger.info("FastD365FOMCPServer initialized successfully")
 
 

d365fo_client/mcp/fastmcp_utils.py

@@ -144,6 +144,10 @@ def create_default_profile_if_needed(profile_manager:"ProfileManager", config:Di
         if not base_url:
             logger.warning("Cannot create default profile - D365FO_BASE_URL not set")
             return False
+        
+        if base_url.startswith("https://usnconeboxax1aos.cloud.onebox.dynamics.com"):
+            logger.warning("D365FO_BASE_URL is set to the default onebox URL - please set it to your actual environment URL")
+            return False
 
         # Determine authentication mode based on startup mode
         startup_mode = config.get("startup_mode", "profile_only")