Chapter 2 · Understand

Architecture & Request Lifecycle

Follow a single question from a user's lips all the way to Jira and back. Once you can trace this path, every later chapter is just a close-up of one box in the diagram.

🎯 What you'll be able to do

  • Name each component in the end-to-end architecture
  • Trace a request through the connector, APIM, the server, and Jira
  • Explain where the user's token is obtained, forwarded, and discarded
  • Identify which component enforces which protection

High-level architecture

Six moving parts, plus three supporting services (OAuth, Key Vault, Application Insights). Solid arrows are the request path; dotted arrows are supporting relationships.

Solid = request path. Dotted = supporting services.

Request lifecycle

Here is the same flow as a step-by-step sequence. Read it top to bottom: each numbered line is one hop.

One round trip. Every step maps to a chapter later in this guide.
Why trace the whole path?
When something breaks in production, the fastest debuggers already have this picture in their head. A 401 vs a 403 vs a payload error each points to a different box. Memorising this flow pays off in Troubleshooting.

Where identity flows

The single most important thread to follow is the user's token. It is created by Atlassian, held by the connector, borrowed by the server for one request, and used to call Jira as the user.

The server never stores the token — it forwards it, then forgets it.

Who does what

| Component | Main responsibility | Key protection |
|---|---|---|
| Copilot Studio | Hosts the agent and chooses tools | — |
| Power Platform connector | Runs OAuth, holds and refreshes tokens | Tokens live here, not in the server |
| Azure API Management | Public gateway and routing | CORS, IP filtering, rate limits, gateway secret |
| FastMCP server | Runs tools, calls Jira | Re-checks gateway secret; request-scoped token |
| Jira Cloud | Owns the data | Enforces the user's permissions |
| Key Vault | Stores the gateway secret | Secret never in code |
| Application Insights | Logs and traces | Tokens and secrets redacted |
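
The server-side protections in the table (gateway secret re-check, request-scoped token, redacted logging) can be sketched in plain Python. This is an added example, not code from the guide or from FastMCP; the header name `X-Gateway-Secret`, the 401 for a missing token, and the names `handle_request`, `redact` and `demo` are assumptions made for illustration.

```python
import hmac
import logging

log = logging.getLogger("mcp.sketch")
GATEWAY_HEADER = "x-gateway-secret"  # assumed name; the page does not give one


def redact(headers):
    """Return a copy of the headers that is safe to log."""
    sensitive = {"authorization", GATEWAY_HEADER}
    return {k: "[REDACTED]" if k.lower() in sensitive else v
            for k, v in headers.items()}


def handle_request(headers, expected_secret, call_jira):
    """Handle one request and return (status, body).

    expected_secret: value read from Key Vault at startup (loading not shown).
    call_jira: callable(token) -> body; stands in for the real Jira call.
    """
    log.info("request headers=%s", redact(headers))
    h = {k.lower(): v for k, v in headers.items()}

    # Re-check the gateway secret: traffic that bypassed APIM gets a 403.
    presented = h.get(GATEWAY_HEADER, "")
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return 403, "forbidden"

    # The token must arrive with the request; the server keeps no copy.
    # Answering 401 here is an assumption of this sketch.
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "unauthorized"

    # Borrow the token for this one call; it exists only in this local.
    return 200, call_jira(token.strip())


def demo():
    """Run three constructed requests and return their status codes."""
    secret = "constructed-secret"           # constructed sample value
    bearer = {"Authorization": "Bearer constructed-token"}
    via_apim = {"X-Gateway-Secret": secret}
    jira = lambda token: "ok"               # stand-in for Jira
    return [
        handle_request(bearer, secret, jira)[0],                 # direct hit
        handle_request(via_apim, secret, jira)[0],               # no token
        handle_request({**via_apim, **bearer}, secret, jira)[0]  # full path
    ]
```

The secret comparison uses `hmac.compare_digest` so that a mismatch takes the same time regardless of how many leading characters are correct.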

❓ Concept check

A request reaches the app host directly (not through APIM) and is rejected with a 403. Which protection caught it, and where is the secret it relied on stored?

📌 Chapter summary

  • User → Copilot Studio → connector → APIM → FastMCP server → Jira, and back.
  • The connector handles OAuth and holds tokens; the server only borrows the token for the duration of one request.
  • APIM guards the edge; the app re-checks the gateway secret; Jira enforces user permissions.
