About the Organization
A healthcare services provider operates a network of therapists delivering care across a wide geographic area. With multiple database APIs covering scheduling, patient engagement, therapist utilization, and billing, the organization needed a way for non-technical leaders to query their data conversationally — without compromising on security, authentication, or role-based access governance.
The Challenge
A healthcare services provider operates a network of therapists who deliver care across a wide geographic area. The organization maintains multiple database APIs containing critical operational and clinical insights — scheduling, patient engagement, therapist utilization, billing, and more.
Despite having this data, leadership faced a persistent bottleneck: getting answers required requesting custom reports from the engineering team, then waiting days or weeks for delivery. By the time a report arrived, the question had often evolved or the window for action had passed. Decision-makers needed the ability to explore their data conversationally — asking follow-up questions, drilling into specifics, and getting answers on their own timeline.
At the same time, the organization's security engineers had legitimate concerns about exposing sensitive data to AI tools. The team was evaluating a fully on-premises solution, but that approach carried a timeline measured in months and significant infrastructure investment. Leadership needed a middle ground:
- Let non-technical users query organizational data through natural language
- Enforce strict, role-based data access — users should only see what they're authorized to see
- Authenticate users through the organization's existing identity provider
- Deploy quickly without a months-long infrastructure buildout
- Satisfy both the business need for speed and the security team's need for control
The Solution
DreamFactory's MCP (Model Context Protocol) integration provided the governed bridge between the organization's database APIs and ChatGPT — with enterprise-grade authentication and authorization built in from the start.
Secure API Exposure via MCP
DreamFactory exposes the organization's existing database APIs to ChatGPT through MCP, the open standard for connecting AI models to external data sources. Rather than giving ChatGPT broad database access, DreamFactory publishes only the specific API endpoints and operations that have been explicitly approved — each governed by the same role-based access controls that protect the APIs in every other context.
Org-Wide Deployment in Minutes
The MCP server is auto-published across the organization's ChatGPT subscription. There is no per-user setup, no plugin installation, no configuration steps for end users. Team members simply open ChatGPT and the DreamFactory data connection is available. They ask a question and go.
Branded Authentication with Google OAuth
When a user asks a data question for the first time, they are prompted to authenticate through a custom-branded login screen — the organization's own sign-in experience, powered by Google OAuth under the hood via DreamFactory. This keeps the authentication flow familiar and on-brand while leveraging the organization's existing Google Workspace identity infrastructure.
Automatic Role Mapping
After authentication, DreamFactory maps the user's Google account group membership to a corresponding DreamFactory Role. A finance director sees financial data. An operations manager sees scheduling and utilization metrics. A regional lead sees data scoped to their region. Users are returned to ChatGPT and can only query the data their role explicitly permits — no more, no less.
Extensible MCP Tooling
Beyond conversational data access, the organization has already expanded its MCP capabilities. A custom MCP tool integrates the Google Maps API to calculate drive times for therapists traveling between patient appointments. Staff use this tool directly within ChatGPT to look up travel durations for internal billing — turning what was a manual, error-prone process into a conversational query.
The Results
Leadership went from waiting days for engineer-built reports to getting answers in seconds by asking ChatGPT in plain English. The engineering team is no longer a bottleneck for routine data questions, freeing them to focus on building rather than reporting.
Critically, this was deployed without compromising on security. The organization's security engineers have full control over which data each role can access, authentication flows through their existing Google identity infrastructure, and every query is governed by DreamFactory's role-based access controls. There is no shadow AI, no ungoverned data access, and no gap between “who can see what in the API” and “who can see what through ChatGPT.”
What would have been a months-long on-premises buildout is live today — secure, role-based, and already expanding to new use cases like therapist drive-time billing. The organization proved that moving fast and maintaining security governance are not mutually exclusive.
