PHPackages magebitcom/magento2-mcp-module - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Utility & Helpers](/categories/utility) 4. / 5. magebitcom/magento2-mcp-module ActiveMagento2-module[Utility & Helpers](/categories/utility) magebitcom/magento2-mcp-module ============================== Magento 2 MCP (Model Context Protocol) server module v1.0.3(1w ago)14134—5%17MITPHPPHP >=8.1CI passing Since May 7Pushed 1w ago1 watchersCompare [ Source](https://github.com/magebitcom/magento2-mcp-module)[ Packagist](https://packagist.org/packages/magebitcom/magento2-mcp-module)[ RSS](/packages/magebitcom-magento2-mcp-module/feed)WikiDiscussions master Synced 1w ago READMEChangelog (7)Dependencies (6)Versions (17)Used By (7) [![Sample MCP session: an operator asks why a customer's order hasn't arrived; the AI calls three MCP tools and reports the order status, shipment progress, and customer history.](docs/header.svg)](docs/header.svg) Magento 2 MCP module ==================== [](#magento-2-mcp-module) Extensible [Model Context Protocol](https://modelcontextprotocol.io/specification/2025-06-18) server for Magento 2. Connect your store to any MCP-compatible AI agent — read and mutate customer, product, CMS or sales data, fetch reports, manage configuration, and more. The base module ships the transport, authentication, ACL, audit log, and tool registry, plus a small set of system tools for inspecting and refreshing the store. Domain-specific functionality lives in optional sub-modules listed below — you can also write your own. Contents -------- [](#contents) - [What the base module gives you](#what-the-base-module-gives-you) - [Quick start](#quick-start) - [Installation](#installation) - [Sub-modules](#sub-modules) - [Order module — `Magebit_McpOrderTools`](#order-module--magebit_mcpordertools) - [Catalog module — `Magebit_McpCatalogTools`](#catalog-module--magebit_mcpcatalogtools) - [Customer module — `Magebit_McpCustomerTools`](#customer-module--magebit_mcpcustomertools) - [CMS module — `Magebit_McpCmsTools`](#cms-module--magebit_mcpcmstools) - [Marketing module — `Magebit_McpMarketingTools`](#marketing-module--magebit_mcpmarketingtools) - [Report module — `Magebit_McpReportTools`](#report-module--magebit_mcpreporttools) - [Google Analytics module — `Magebit_McpGoogleAnalyticsTools`](#google-analytics-module--magebit_mcpgoogleanalyticstools) - [Setup](#setup) - [Connecting an AI agent](#connecting-an-ai-agent) - [Bearer token](#bearer-token) - [OAuth 2.1](#oauth-21) - [Security](#security) - [Extending](#extending) - [Contributing](#contributing) What the base module gives you ------------------------------ [](#what-the-base-module-gives-you) - A `POST /mcp` JSON-RPC endpoint with bearer-token and OAuth 2.1 authentication - Per-tool admin-role ACL and a two-layer write kill-switch - A PII-redacting audit log with configurable retention - Per-(admin, tool) rate limiting - An origin allowlist with sensible defaults for major AI clients - Core tools for cache types, indexers, store views, system configuration values and admin notifications - MCP prompt support (see examples in [Prompt/System](Prompt/System/) directory) Quick start ----------- [](#quick-start) The fastest path from `composer require` to a connected AI is the interactive **[Quick Setup guide](https://magebitcom.github.io/magento2-mcp-module/quick-setup/)** — pick which AI you're using (Claude, ChatGPT, Cursor, Claude Code, or anything else MCP-compatible) and follow the per-client steps with copy-paste snippets and admin-screen screenshots. Not connecting? The **[Connection Checker](https://magebitcom.github.io/magento2-mcp-module/quick-setup/diagnose.html)** probes your store's MCP endpoints from the browser and flags redirects, unreachable hosts and base-URL mismatches; the **[MCP Inspector guide](https://magebitcom.github.io/magento2-mcp-module/quick-setup/inspector.html)** walks you through verifying the OAuth sign-in and bearer-token access end to end. For the long-form reference — every admin setting, the OAuth and bearer-token flows in detail, and the full tool catalog — see the [Wiki](https://github.com/magebitcom/magento2-mcp-module/wiki). Installation ------------ [](#installation) ``` composer require magebitcom/magento2-mcp-module bin/magento module:enable Magebit_Mcp bin/magento setup:upgrade ``` Sub-modules ----------- [](#sub-modules) Each sub-module is published independently and depends on `Magebit_Mcp`. Install only the ones you need. After every `composer require` below, enable and rebuild Magento with: ``` bin/magento module:enable Magebit_McpTools bin/magento setup:upgrade ``` ### Order module — [`Magebit_McpOrderTools`](https://github.com/magebitcom/magento2-mcp-order-tools) [](#order-module--magebit_mcpordertools) - Read and search orders, invoices, shipments, payments, order comments and credit memos - Create invoices, shipments, shipment tracks, credit memos and order comments - Cancel, hold or unhold orders ``` composer require magebitcom/magento2-mcp-order-tools ``` ### Catalog module — [`Magebit_McpCatalogTools`](https://github.com/magebitcom/magento2-mcp-catalog-tools) [](#catalog-module--magebit_mcpcatalogtools) - Read and search products and categories - Create, update or delete products - Create, update or delete categories ``` composer require magebitcom/magento2-mcp-catalog-tools ``` ### Customer module — [`Magebit_McpCustomerTools`](https://github.com/magebitcom/magento2-mcp-customer-tools) [](#customer-module--magebit_mcpcustomertools) - Read or search customers, addresses and customer groups - Fetch customer confirmation status - Create, update or delete customers and addresses - Trigger password reset or resend confirmation ``` composer require magebitcom/magento2-mcp-customer-tools ``` ### CMS module — [`Magebit_McpCmsTools`](https://github.com/magebitcom/magento2-mcp-cms-tools) [](#cms-module--magebit_mcpcmstools) - Read or search CMS pages and blocks - Create, update or delete CMS pages and blocks ``` composer require magebitcom/magento2-mcp-cms-tools ``` ### Marketing module — [`Magebit_McpMarketingTools`](https://github.com/magebitcom/magento2-mcp-marketing-tools) [](#marketing-module--magebit_mcpmarketingtools) - Read or search catalog rules, cart rules and coupons - Delete, toggle and apply catalog and cart rules - Generate or delete coupon codes ``` composer require magebitcom/magento2-mcp-marketing-tools ``` ### Report module — [`Magebit_McpReportTools`](https://github.com/magebitcom/magento2-mcp-report-tools) [](#report-module--magebit_mcpreporttools) - Cart reports (products in cart, abandoned carts) - Popular search queries and newsletter problems (bounces, send failures) - Product reviews, review counts and average ratings - Aggregated sales reports for orders, tax, invoices, shipments, refunds and coupons - Customer reports (orders, totals, new customers, online visitors) - Product reports (most viewed, bestsellers, low-stock, qty ordered, downloads) - Dashboard summary (lifetime sales, average order, revenue for a period, recent orders, top search terms, top bestsellers) - Refresh sales/customer/review statistics ``` composer require magebitcom/magento2-mcp-report-tools ``` ### Google Analytics module — [`Magebit_McpGoogleAnalyticsTools`](https://github.com/magebitcom/magento2-mcp-google-analytics-tools) [](#google-analytics-module--magebit_mcpgoogleanalyticstools) - List Google Analytics accounts and GA4 properties for the connected Google account - Inspect GA4 property details (name, currency, timezone, industry) and linked Google Ads accounts - List a property's custom dimensions and metrics - Run GA4 Data API reports — core, real-time (last 30 minutes) and funnel - Read-only; authenticates to Google via OAuth with an encrypted refresh token ``` composer require magebitcom/magento2-mcp-google-analytics-tools ``` Setup ----- [](#setup) Configuration lives under **Stores → Configuration → Magebit → MCP Server**. Defaults are sensible for development; review every section before going to production. SettingDefaultNotes**General → Enable MCP Server**YesMaster kill-switch. When off, every request returns HTTP 503 before authentication runs.**General → Server Name**`Magento MCP`Advertised to MCP clients during the `initialize` handshake.**General → Server Description**emptyOptional free-text hint advertised alongside the server name.**General → Allow Write Tools**YesGlobal toggle. A token's per-row write flag is only honoured when this is on.**Security → Allowed Origins**localhost + Claude, ChatGPT, Gemini, Copilot, Grok and PerplexityOne origin per line. Trailing `*` is allowed. Tighten for production.**Audit Log → Retention (days)**`90`Older rows are purged by the `magebit_mcp_audit_purge` cron. `0` disables purging.**Rate Limiting → Enabled**NoCaps `tools/call` requests per (admin, tool) per minute. Recommended for production.**Rate Limiting → Requests Per Minute**`60`Used when rate limiting is enabled.**OAuth 2.1 → Access Token Lifetime**`3600` (1 hour)**OAuth 2.1 → Refresh Token Lifetime (days)**`30`**OAuth 2.1 → Authorization Code Lifetime**`60` (seconds)Increase only for debugging.Four separate admin-role permissions gate the module so a token-manager role need not see the audit log and vice versa: - `Magebit_Mcp::mcp_tokens` — create, list, revoke and delete bearer tokens - `Magebit_Mcp::mcp_oauth_clients` — manage OAuth clients - `Magebit_Mcp::mcp_audit` — view the audit log - `Magebit_Mcp::config` — change settings under *Stores → Configuration → Magebit → MCP Server* Each MCP tool is also gated by its own admin-role permission under `Magebit_Mcp::tools`. Restrict admins to the subset they should be able to drive. Connecting an AI agent ---------------------- [](#connecting-an-ai-agent) Two authentication paths. Bearer tokens are simplest; OAuth 2.1 is the right choice for hosted MCP clients (Claude, ChatGPT) that ask the operator to consent. ### Bearer token [](#bearer-token) Mint a token from the CLI (or from **System → MCP → Connections** in the admin): ``` bin/magento magebit:mcp:token:create \ --admin-user \ --name "" \ [--allow-writes] \ [--expires "+30 days"] \ [-s ] [-s ] ``` The plaintext is printed once and is never recoverable afterwards — store it securely. Manage tokens with: ``` bin/magento magebit:mcp:token:list [-u ] bin/magento magebit:mcp:token:revoke # day-to-day; preserves the audit trail bin/magento magebit:mcp:token:delete # hard-delete ``` Configure your MCP client with: SettingValueURL`https:///mcp`Authorization header`Bearer `### OAuth 2.1 [](#oauth-21) Manage OAuth clients under **System → MCP → OAuth Clients**. The module exposes: EndpointPurpose`GET /.well-known/oauth-authorization-server`Authorization-server metadata (RFC 8414).`GET /.well-known/oauth-protected-resource`Protected-resource metadata (RFC 9728).`GET|POST /mcp/oauth/authorize`Interactive consent screen. Requires admin sign-in.`POST /mcp/oauth/token`Token endpoint (`authorization_code` and `refresh_token` grants).Two scopes are advertised: - `mcp:read` — invoke read-only tools - `mcp:write` — also invoke write tools (still subject to the global write toggle) Each OAuth client has its own scope cap and the consenting admin can narrow further at the consent screen. OAuth-issued tokens land in the same Connections list as bearer tokens, so you manage and revoke them in one place. Security -------- [](#security) - **Two authentication paths.** Bearer tokens issued by an admin, and OAuth 2.1 with mandatory PKCE. - **Origin allowlist.** Configurable; defaults cover only loopback and the major AI surfaces. Tighten for production. - **Per-tool admin-role ACL.** Every tool resolves through Magento's standard role permissions — MCP can never do what the admin UI would forbid. - **Two-layer write gating.** Write tools require the global *Allow write tools* toggle *and* a per-token (or per-OAuth-scope) write flag. - **Confirmation hint for destructive tools.** Write tools may flag themselves as requiring confirmation; clients that support it (e.g. Claude Desktop) prompt the operator. - **Per-(admin, tool) rate limiter.** Off by default; recommended for production. - **Audit log.** Every request is recorded — even unauthenticated attempts. Argument values are PII-redacted before storage. - **Separated admin permissions.** Token management, OAuth-client management, audit-log viewing and module configuration are four distinct ACLs. If you discover a security issue, please report it privately to rather than opening a public issue. Extending --------- [](#extending) Write your own tools and prompts by implementing `Magebit\Mcp\Api\ToolInterface` (or `PromptInterface`) and registering them via `di.xml`. The six sub-modules listed above are full worked examples. The contract surface is: 1. Implement `Magebit\Mcp\Api\ToolInterface` and declare an ACL resource for the tool. By convention, dots in the tool name become underscores in the ACL id (`catalog.product.get` → `Vendor_Module::mcp_tool_catalog_product_get`). 2. Register the tool in `di.xml` under `Magebit\Mcp\Model\Tool\ToolRegistry`. The DI key must match the tool's `getName()` and conform to `^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$`. 3. For write tools that wrap a Magento service contract, optionally implement `Magebit\Mcp\Api\UnderlyingAclAwareInterface` so the dispatcher also enforces the equivalent admin-UI permission. 4. Run `bin/magento magebit:mcp:tools:validate-acl` to confirm every tool's ACL resource resolves. See [docs/EXTENDING.md](docs/EXTENDING.md) for the full contract, the schema-builder DSL, schema presets, the field-resolver pattern, lifecycle events, and a complete worked example. Contributing ------------ [](#contributing) Found a bug, have a feature suggestion or want to help? Contributions are very welcome — open an issue or pull request on GitHub. --- [![magebit (1)](https://private-user-images.githubusercontent.com/58505474/416166496-cdc904ce-e839-40a0-a86f-792f7ab7961f.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODA4NTE5MzIsIm5iZiI6MTc4MDg1MTYzMiwicGF0aCI6Ii81ODUwNTQ3NC80MTYxNjY0OTYtY2RjOTA0Y2UtZTgzOS00MGEwLWE4NmYtNzkyZjdhYjc5NjFmLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNjA2MDclMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjYwNjA3VDE3MDAzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTc2MDZhZWVlMGMyNTFjZWM3N2FkMDVhYzZiZjk0YmU1ZjM0OGFiMTE5YTU5YTNjNjUzNTdlYWYwZjI1Y2M1YWEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JnJlc3BvbnNlLWNvbnRlbnQtdHlwZT1pbWFnZSUyRnBuZyJ9.hNJ5HNDnO5VjfUlZ31NPeIIJiSUcr1cN9sxePO8qNhw)](https://private-user-images.githubusercontent.com/58505474/416166496-cdc904ce-e839-40a0-a86f-792f7ab7961f.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3ODA4NTE5MzIsIm5iZiI6MTc4MDg1MTYzMiwicGF0aCI6Ii81ODUwNTQ3NC80MTYxNjY0OTYtY2RjOTA0Y2UtZTgzOS00MGEwLWE4NmYtNzkyZjdhYjc5NjFmLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNjA2MDclMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjYwNjA3VDE3MDAzMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTc2MDZhZWVlMGMyNTFjZWM3N2FkMDVhYzZiZjk0YmU1ZjM0OGFiMTE5YTU5YTNjNjUzNTdlYWYwZjI1Y2M1YWEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JnJlc3BvbnNlLWNvbnRlbnQtdHlwZT1pbWFnZSUyRnBuZyJ9.hNJ5HNDnO5VjfUlZ31NPeIIJiSUcr1cN9sxePO8qNhw) *Have questions or need help? Contact us at * ### Health Score 49 — FairBetter than 94% of packages Maintenance98 Actively maintained with recent releases Popularity23 Limited adoption so far Community15 Small or concentrated contributor base Maturity50 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~3 days Total 7 Last Release 11d ago Major Versions v0.0.3 → v1.0.02026-05-27 PHP version history (2 changes)v0.0.1PHP ~8.1.0||~8.2.0||~8.3.0||~8.4.0 v0.0.3PHP >=8.1 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/10514036?v=4)[magebit](/maintainers/magebit)[@Magebit](https://github.com/Magebit) --- Top Contributors [![KristofersOzolinsMagebit](https://avatars.githubusercontent.com/u/58505474?v=4)](https://github.com/KristofersOzolinsMagebit "KristofersOzolinsMagebit (53 commits)") --- Tags adobeadobe-commerceaimagento2magento2-extensionmagento2-modulemcp-server ### Embed Badge ![Health badge](/badges/magebitcom-magento2-mcp-module/health.svg) ``` [![Health](https://phpackages.com/badges/magebitcom-magento2-mcp-module/health.svg)](https://phpackages.com/packages/magebitcom-magento2-mcp-module) ``` ### Alternatives [friendsoftypo3/content-blocks TYPO3 CMS Content Blocks - Content Types API | Define reusable components via YAML 101466.4k44](/packages/friendsoftypo3-content-blocks)[elgentos/regenerate-catalog-urls Regenerate Catalog URL Rewrites (products, categories, cms pages) 2852.6M](/packages/elgentos-regenerate-catalog-urls)[run-as-root/magento2-prometheus-exporter Magento2 Prometheus Exporter 68353.9k](/packages/run-as-root-magento2-prometheus-exporter)[myparcelnl/magento A Magento 2 module that creates MyParcel labels 1859.0k](/packages/myparcelnl-magento)[loki/magento2-components Core module for defining Alpine.js components with advanced AJAX features 1010.0k22](/packages/loki-magento2-components)[magepal/magento2-form-field-manager Customer and Address Form Fields Manager for Magento2 293.9k](/packages/magepal-magento2-form-field-manager) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)