Download the PHP package magebitcom/magento2-mcp-module without Composer

On this page you can find all versions of the php package magebitcom/magento2-mcp-module. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package magento2-mcp-module

Magento 2 MCP module

Extensible Model Context Protocol server for Magento 2. Connect your store to any MCP-compatible AI agent — read and mutate customer, product, CMS or sales data, fetch reports, manage configuration, and more.

The base module ships the transport, authentication, ACL, audit log, and tool registry, plus a small set of system tools for inspecting and refreshing the store. Domain-specific functionality lives in optional sub-modules listed below — you can also write your own.

Contents

What the base module gives you

Quick start

The fastest path from composer require to a connected AI is the interactive Quick Setup guide — pick which AI you're using (Claude, ChatGPT, Cursor, Claude Code, or anything else MCP-compatible) and follow the per-client steps with copy-paste snippets and admin-screen screenshots.

For the long-form reference — every admin setting, the OAuth and bearer-token flows in detail, and the full tool catalog — see the Wiki.

Installation

Sub-modules

Each sub-module is published independently and depends on Magebit_Mcp. Install only the ones you need. After every composer require below, enable and rebuild Magento with:

Order module — Magebit_McpOrderTools

Catalog module — Magebit_McpCatalogTools

Customer module — Magebit_McpCustomerTools

CMS module — Magebit_McpCmsTools

Marketing module — Magebit_McpMarketingTools

Report module — Magebit_McpReportTools

Google Analytics module — Magebit_McpGoogleAnalyticsTools

Setup

Configuration lives under Stores → Configuration → Magebit → MCP Server. Defaults are sensible for development; review every section before going to production.

Setting Default Notes
General → Enable MCP Server Yes Master kill-switch. When off, every request returns HTTP 503 before authentication runs.
General → Server Name Magento MCP Advertised to MCP clients during the initialize handshake.
General → Server Description empty Optional free-text hint advertised alongside the server name.
General → Allow Write Tools Yes Global toggle. A token's per-row write flag is only honoured when this is on.
Security → Allowed Origins localhost + Claude, ChatGPT, Gemini, Copilot, Grok and Perplexity One origin per line. Trailing * is allowed. Tighten for production.
Audit Log → Retention (days) 90 Older rows are purged by the magebit_mcp_audit_purge cron. 0 disables purging.
Rate Limiting → Enabled No Caps tools/call requests per (admin, tool) per minute. Recommended for production.
Rate Limiting → Requests Per Minute 60 Used when rate limiting is enabled.
OAuth 2.1 → Access Token Lifetime 3600 (1 hour)
OAuth 2.1 → Refresh Token Lifetime (days) 30
OAuth 2.1 → Authorization Code Lifetime 60 (seconds) Increase only for debugging.

Four separate admin-role permissions gate the module so a token-manager role need not see the audit log and vice versa:

Each MCP tool is also gated by its own admin-role permission under Magebit_Mcp::tools. Restrict admins to the subset they should be able to drive.

Connecting an AI agent

Two authentication paths. Bearer tokens are simplest; OAuth 2.1 is the right choice for hosted MCP clients (Claude, ChatGPT) that ask the operator to consent.

Bearer token

Mint a token from the CLI (or from System → MCP → Connections in the admin):

The plaintext is printed once and is never recoverable afterwards — store it securely. Manage tokens with:

Configure your MCP client with:

Setting Value
URL https://<your-store>/mcp
Authorization header Bearer <token>

OAuth 2.1

Manage OAuth clients under System → MCP → OAuth Clients. The module exposes:

Endpoint Purpose
GET /.well-known/oauth-authorization-server Authorization-server metadata (RFC 8414).
GET /.well-known/oauth-protected-resource Protected-resource metadata (RFC 9728).
GET\|POST /mcp/oauth/authorize Interactive consent screen. Requires admin sign-in.
POST /mcp/oauth/token Token endpoint (authorization_code and refresh_token grants).

Two scopes are advertised:

Each OAuth client has its own scope cap and the consenting admin can narrow further at the consent screen. OAuth-issued tokens land in the same Connections list as bearer tokens, so you manage and revoke them in one place.

Security

If you discover a security issue, please report it privately to [email protected] rather than opening a public issue.

Extending

Write your own tools and prompts by implementing Magebit\Mcp\Api\ToolInterface (or PromptInterface) and registering them via di.xml. The six sub-modules listed above are full worked examples.

The contract surface is:

  1. Implement Magebit\Mcp\Api\ToolInterface and declare an ACL resource for the tool. By convention, dots in the tool name become underscores in the ACL id (catalog.product.getVendor_Module::mcp_tool_catalog_product_get).
  2. Register the tool in di.xml under Magebit\Mcp\Model\Tool\ToolRegistry. The DI key must match the tool's getName() and conform to ^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$.
  3. For write tools that wrap a Magento service contract, optionally implement Magebit\Mcp\Api\UnderlyingAclAwareInterface so the dispatcher also enforces the equivalent admin-UI permission.
  4. Run bin/magento magebit:mcp:tools:validate-acl to confirm every tool's ACL resource resolves.

See docs/EXTENDING.md for the full contract, the schema-builder DSL, schema presets, the field-resolver pattern, lifecycle events, and a complete worked example.

Contributing

Found a bug, have a feature suggestion or want to help? Contributions are very welcome — open an issue or pull request on GitHub.

magebit (1)

Have questions or need help? Contact us at [email protected]

All versions of magento2-mcp-module with dependencies

PHP Build Version
Package Version
Requires php Version >=8.1
magento/framework Version ^103.0
opis/json-schema Version ^2.3
magebitcom/magento2-core Version *
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package magebitcom/magento2-mcp-module contains the following files

Loading the files please wait ...