Skip to content

Commit 77ed49e

Browse files
authored
Merge pull request #520 from decocms/rafavalls/shopify-mcp-tools-doc
feat(shopify): add read-only Shopify Admin GraphQL API MCP
2 parents 701f003 + ebff24f commit 77ed49e

29 files changed

Lines changed: 3962 additions & 0 deletions

bun.lock

Lines changed: 31 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

deploy.json

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -502,5 +502,14 @@
502502
"youtube-search/**",
503503
"shared/**"
504504
]
505+
},
506+
"shopify": {
507+
"site": "shopify",
508+
"entrypoint": "./dist/server/main.js",
509+
"platformName": "kubernetes-bun",
510+
"watch": [
511+
"shopify/**",
512+
"shared/**"
513+
]
505514
}
506515
}

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,7 @@
7373
"registry",
7474
"replicate",
7575
"shared",
76+
"shopify",
7677
"slack-mcp",
7778
"sora",
7879
"strapi",

registry.json

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3018,6 +3018,55 @@
30183018
]
30193019
}
30203020
},
3021+
{
3022+
"id": "deco/shopify",
3023+
"title": "Shopify",
3024+
"description": "Read-only MCP for the Shopify Admin GraphQL API — products, collections, orders, draft orders, customers, inventory, fulfillment, discounts, online store content, B2B, markets, Shopify Payments and ShopifyQL analytics.",
3025+
"is_public": true,
3026+
"_meta": {
3027+
"mcp.mesh": {
3028+
"verified": false,
3029+
"friendly_name": "Shopify",
3030+
"short_description": "Read-only access to Shopify stores: catalog, orders, customers, inventory and analytics.",
3031+
"owner": "deco",
3032+
"has_remote": true,
3033+
"has_oauth": true,
3034+
"tags": [
3035+
"shopify",
3036+
"ecommerce",
3037+
"orders",
3038+
"products",
3039+
"customers",
3040+
"inventory",
3041+
"analytics",
3042+
"api"
3043+
],
3044+
"categories": [
3045+
"E-commerce"
3046+
],
3047+
"readme": "The Shopify MCP gives AI agents read-only access to a Shopify store through the Admin GraphQL API. It can browse and search products, variants and collections, inspect orders (including draft orders, abandoned checkouts, returns, refund previews and fulfillment status), look up customers and segments, check inventory levels per location, review discounts and marketing activities, read online store content (pages, blogs, articles, menus, redirects and theme files), and pull financial data from Shopify Payments (payouts, balance, disputes). It also supports ShopifyQL analytics queries where available. Because every tool is a GraphQL query — never a mutation — the MCP can never modify store data. Connect with a custom-app Admin API access token (Authorization field) and the store's myshopify.com domain."
3048+
}
3049+
},
3050+
"server": {
3051+
"name": "shopify",
3052+
"title": "Shopify",
3053+
"description": "Read-only MCP for the Shopify Admin GraphQL API — products, collections, orders, draft orders, customers, inventory, fulfillment, discounts, online store content, B2B, markets, Shopify Payments and ShopifyQL analytics.",
3054+
"icons": [
3055+
{
3056+
"src": "https://github.com/shopify.png"
3057+
}
3058+
],
3059+
"remotes": [
3060+
{
3061+
"type": "HTTP",
3062+
"url": "https://sites-shopify.deco.site/mcp",
3063+
"name": "shopify",
3064+
"title": "Shopify",
3065+
"description": "Read-only MCP for the Shopify Admin GraphQL API — products, collections, orders, draft orders, customers, inventory, fulfillment, discounts, online store content, B2B, markets, Shopify Payments and ShopifyQL analytics."
3066+
}
3067+
]
3068+
}
3069+
},
30213070
{
30223071
"id": "deco/slack",
30233072
"title": "Slack Bot Beta",

shopify/README.md

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
# Shopify MCP
2+
3+
Read-only MCP for the **Shopify Admin GraphQL API** (pinned to `2026-07`). Every tool is a
4+
GraphQL query — never a mutation — so the MCP can never modify store data.
5+
6+
45 tools across 11 domains: products & collections, orders (drafts, abandoned checkouts,
7+
returns, refund previews), fulfillment & locations, inventory, customers & segments,
8+
discounts & marketing, online store content (pages, blogs, articles, menus, redirects,
9+
themes), store properties & localization, B2B companies & markets, Shopify Payments,
10+
and ShopifyQL analytics. See [TOOLS.md](./TOOLS.md) for the full catalog and scope map.
11+
12+
## Setup
13+
14+
1. In the Shopify admin, create a **custom app** (Settings → Apps and sales channels →
15+
Develop apps) and give it the **read scopes** you need — e.g. `read_products`,
16+
`read_orders`, `read_customers`, `read_inventory`, `read_fulfillments`, `read_locations`,
17+
`read_discounts`, `read_content`, `read_themes`, `read_locales`, `read_translations`,
18+
`read_marketing_events`, `read_users`, `read_companies`, `read_markets`,
19+
`read_shopify_payments_payouts`, `read_shopify_payments_disputes`, `read_reports`.
20+
Tools whose scope is missing fail with a clear ACCESS_DENIED hint; grant only what you use.
21+
2. Install the app on the store and copy the **Admin API access token** (`shpat_…`).
22+
3. Connect the MCP:
23+
- **Token** (connection Authorization field): the Admin API access token
24+
- **Store Domain** (config field): `my-store.myshopify.com`
25+
- **API Version** (optional): defaults to `2026-07`
26+
27+
Orders older than 60 days additionally require the `read_all_orders` scope, which Shopify
28+
only grants to approved apps.
29+
30+
### Local development
31+
32+
```sh
33+
SHOPIFY_STORE_DOMAIN=my-store.myshopify.com SHOPIFY_ACCESS_TOKEN=shpat_xxx bun run dev
34+
```
35+
36+
Env vars are a fallback — connection state (`storeDomain`) and the Authorization header
37+
always win.
38+
39+
## Development
40+
41+
```sh
42+
bun run check # typecheck
43+
bun test # unit tests (credential resolution, retry/backoff, connection flattening)
44+
bun run validate:queries # validates every GraphQL document against the live Shopify schema
45+
```
46+
47+
`validate:queries` posts each tool's query to shopify.dev's public GraphiQL proxy
48+
(`https://shopify.dev/admin-graphql-direct-proxy/<version>`), which validates against the
49+
real Admin API schema and executes on demo data — no store or token required. Run it when
50+
bumping the API version.
51+
52+
## Auth notes
53+
54+
Token auth only (same pattern as the Magento MCP). Shopify OAuth would require a registered
55+
partner app (client id/secret) and a per-store authorization URL, which the runtime `oauth`
56+
hook can't currently express — the shop domain isn't known when the authorization URL is
57+
built. If a partner app ever exists, the OAuth flow can be added in `server/main.ts`.

0 commit comments

Comments
 (0)