Shopify MCP
Shopify's official hosted MCP servers. The authenticated Customer Accounts MCP (per-store /customer/api/mcp) uses OAuth 2.0 + PKCE over Streamable HTTP for order and account data; a public Storefront/catalog MCP (/api/mcp and /api/ucp/mcp) is intentionally unauthenticated for product discovery and cart. Replaces the community GeLi2001/shopify-mcp admin wrapper. Note: scores other than authentication are a provisional assessment from Shopify's documentation pending a live tool-level audit.
Score Breakdown
Server Info
- Package
- https://{shop}.myshopify.com/customer/api/mcp
- Registry
- remote
- Maintainer
- ShopifyVendor
- Category
- E-commerce
- Tags
- storeproductsordershostedoauth
- Last Scanned
- 7 Apr 2026
Findings
3 issuesAuthentication & Identity
LOWImplements MCP OAuth spec for per-user authentication
Official Shopify hosted MCP. The authenticated Customer Accounts MCP server (https://{shop}.myshopify.com/customer/api/mcp) uses OAuth 2.0 authorization code flow with PKCE (endpoints discovered via /.well-known/openid-configuration) and a Bearer access token, over Streamable HTTP. Shopify also runs a deliberately public, no-auth Storefront/catalog MCP for product discovery. Scored on the authenticated official server.
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUMTool schemas not independently audited
The hosted server has no public source repository, so tool input schemas, required fields, and parameter constraints could not be verified directly. Provisional score pending a live tool-level audit.
Run a live audit against the hosted endpoint to enumerate and score tool schemas.
Data Exposure
MEDIUMPagination and field selection not verified
Whether list operations paginate and support field selection could not be verified without a live audit of the hosted tool surface.
Audit list operations for pagination and field-selection support.
Deploy Shopify MCP securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow