Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-github-aiwerk-mcp-server-shopify": {
"args": [
"-y",
"@aiwerk/mcp-server-shopify"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Shopify Admin GraphQL API MCP server. Lets an AI agent read and write to a Shopify store: products, orders, customers, inventory, draft orders, collections, locations, metafields.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@aiwerk/mcp-server-shopify' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @aiwerk/mcp-server-shopify against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in ecommerce
A command line tool for setting up commercetools MCP server
Electronic component sourcing, BOM management, and PCB design workflows.
Rent GPUs, robots, drones, and construction gear on RIGShare; also onboards equipment owners.
Read-only merchant data from 8 Chinese e-commerce platforms: orders, products, after-sales, ads
MCP Security Weekly
Get CVE alerts and security updates for io.github.AIWerk/mcp-server-shopify and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Shopify Admin GraphQL API MCP server. Lets an AI agent read and write to a Shopify store: products, orders, customers, inventory, draft orders, collections, locations, metafields.
Built and signed by AIWerk. MIT licensed.
v0.1.0 — under active development. Tool surface and credential flow may change before v1.0.
npx -y @aiwerk/mcp-server-shopify
This server uses the modern OAuth client_credentials grant (Shopify Dev Dashboard apps). Legacy shpat_* custom-app tokens are not supported.
Three environment variables:
| Env var | What |
|---|---|
SHOPIFY_STORE_DOMAIN | Your store domain, e.g. your-store.myshopify.com |
SHOPIFY_CLIENT_ID | Client ID from your Shopify Dev Dashboard app |
SHOPIFY_CLIENT_SECRET | Client Secret from your Shopify Dev Dashboard app |
The server automatically exchanges the client credentials for an Admin API access token and refreshes the token before its 24h expiry. No manual token rotation.
my-mcp-app).The 12 scopes below cover the full v0.1 tool surface. Trim to a smaller set if you want a more restricted token (e.g. read-only orders).
read_products, write_products,
read_customers, write_customers,
read_orders, write_orders,
read_draft_orders, write_draft_orders,
read_inventory, write_inventory,
read_locations,
read_publications
v0.1 ships 28 tools across the Shopify Admin GraphQL API. See src/tools/ for the implementation; tool names are shown in tools/list after the server starts.
Shopify gates access to customer-bearing objects (Customer, DraftOrder, plus customer { ... } selections inside Order) behind a separate approval. Apps not approved for protected customer data will see this error from the affected tools:
GraphQL error: This app is not approved to access the Customer object.
See https://shopify.dev/docs/apps/launch/protected-customer-data
The server returns this error verbatim to the AI client. Apply for protected-data approval at the link above if you need:
shopify_list_customers, _get_customer, _search_customers, _create_customer, _update_customer, _add_customer_noteshopify_create_draft_order, _complete_draft_ordershopify_get_order, _list_orders, _search_orders, _mark_order_paid, _cancel_order, _add_order_note (these may also be affected when the response includes customer fields)Product, inventory, location, collection, metafield, and shop-info tools are unaffected.
The server pins the Shopify GraphQL Admin API to 2026-04. Bumped quarterly per the Shopify release schedule.
npm install
npm run build
export SHOPIFY_STORE_DOMAIN=your-store.myshopify.com
export SHOPIFY_CLIENT_ID=YOUR_CLIENT_ID
export SHOPIFY_CLIENT_SECRET=YOUR_CLIENT_SECRET
node dist/src/server.js
Pull the secrets from your preferred secret store however you like. For example, with pass(1):
SHOPIFY_CLIENT_ID=$(pass show aiwerk/shopify-dev-client-id)
SHOPIFY_CLIENT_SECRET=$(pass show aiwerk/shopify-dev-client-secret)
export SHOPIFY_CLIENT_ID SHOPIFY_CLIENT_SECRET
npm test
Unit tests use mocked GraphQL responses and run with no external dependencies. There is no live integration harness in this repo — for now we smoke-test against an internal AIWerk dev store before publish.
See SECURITY.md for credenti