MCP server for YooKassa payment API — payments, refunds, receipts (54-FZ). 10 tools. First MCP for
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"yookassa": {
"env": {
"YOOKASSA_SHOP_ID": "your-shop-id",
"YOOKASSA_SECRET_KEY": "your-secret-key"
},
"args": [
"-y",
"@theyahia/yookassa-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
MCP server for YooKassa API -- payments, refunds, receipts (54-FZ), payouts, webhooks, recurring, SBP, marketplace splits. 20 tools.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@theyahia/yookassa-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @theyahia/yookassa-mcp against OSV.dev.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in finance
Let AI agents create, discover, and track tokens across chains via Printr.
Real-time financial market data: stocks, forex, crypto, commodities, and economic indicators
Swiss accounting integration for Bexio. 310 tools for invoices, contacts, projects.
Brazilian public procurement (PNCP) and Federal Revenue CNPJ data — 16 tools, 4 prompts.
MCP Security Weekly
Get CVE alerts and security updates for io.github.theYahia/yookassa-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
MCP server for YooKassa API -- payments, refunds, receipts (54-FZ), payouts, webhooks, recurring, SBP, marketplace splits. 20 tools.
Part of Russian API MCP series by @theYahia.
{
"mcpServers": {
"yookassa": {
"command": "npx",
"args": ["-y", "@theyahia/yookassa-mcp"],
"env": {
"YOOKASSA_SHOP_ID": "your-shop-id",
"YOOKASSA_SECRET_KEY": "your-secret-key"
}
}
}
}
claude mcp add yookassa -e YOOKASSA_SHOP_ID=your-id -e YOOKASSA_SECRET_KEY=your-key -- npx -y @theyahia/yookassa-mcp
{
"servers": {
"yookassa": {
"command": "npx",
"args": ["-y", "@theyahia/yookassa-mcp"],
"env": {
"YOOKASSA_SHOP_ID": "your-shop-id",
"YOOKASSA_SECRET_KEY": "your-secret-key"
}
}
}
}
{
"mcpServers": {
"yookassa": {
"command": "npx",
"args": ["-y", "@theyahia/yookassa-mcp"],
"env": {
"YOOKASSA_SHOP_ID": "your-shop-id",
"YOOKASSA_SECRET_KEY": "your-secret-key"
}
}
}
}
⚠️ The HTTP transport exposes money-moving tools. It requires a Bearer token, binds to
127.0.0.1by default, and validatesHost/Origin(DNS-rebinding protection). Never expose it directly to the internet — put it behind an authenticating reverse proxy / mTLS. See SECURITY.md.
MCP_AUTH_TOKEN="$(openssl rand -hex 32)" HTTP_PORT=3000 npx -y @theyahia/yookassa-mcp --http
Then call /mcp with Authorization: Bearer <MCP_AUTH_TOKEN>.
Endpoints:
POST /mcp -- MCP Streamable HTTP transport (Bearer auth required; stateless — POST only)GET /health -- unauthenticated health check ({ "status": "ok", "tools": <count> })| Variable | Required | Description |
|---|---|---|
YOOKASSA_SHOP_ID | Yes | Shop ID (Settings -> Shop) |
YOOKASSA_SECRET_KEY | Yes | Secret key (Integration -> API Keys) |
YOOKASSA_PAYOUT_AGENT_ID | Payouts | Gateway id (agentId) for the Payouts product (Settings -> Payouts) |
YOOKASSA_PAYOUT_SECRET_KEY | Payouts | Secret key for the Payouts gateway |
HTTP_PORT | No | Port for HTTP transport (default 3000); enables --http mode |
MCP_AUTH_TOKEN | HTTP only | Required in HTTP mode. Bearer token clients must send on /mcp |
HTTP_HOST | No | Bind address for HTTP mode (default 127.0.0.1; set 0.0.0.0 to expose — only behind a proxy) |
MCP_ALLOWED_HOSTS | No | Comma-separated Host allowlist (default 127.0.0.1:<port>,localhost:<port>) |
MCP_ALLOWED_ORIGINS | No | Comma-separated browser Origin CORS allowlist (default: none — browser origins rejected) |
YOOKASSA_DEBUG | No | Set to 1 to trace each request (method/path/status/latency/idempotency-key) to stderr — never logs secrets, the auth header, or request bodies |
This server drives real money operations. While developing:
YOOKASSA_SHOP_ID / YOOKASSA_SECRET_KEY.get_shop_info — expect "test": true — before
switching to a live shop.