Managed MCP Servers

Ask about this Page
Copy for LLM
View as Markdown

Create and configure the MCP Servers that your AI agents connect to.

Managed MCP Servers

From the Merchant Center, you control which tools an agent can use and generate the credentials the agent uses to connect. You can also see which agents are active and turn access off at any time.

Only users with appropriate permissions can view and edit MCP Servers. These permissions are granted by your Administrators Team.
For concepts, authentication, and the API, see the Managed MCP Servers reference.

Create an MCP Server

To configure an MCP Server, go to Settings > Managed MCP Servers.
  1. Select Add MCP Server.
  2. Enter a unique Server key. The key becomes part of the MCP Server URL and can't be changed after creation. Name it after the agent or workflow it supports (for example, promo-audit-server) rather than something generic.
  3. Provide the MCP Server with a name and a description.
  4. Select one of the available authorization methods. For details on each method, see the Managed MCP Servers overview.
  5. Enable at least one of the tools available on the MCP Server.
  6. Select Add MCP Server. You are taken to the server's detail page.

Tools

Tools are the individual actions an agent can perform through this server. Each tool covers one action on one resource, and its name reflects that action, such as read_products to read Products or create_orders to create Orders. Enable a tool to grant that action, and leave it disabled to withhold it. This lets you give an agent read access to a resource without granting write access, for example by enabling read_products but not update_products. At least one tool is required. For the full list of tools, see the Managed MCP Servers reference.

To grant several tools at once, use the group options:

  • All enables every tool that Commerce MCP exposes, including read and write actions on all resources, along with any tools added in later minor releases. Because this grants full write access, use it only when an agent needs it.
  • All read enables every read-only tool. Use this for an agent that should look up data but never create or update it.
The Tools tab, filtered to Enabled, with Group select options for All and All read.
You can add or remove tools later from the server's detail page, where you can also give the server a localized Name and Description. From the same page, you can override a tool's description. This is useful for giving an agent business-specific context the default description doesn't cover.

API Clients

Agents authenticate using API Client credentials, for use in machine-to-machine flows. You must add at least one API Client before an agent can connect to the server. On the MCP server detail page:
  1. Select Add API Client and name it after the agent that will use it. The scope of this API Client is auto-derived from this MCP server's key and previously enabled tools.
  2. Select Create. Copy the client ID and secret. The Merchant Center won't show the secret again.
Credentials for a newly created API Client, including the scope and a ready-to-use cURL command for generating a token.
The agent authenticates with this API Client ID and secret, scoped to this one server; it can't be used to call commercetools APIs directly. See API Clients for how this credential is scoped.

From an API Client, you can also generate a bearer token directly. This is useful for testing a connection, or for a client that doesn't support OAuth. A generated token expires, so you regenerate it with the same credentials when it lapses. A client that supports OAuth 2.0 discovery obtains and refreshes tokens from the credentials on its own, so it won't need this.

Select View all on the API Clients card to see every API Client created for this MCP Server. From there you can inspect each client's name, ID, and scope, or revoke access for any agent connected to it.

Response filtering policies

The server's detail page has a Response filtering policies tab. It shows the response field-filtering rules that are applied to tool responses before they reach an agent. These rules are only present when they were set through the API at server creation. If none were set for a server, the tab has nothing to show.

The tab groups the rules into three policy types:

  • Mask value (Redact): replaces the value of a matching field with a placeholder (for example, REDACTED) while keeping the field. A rule on a parent field applies to all fields nested within it.
  • Remove field (Drop): strips matching fields, and everything nested inside them, from the response. Fields can be matched by path or by name.
  • Override (Keep): exempts specific field paths from a redact or drop rule. Only exact paths can be kept, and a field can't be kept on its own if its parent is already matched by a rule.
Response filtering policies are configured through the API and can't be created or edited from this tab. You can view a policy's matchers and settings, but changes have to go through the setJsonOutputFiltering update action of the Managed MCP Servers API.

Connect an agent

The server must be enabled before an agent can connect to it. The server's detail page shows the generated MCP Server URL. Copy this into your agent's MCP configuration to connect using the API Client credentials. The agent sees only the tools enabled on this server. For how to authenticate the connection and client-specific setup examples, see the Managed MCP Servers reference.
If you are managing several servers, the Key column on the MCP Servers list page shows each server's key. Use it to confirm you are pointing an agent at the right one.

Manage and revoke access

  • Enable server: use the toggle on the server's detail page to immediately enable access to the newly created MCP Server.
  • Disable server: use the toggle on the server's detail page to immediately block all agents connected through it without deleting its configuration. It stays configured, so you can turn it back on later.
  • Delete a server: click the Trash icon to permanently remove the MCP Server and invalidate all associated API Clients and tokens.
  • Rotate credentials manually: create a new API Client, then revoke the old one from the API Clients tab. Existing tokens issued from the revoked client stop working once revoked.

Disabling a server or deleting it does not affect other MCP Servers in the same Project. It also does not affect standard API Clients used outside of Managed MCP Servers.