Create and configure the MCP Servers that your AI agents connect to.
Managed MCP Servers
From the Merchant Center, you control which tools an agent can use and generate the credentials the agent uses to connect. You can also see which agents are active and turn access off at any time.
Create an MCP Server
- Select Add MCP Server.
- Enter a unique Server key. The key becomes part of the MCP Server URL and can't be changed after creation. Name it after the agent or workflow it supports (for example,
promo-audit-server) rather than something generic. - Provide the MCP Server with a name and a description.
- Select one of the available authorization methods. For details on each method, see the Managed MCP Servers overview.
- Enable at least one of the tools available on the MCP Server.
- Select Add MCP Server. You are taken to the server's detail page.
Tools
read_products to read Products or create_orders to create Orders. Enable a tool to grant that action, and leave it disabled to withhold it. This lets you give an agent read access to a resource without granting write access, for example by enabling read_products but not update_products. At least one tool is required. For the full list of tools, see the Managed MCP Servers reference.To grant several tools at once, use the group options:
- All enables every tool that Commerce MCP exposes, including read and write actions on all resources, along with any tools added in later minor releases. Because this grants full write access, use it only when an agent needs it.
- All read enables every read-only tool. Use this for an agent that should look up data but never create or update it.
API Clients
- Select Add API Client and name it after the agent that will use it. The scope of this API Client is auto-derived from this MCP server's key and previously enabled tools.
- Select Create. Copy the client ID and secret. The Merchant Center won't show the secret again.
From an API Client, you can also generate a bearer token directly. This is useful for testing a connection, or for a client that doesn't support OAuth. A generated token expires, so you regenerate it with the same credentials when it lapses. A client that supports OAuth 2.0 discovery obtains and refreshes tokens from the credentials on its own, so it won't need this.
Response filtering policies
The tab groups the rules into three policy types:
- Mask value (Redact): replaces the value of a matching field with a placeholder (for example,
REDACTED) while keeping the field. A rule on a parent field applies to all fields nested within it. - Remove field (Drop): strips matching fields, and everything nested inside them, from the response. Fields can be matched by path or by name.
- Override (Keep): exempts specific field paths from a redact or drop rule. Only exact paths can be kept, and a field can't be kept on its own if its parent is already matched by a rule.
setJsonOutputFiltering update action of the Managed MCP Servers API.Connect an agent
Manage and revoke access
- Enable server: use the toggle on the server's detail page to immediately enable access to the newly created MCP Server.
- Disable server: use the toggle on the server's detail page to immediately block all agents connected through it without deleting its configuration. It stays configured, so you can turn it back on later.
- Delete a server: click the Trash icon to permanently remove the MCP Server and invalidate all associated API Clients and tokens.
- Rotate credentials manually: create a new API Client, then revoke the old one from the API Clients tab. Existing tokens issued from the revoked client stop working once revoked.
Disabling a server or deleting it does not affect other MCP Servers in the same Project. It also does not affect standard API Clients used outside of Managed MCP Servers.