MCP Server

[busbyk]

Description

Integrates the Payload MCP plugin (@payloadcms/plugin-mcp) to expose a Model Context Protocol server at /api/mcp. This allows AI tools like Claude Code to query CMS content directly using API key authentication, with full RBAC enforcement.

It has been configured to only allow read access to collections and to only allow super admins to manage API keys.

Related Issues

None

Key Changes

• MCP plugin integration (src/plugins/index.ts): Configures mcpPlugin with read-only access to 16 collections and the nacWidgetsConfig global. Includes server instructions that describe the multi-tenant data model and common query patterns to MCP clients.
• Patch for @payloadcms/plugin-mcp (patches/@payloadcms__plugin-mcp.patch): Adds two features not yet upstream:
  • authDepth — controls population depth when authenticating API key users (our RBAC needs depth 3 to resolve globalRoleAssignments.docs[].globalRole.rules)
  • instructions — passes the MCP protocol's instructions field through to clients during initialization
• isUser type guard and getUser helper (src/utilities/isUser.ts): The MCP plugin adds a second auth collection (payload-mcp-api-keys), which widens req.user to a union type. These utilities let existing code safely narrow back to User without type assertions. We can't narrow this at the Payload config level - this is a result of having multiple "auth" collections.
• Access control for MCP API Keys: Locked to super admins only via hasSuperAdminPermissions on all CRUD operations.
• E2E tests (__tests__/e2e/admin/collections/mcp-api-keys.e2e.spec.ts): Tests that super admin can access the MCP API Keys collection and all other roles (7 roles) are denied.
• Migration (src/migrations/20260403_204010.ts): Adds the payload_mcp_api_keys table and related schema.
• Documentation (docs/mcp-server.md, CLAUDE.md): Setup guide, security model, troubleshooting, and MCP querying tips for developers.

How to test

1. pnpm install to apply the patch
2. pnpm seed to set up the database with the new migration
3. pnpm dev to start the dev server
4. Log in as super admin
5. Navigate to Admin > MCP API Keys, create a new key associated with your user
6. Configure your AI tool's MCP server settings per docs/mcp-server.md
7. Verify you can query collections (e.g., findTenants, findPosts) - ask something like "List the posts for NWAC"
8. Verify non-super-admin users cannot access the MCP API Keys collection

Screenshots / Demo video

https://www.loom.com/share/ed05450621d9421baf0a5b356bd467a5

Migration Explanation

Adds the payload_mcp_api_keys table with columns for API key management (label, user relationship, API key hash, enabled collections, etc.). This is a purely additive migration — no existing tables are modified.

Future enhancements / Questions

• Open upstream PRs on @payloadcms/plugin-mcp for the authDepth and instructions features to eliminate the patch
• Consider enabling selective write operations (e.g., create on posts) for AI-assisted content workflows
• Consider adding custom MCP tools for non-CRUD operations (e.g., triggering revalidation, running reports)

[github-actions]

Migration Safety Check

Found 3 potential issues:

20260403_204010.ts

Warning (line 32): DELETE keyword detected - review for data loss

FOREIGN KEY (\`user_id\`) REFERENCES \`users\`(\`id\`) ON UPDATE no action ON DELETE set null

Warning (line 45): ALTER keyword detected - review for data loss

sql`ALTER TABLE \`payload_locked_documents_rels\` ADD \`payload_mcp_api_keys_id\` integer REFERENCES payload_mcp_api_keys(id);`,

Warning (line 51): ALTER keyword detected - review for data loss

sql`ALTER TABLE \`payload_preferences_rels\` ADD \`payload_mcp_api_keys_id\` integer REFERENCES payload_mcp_api_keys(id);`,

---

Review these patterns and add backup/restore logic if needed. See docs/migration-safety.md for guidance.

[github-actions]

Preview deployment: https://mcp-server.preview.avy-fx.org