Official Shopify Dev MCP server from the Shopify AI Toolkit that connects Claude and other MCP clients to Shopify developer documentation, API schemas, GraphQL validation, Liquid and theme validation, UI extension validation, Shopify Functions guidance, Polaris surfaces, and Shopify CLI workflow guidance.
Shopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store., Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself., Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action., Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow., Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension., The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters., The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior., Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
Privacy notes
Shopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text., The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number., Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path., Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage., Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts., Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts., MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.
Author
Shopify
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
8 safety and 7 privacy notes across 5 risk areas. Review closely: permissions & scopes, network access.
5 areas
SafetyPermissions & scopesShopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store.
SafetyPermissions & scopesStore-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself.
SafetyData retentionMutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action.
SafetyPermissions & scopesValidate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow.
SafetyPermissions & scopesValidate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension.
SafetyExecution & processesThe npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters.
SafetyExecution & processesThe AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior.
SafetyPermissions & scopesDo not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
PrivacyNetwork accessShopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text.
PrivacyLocal filesThe same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number.
PrivacyLocal filesSet `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path.
PrivacyLocal filesTool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage.
PrivacyPermissions & scopesStore-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts.
PrivacyLocal filesTheme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts.
PrivacyExecution & processesMCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.
Safety notes
Shopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store.
Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself.
Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action.
Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow.
Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension.
The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters.
The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior.
Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
Privacy notes
Shopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text.
The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number.
Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path.
Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage.
Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts.
Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts.
MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.
Prerequisites
Node.js 18 or later for the documented Shopify AI Toolkit requirements.
MCP-capable client such as Claude Code, Codex, Cursor, Gemini CLI, VS Code, or another stdio-compatible client.
Network access to install and update the `@shopify/dev-mcp` npm package and fetch Shopify developer resources.
Shopify app, theme, storefront, extension, Functions, or Admin API project context when validating code against Shopify schemas.
Decision on whether to use the Dev MCP server directly, the Shopify AI Toolkit plugin, or individual Shopify agent skills.
Telemetry decision for Shopify AI Toolkit search and validation surfaces, including whether to set `OPT_OUT_INSTRUMENTATION=true`.
Separate Shopify CLI authentication and scope plan before using generated `shopify store auth` or `shopify store execute` commands against a real store.
Shopify Dev MCP is the direct MCP-server install path for the official Shopify
AI Toolkit. It runs locally with npx -y @shopify/dev-mcp@latest and gives
Claude, Codex, Cursor, Gemini CLI, VS Code, and other MCP clients access to
Shopify developer documentation, API schema guidance, GraphQL validation,
Liquid and theme checks, UI extension validation, Shopify Functions guidance,
Polaris surfaces, and Shopify CLI workflow instructions.
Use it when the assistant needs current Shopify platform context while building
apps, themes, storefronts, checkout extensions, customer account extensions, POS
extensions, Functions, Admin GraphQL workflows, Storefront API flows, or Partner
API workflows. Keep the boundary clear: the Dev MCP server is a developer
resource server, while real store operations require separately authenticated
Shopify CLI commands and human review.
Features
Official Shopify AI Toolkit source from Shopify/Shopify-AI-Toolkit.
Direct local stdio MCP setup through npx -y @shopify/dev-mcp@latest.
Documented setup examples for Claude Code, Codex, Cursor, Gemini CLI, and VS
Code.
No authentication required for the documented Dev MCP developer-resource
server.
learn_shopify_api guidance for selecting relevant Shopify APIs and versions.
search_docs_chunks for finding current Shopify developer documentation and
API references.
validate_graphql_codeblocks for validating GraphQL operations against
Shopify Admin, Storefront, Customer Account, Partner, Payments Apps, and
Functions schemas.
validate_component_codeblocks for validating UI extension and Polaris
component code against supported surfaces and API versions.
validate_theme and validate_theme_codeblocks for Liquid and theme
validation.
Bundled schema data for Admin, Storefront, Partner, Customer, Payments Apps,
and multiple Shopify Functions APIs across stable, release-candidate, and
unstable API versions.
Shopify CLI guidance for app scaffolding, extension generation, app config
validation, development, deployment, store authentication, and store-scoped
GraphQL execution.
Optional alternate install paths through the auto-updating Shopify AI Toolkit
plugin or individual Shopify agent skills.
Use Cases
Ask Claude to validate an Admin GraphQL mutation before adding it to a
Shopify app.
Search Shopify docs for the right API version, extension target, Polaris
component, Liquid object, or Functions input shape.
Validate Liquid snippets, theme schema blocks, JSON templates, and translation
files before changing a theme.
Generate checkout, customer account, POS, Admin, or app-home UI extension code
and validate the component surface before shipping.
Build or debug Shopify Functions with schema-backed GraphQL input validation.
Convert a store task into a scoped Shopify CLI workflow using
shopify store auth and shopify store execute, then review the command
before running it.
Keep a Shopify app, theme, or extension conversation grounded in Shopify's
current docs instead of relying on stale model memory.
Installation
Claude Code
Add the MCP server through Claude Code's stdio MCP configuration:
claude mcp add --transport stdio shopify-dev-mcp -- npx -y @shopify/dev-mcp@latest
Restart Claude Code after adding the server.
Generic MCP JSON
Use this shape for MCP clients that accept mcpServers JSON:
Restart the client after editing MCP configuration.
Configuration
Disable default instrumentation
Set OPT_OUT_INSTRUMENTATION=true when using AI Toolkit search or validation
surfaces with private code, store-specific context, or sensitive file paths:
For any task that targets a real Shopify store, require the assistant to state
the store domain, scopes, operation type, and whether mutation execution is
needed before running shell commands:
Validate the GraphQL operation first. If it is a mutation, do not run
`shopify store execute` until I approve the exact store domain, scopes, query,
variables, and `--allow-mutations` flag.
Examples
Validate a Shopify Admin GraphQL operation:
Use Shopify Dev MCP to validate this Admin GraphQL mutation against the current
stable API version. If validation fails, fix the operation and validate again.
Do not run it against a store.
Work on Liquid theme code:
Search Shopify docs for the relevant Liquid object and validate this section
schema and Liquid code. Point out errors before suggesting theme changes.
Prepare, but do not run, a store-scoped command:
Create a Shopify CLI workflow for reading inventory for SKU EXAMPLE-SKU from
staging-shop.myshopify.com. Validate the GraphQL query and show the exact
`shopify store auth` and `shopify store execute` commands, but do not run them.
npm package: @shopify/dev-mcp, binary shopify-dev-mcp, latest package
checked as 1.14.0 on 2026-06-04.
Shopify's docs state that the Dev MCP server runs locally and does not require
authentication.
The toolkit repository is MIT licensed; the npm package metadata for
@shopify/dev-mcp currently reports ISC.
The older https://shopify.dev/apps/build/devmcp path redirects to the
current AI Toolkit documentation page.
Duplicate Check
Checked current upstream content for Shopify titles, slugs, source URLs,
shopify-dev-mcp, @shopify/dev-mcp, Shopify AI Toolkit,
Shopify-AI-Toolkit, and the current and legacy docs URLs.
Checked live open issues and pull requests for Shopify MCP and
shopify-dev-mcp.
No dedicated Shopify Dev MCP entry, source URL duplicate, target file
duplicate, semantic duplicate, or open duplicate PR was found before drafting.
Disclosure
This is an independent community directory entry submitted by oktofeesh1.
Shopify is a commercial ecommerce platform, but this listing is not sponsored,
paid, affiliate-backed, or submitted by Shopify. Use Shopify's current docs,
API terms, privacy policy, and Partner requirements before connecting an
assistant to store-specific workflows.
Show that Shopify Dev MCP for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/shopify-dev-mcp)
How it compares
Shopify Dev MCP for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
Official Shopify Dev MCP server from the Shopify AI Toolkit that connects Claude and other MCP clients to Shopify developer documentation, API schemas, GraphQL validation, Liquid and theme validation, UI extension validation, Shopify Functions guidance, Polaris surfaces, and Shopify CLI workflow guidance.
Real-time product search and price comparison across 11M+ products from Singapore, Southeast Asia, and US marketplaces via a remote streamable-HTTP MCP endpoint with API key auth.
MCP server for context-window optimization that routes large tool outputs through sandbox tools, indexes session state, and helps agents retrieve only the context they need.
Built-in Streamable HTTP MCP server for Dagu that lets AI agents read workflow state, inspect DAG specs and logs, preview or apply workflow changes, and start, enqueue, retry, or stop DAG runs.
✓Shopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store.
Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself.
Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action.
Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow.
Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension.
The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters.
The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior.
Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
✓Read-only product catalog access by default; no write or delete operations exposed.
API key should be stored in the MCP client config or environment, never committed.
✓Context Mode encourages agents to execute scripts and route large outputs through sandbox tools; review allowed commands and workspace boundaries.
Hook-based installs can affect tool routing automatically. Verify the installed hooks and settings before using it in shared or sensitive workspaces.
Indexed session state can influence future retrieval and continuity; purge state when switching projects, clients, or sensitivity levels.
Do not rely on compressed or searched summaries for high-stakes decisions without inspecting original files or outputs.
✓Dagu is a workflow engine; MCP access can expose shell commands, Docker containers, Kubernetes Jobs, SSH commands, SQL queries, HTTP calls, agent harnesses, and other workflow steps.
The MCP server registers `dagu_change` and `dagu_execute` as destructive-capable tools, so require preview/review before applying DAG changes or starting/stopping production runs.
API keys can be scoped to the MCP surface; avoid reusing broad admin credentials for agent access.
Workflow edits may change schedules, parameters, retries, secrets usage, queues, resource limits, notifications, and downstream infrastructure actions.
Keep the Dagu server and MCP endpoint behind trusted network boundaries, TLS, and authentication for shared or remote deployments.
Privacy notes
✓Shopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text.
The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number.
Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path.
Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage.
Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts.
Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts.
MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.
✓BuyWhere API key is sent as a Bearer token in the Authorization header on every request.
Search queries are sent to BuyWhere's API to retrieve product data; no third-party analytics or telemetry is included in MCP responses.
BuyWhere may log API request metadata (endpoint, timestamp, status) for abuse prevention and billing.
✓Context Mode can index file edits, git operations, tasks, errors, user decisions, local files, and command output in SQLite/FTS5 stores.
Indexed data may include source code, logs, secrets accidentally printed to terminal, customer data, repository paths, and private prompts.
Local analytics and statusline data can reveal workflow patterns, tool usage, and project activity.
✓DAG specs, run parameters, logs, documents, audit records, secrets references, API keys, environment variables, and workflow outputs may be exposed to the MCP client.
Workflow logs can contain credentials, customer data, internal hostnames, database query results, command output, file paths, or incident context.
Dagu stores state locally by default and can also run distributed workers; review where DAG files, logs, audit entries, and secrets are persisted.
Any workflow state returned through the MCP client may be sent onward to the configured model provider.
Prerequisites
Node.js 18 or later for the documented Shopify AI Toolkit requirements.
MCP-capable client such as Claude Code, Codex, Cursor, Gemini CLI, VS Code, or another stdio-compatible client.
Network access to install and update the `@shopify/dev-mcp` npm package and fetch Shopify developer resources.
Shopify app, theme, storefront, extension, Functions, or Admin API project context when validating code against Shopify schemas.
A BuyWhere API key (free at https://buywhere.ai/api-keys).
An MCP client such as Claude Code, Claude Desktop, Cursor, Windsurf, or any MCP-compatible host.
Network access to https://api.buywhere.ai.
Node.js 22.5 or newer, or Bun for supported installs.
MCP client such as Claude Code, Gemini CLI, VS Code Copilot, Cursor, Codex, or another supported host.
Optional Claude Code plugin marketplace support for automatic hooks and slash commands.
Team agreement on what files, command outputs, and session events may be indexed locally.
Dagu installed from Homebrew, GitHub Releases, npm, Docker/GHCR, Helm, or another upstream-supported installation path.
A running Dagu HTTP server with the built-in MCP endpoint enabled through the normal server path.
MCP client that supports Streamable HTTP server configuration.
API key with MCP surface access when Dagu authentication is enabled.