Skip to main content
mcpSource-backed
Shopify logo

Shopify Dev MCP for Claude

Official Shopify Dev MCP server from the Shopify AI Toolkit that connects Claude and other MCP clients to Shopify developer documentation, API schemas, GraphQL validation, Liquid and theme validation, UI extension validation, Shopify Functions guidance, Polaris surfaces, and Shopify CLI workflow guidance.

by Shopify · submitted by oktofeesh1·added 2026-06-04·
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://shopify.dev/docs/apps/build/ai-toolkit, https://github.com/Shopify/Shopify-AI-Toolkit
Brand
Shopify
Brand domain
shopify.com
Brand asset source
brandfetch
Safety notes
Shopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store., Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself., Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action., Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow., Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension., The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters., The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior., Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
Privacy notes
Shopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text., The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number., Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path., Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage., Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts., Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts., MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.
Author
Shopify
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

CLI install

Copy-ready — paste the snippet to get started.

10 minutes

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

7 prerequisites to line up before setup.

0/7 ready
Install & runtime2Configuration1Permissions & scopes1Network & hosting1General210 minutes

Safety & privacy surface

Safety & privacy surface

8 safety and 7 privacy notes across 5 risk areas. Review closely: permissions & scopes, network access.

5 areas
  • SafetyPermissions & scopesShopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store.
  • SafetyPermissions & scopesStore-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself.
  • SafetyData retentionMutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action.
  • SafetyPermissions & scopesValidate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow.
  • SafetyPermissions & scopesValidate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension.
  • SafetyExecution & processesThe npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters.
  • SafetyExecution & processesThe AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior.
  • SafetyPermissions & scopesDo not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.
  • PrivacyNetwork accessShopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text.
  • PrivacyLocal filesThe same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number.
  • PrivacyLocal filesSet `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path.
  • PrivacyLocal filesTool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage.
  • PrivacyPermissions & scopesStore-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts.
  • PrivacyLocal filesTheme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts.
  • PrivacyExecution & processesMCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.

Safety notes

  • Shopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store.
  • Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself.
  • Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action.
  • Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow.
  • Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension.
  • The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters.
  • The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior.
  • Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.

Privacy notes

  • Shopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text.
  • The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number.
  • Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path.
  • Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage.
  • Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts.
  • Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts.
  • MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.

Prerequisites

  • Node.js 18 or later for the documented Shopify AI Toolkit requirements.
  • MCP-capable client such as Claude Code, Codex, Cursor, Gemini CLI, VS Code, or another stdio-compatible client.
  • Network access to install and update the `@shopify/dev-mcp` npm package and fetch Shopify developer resources.
  • Shopify app, theme, storefront, extension, Functions, or Admin API project context when validating code against Shopify schemas.
  • Decision on whether to use the Dev MCP server directly, the Shopify AI Toolkit plugin, or individual Shopify agent skills.
  • Telemetry decision for Shopify AI Toolkit search and validation surfaces, including whether to set `OPT_OUT_INSTRUMENTATION=true`.
  • Separate Shopify CLI authentication and scope plan before using generated `shopify store auth` or `shopify store execute` commands against a real store.

Schema details

Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Collection metadata
Estimated setup
10 minutes
Difficulty
intermediate
Full copyable content
{
  "mcpServers": {
    "shopify-dev-mcp": {
      "command": "npx",
      "args": ["-y", "@shopify/dev-mcp@latest"]
    }
  }
}

About this resource

Content

Shopify Dev MCP is the direct MCP-server install path for the official Shopify AI Toolkit. It runs locally with npx -y @shopify/dev-mcp@latest and gives Claude, Codex, Cursor, Gemini CLI, VS Code, and other MCP clients access to Shopify developer documentation, API schema guidance, GraphQL validation, Liquid and theme checks, UI extension validation, Shopify Functions guidance, Polaris surfaces, and Shopify CLI workflow instructions.

Use it when the assistant needs current Shopify platform context while building apps, themes, storefronts, checkout extensions, customer account extensions, POS extensions, Functions, Admin GraphQL workflows, Storefront API flows, or Partner API workflows. Keep the boundary clear: the Dev MCP server is a developer resource server, while real store operations require separately authenticated Shopify CLI commands and human review.

Features

  • Official Shopify AI Toolkit source from Shopify/Shopify-AI-Toolkit.
  • Direct local stdio MCP setup through npx -y @shopify/dev-mcp@latest.
  • Documented setup examples for Claude Code, Codex, Cursor, Gemini CLI, and VS Code.
  • No authentication required for the documented Dev MCP developer-resource server.
  • learn_shopify_api guidance for selecting relevant Shopify APIs and versions.
  • search_docs_chunks for finding current Shopify developer documentation and API references.
  • validate_graphql_codeblocks for validating GraphQL operations against Shopify Admin, Storefront, Customer Account, Partner, Payments Apps, and Functions schemas.
  • validate_component_codeblocks for validating UI extension and Polaris component code against supported surfaces and API versions.
  • validate_theme and validate_theme_codeblocks for Liquid and theme validation.
  • Bundled schema data for Admin, Storefront, Partner, Customer, Payments Apps, and multiple Shopify Functions APIs across stable, release-candidate, and unstable API versions.
  • Shopify CLI guidance for app scaffolding, extension generation, app config validation, development, deployment, store authentication, and store-scoped GraphQL execution.
  • Optional alternate install paths through the auto-updating Shopify AI Toolkit plugin or individual Shopify agent skills.

Use Cases

  • Ask Claude to validate an Admin GraphQL mutation before adding it to a Shopify app.
  • Search Shopify docs for the right API version, extension target, Polaris component, Liquid object, or Functions input shape.
  • Validate Liquid snippets, theme schema blocks, JSON templates, and translation files before changing a theme.
  • Generate checkout, customer account, POS, Admin, or app-home UI extension code and validate the component surface before shipping.
  • Build or debug Shopify Functions with schema-backed GraphQL input validation.
  • Convert a store task into a scoped Shopify CLI workflow using shopify store auth and shopify store execute, then review the command before running it.
  • Keep a Shopify app, theme, or extension conversation grounded in Shopify's current docs instead of relying on stale model memory.

Installation

Claude Code

Add the MCP server through Claude Code's stdio MCP configuration:

claude mcp add --transport stdio shopify-dev-mcp -- npx -y @shopify/dev-mcp@latest

Restart Claude Code after adding the server.

Generic MCP JSON

Use this shape for MCP clients that accept mcpServers JSON:

{
  "mcpServers": {
    "shopify-dev-mcp": {
      "command": "npx",
      "args": ["-y", "@shopify/dev-mcp@latest"]
    }
  }
}

Codex CLI

Codex uses TOML-style MCP configuration:

[mcp_servers.shopify-dev-mcp]
command = "npx"
args = ["-y", "@shopify/dev-mcp@latest"]

Restart the client after editing MCP configuration.

Configuration

Disable default instrumentation

Set OPT_OUT_INSTRUMENTATION=true when using AI Toolkit search or validation surfaces with private code, store-specific context, or sensitive file paths:

{
  "mcpServers": {
    "shopify-dev-mcp": {
      "command": "npx",
      "args": ["-y", "@shopify/dev-mcp@latest"],
      "env": {
        "OPT_OUT_INSTRUMENTATION": "true"
      }
    }
  }
}

Store-scoped CLI workflow guardrail

For any task that targets a real Shopify store, require the assistant to state the store domain, scopes, operation type, and whether mutation execution is needed before running shell commands:

Validate the GraphQL operation first. If it is a mutation, do not run
`shopify store execute` until I approve the exact store domain, scopes, query,
variables, and `--allow-mutations` flag.

Examples

Validate a Shopify Admin GraphQL operation:

Use Shopify Dev MCP to validate this Admin GraphQL mutation against the current
stable API version. If validation fails, fix the operation and validate again.
Do not run it against a store.

Work on Liquid theme code:

Search Shopify docs for the relevant Liquid object and validate this section
schema and Liquid code. Point out errors before suggesting theme changes.

Prepare, but do not run, a store-scoped command:

Create a Shopify CLI workflow for reading inventory for SKU EXAMPLE-SKU from
staging-shop.myshopify.com. Validate the GraphQL query and show the exact
`shopify store auth` and `shopify store execute` commands, but do not run them.

Source Notes

  • Official docs: Shopify AI Toolkit.
  • Official repository: Shopify/Shopify-AI-Toolkit.
  • npm package: @shopify/dev-mcp, binary shopify-dev-mcp, latest package checked as 1.14.0 on 2026-06-04.
  • Shopify's docs state that the Dev MCP server runs locally and does not require authentication.
  • The toolkit repository is MIT licensed; the npm package metadata for @shopify/dev-mcp currently reports ISC.
  • The older https://shopify.dev/apps/build/devmcp path redirects to the current AI Toolkit documentation page.

Duplicate Check

  • Checked current upstream content for Shopify titles, slugs, source URLs, shopify-dev-mcp, @shopify/dev-mcp, Shopify AI Toolkit, Shopify-AI-Toolkit, and the current and legacy docs URLs.
  • Checked live open issues and pull requests for Shopify MCP and shopify-dev-mcp.
  • No dedicated Shopify Dev MCP entry, source URL duplicate, target file duplicate, semantic duplicate, or open duplicate PR was found before drafting.

Disclosure

This is an independent community directory entry submitted by oktofeesh1. Shopify is a commercial ecommerce platform, but this listing is not sponsored, paid, affiliate-backed, or submitted by Shopify. Use Shopify's current docs, API terms, privacy policy, and Partner requirements before connecting an assistant to store-specific workflows.

Source citations

Add this badge to your README

Show that Shopify Dev MCP for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/shopify-dev-mcp.svg)](https://heyclau.de/entry/mcp/shopify-dev-mcp)

How it compares

Shopify Dev MCP for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Official Shopify Dev MCP server from the Shopify AI Toolkit that connects Claude and other MCP clients to Shopify developer documentation, API schemas, GraphQL validation, Liquid and theme validation, UI extension validation, Shopify Functions guidance, Polaris surfaces, and Shopify CLI workflow guidance.

Open dossier

Real-time product search and price comparison across 11M+ products from Singapore, Southeast Asia, and US marketplaces via a remote streamable-HTTP MCP endpoint with API key auth.

Open dossier

MCP server for context-window optimization that routes large tool outputs through sandbox tools, indexes session state, and helps agents retrieve only the context they need.

Open dossier

Built-in Streamable HTTP MCP server for Dagu that lets AI agents read workflow state, inspect DAG specs and logs, preview or apply workflow changes, and start, enqueue, retry, or stop DAG runs.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDiffersoktofeesh1BuyWhereoktofeesh1oktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandShopify logoShopifyBuyWhere logoBuyWhereContext Mode logoContext ModeDagu logoDagu
Categorymcpmcpmcpmcp
SourceSource-backedSource-backedSource-backedSource-backed
AuthorShopifyBuyWheremksgludagucloud
Added2026-06-042026-06-262026-06-052026-06-06
Platforms
Harness
Source repo
Safety notesShopify documents the Dev MCP server as a local MCP server for developer resources that does not require authentication. Do not assume that means an assistant has permission to operate a real store. Store-scoped workflows are routed through Shopify CLI guidance such as `shopify store auth` and `shopify store execute`. Those commands require explicit store domains, scopes, and local shell execution outside the MCP server itself. Mutating store operations must include `--allow-mutations` according to the bundled Shopify CLI guidance. Treat any mutation, product change, inventory change, theme change, discount change, or customer-account operation as a human-approved production action. Validate generated Admin, Storefront, Customer Account, Partner, Payments Apps, and Shopify Functions GraphQL operations with `validate_graphql_codeblocks` before using them in an app or CLI workflow. Validate Liquid, theme, and UI extension code with the matching validation tools before deploying or copying it into a merchant-facing storefront, checkout, customer account, POS, or Admin extension. The npm package is installed at runtime with `npx`. Pin a version and review package metadata when reproducibility, supply-chain review, or enterprise change control matters. The AI Toolkit plugin is recommended by Shopify because it auto-updates. Direct MCP and manual skill installs may require manual updates when Shopify changes API versions, schemas, or validation behavior. Do not let an assistant run Shopify CLI store commands against production stores unless the exact store domain, scopes, GraphQL operation, variables, mutation status, and rollback plan have been reviewed.Read-only product catalog access by default; no write or delete operations exposed. API key should be stored in the MCP client config or environment, never committed.Context Mode encourages agents to execute scripts and route large outputs through sandbox tools; review allowed commands and workspace boundaries. Hook-based installs can affect tool routing automatically. Verify the installed hooks and settings before using it in shared or sensitive workspaces. Indexed session state can influence future retrieval and continuity; purge state when switching projects, clients, or sensitivity levels. Do not rely on compressed or searched summaries for high-stakes decisions without inspecting original files or outputs.Dagu is a workflow engine; MCP access can expose shell commands, Docker containers, Kubernetes Jobs, SSH commands, SQL queries, HTTP calls, agent harnesses, and other workflow steps. The MCP server registers `dagu_change` and `dagu_execute` as destructive-capable tools, so require preview/review before applying DAG changes or starting/stopping production runs. API keys can be scoped to the MCP surface; avoid reusing broad admin credentials for agent access. Workflow edits may change schedules, parameters, retries, secrets usage, queues, resource limits, notifications, and downstream infrastructure actions. Keep the Dagu server and MCP endpoint behind trusted network boundaries, TLS, and authentication for shared or remote deployments.
Privacy notesShopify's toolkit README states that search and validation scripts send usage events to `https://shopify.dev/mcp/usage` by default, including tool name, skill name and version, model/client identifiers when supplied, search query text, search response, and error text. The same instrumentation can include validation results, validated code when present, validator-specific context, file type, theme path, file list, artifact ID, and revision number. Set `OPT_OUT_INSTRUMENTATION=true` when prompts, code snippets, validation inputs, file paths, model identifiers, or client identifiers should not be reported through Shopify's default instrumentation path. Tool results and documentation search can expose Shopify app architecture, API names, version choices, schema fragments, extension targets, Liquid snippets, theme paths, checkout or customer account surfaces, Functions inputs, and Polaris component usage. Store-scoped CLI workflows can expose store domains, access scopes, GraphQL operations, variables, query results, product data, customer data, inventory data, order data, and merchant-specific configuration in terminal output and AI transcripts. Theme validation can inspect local theme files, filenames, paths, Liquid code, JSON templates, translation files, and schema blocks. Treat those as merchant or project-confidential when sharing logs or transcripts. MCP client logs, package manager logs, shell history, editor logs, and assistant conversations may retain generated Shopify code, store domains, schema validation errors, and command output outside Shopify.BuyWhere API key is sent as a Bearer token in the Authorization header on every request. Search queries are sent to BuyWhere's API to retrieve product data; no third-party analytics or telemetry is included in MCP responses. BuyWhere may log API request metadata (endpoint, timestamp, status) for abuse prevention and billing.Context Mode can index file edits, git operations, tasks, errors, user decisions, local files, and command output in SQLite/FTS5 stores. Indexed data may include source code, logs, secrets accidentally printed to terminal, customer data, repository paths, and private prompts. Local analytics and statusline data can reveal workflow patterns, tool usage, and project activity.DAG specs, run parameters, logs, documents, audit records, secrets references, API keys, environment variables, and workflow outputs may be exposed to the MCP client. Workflow logs can contain credentials, customer data, internal hostnames, database query results, command output, file paths, or incident context. Dagu stores state locally by default and can also run distributed workers; review where DAG files, logs, audit entries, and secrets are persisted. Any workflow state returned through the MCP client may be sent onward to the configured model provider.
Prerequisites
  • Node.js 18 or later for the documented Shopify AI Toolkit requirements.
  • MCP-capable client such as Claude Code, Codex, Cursor, Gemini CLI, VS Code, or another stdio-compatible client.
  • Network access to install and update the `@shopify/dev-mcp` npm package and fetch Shopify developer resources.
  • Shopify app, theme, storefront, extension, Functions, or Admin API project context when validating code against Shopify schemas.
  • A BuyWhere API key (free at https://buywhere.ai/api-keys).
  • An MCP client such as Claude Code, Claude Desktop, Cursor, Windsurf, or any MCP-compatible host.
  • Network access to https://api.buywhere.ai.
  • Node.js 22.5 or newer, or Bun for supported installs.
  • MCP client such as Claude Code, Gemini CLI, VS Code Copilot, Cursor, Codex, or another supported host.
  • Optional Claude Code plugin marketplace support for automatic hooks and slash commands.
  • Team agreement on what files, command outputs, and session events may be indexed locally.
  • Dagu installed from Homebrew, GitHub Releases, npm, Docker/GHCR, Helm, or another upstream-supported installation path.
  • A running Dagu HTTP server with the built-in MCP endpoint enabled through the normal server path.
  • MCP client that supports Streamable HTTP server configuration.
  • API key with MCP surface access when Dagu authentication is enabled.
Install
npx -y @shopify/dev-mcp@latest
claude mcp add buywhere --transport http --header "Authorization: Bearer YOUR_BUYWHERE_API_KEY" https://api.buywhere.ai/mcp
claude mcp add context-mode -- npx -y context-mode
brew install dagu
Config
{
  "mcpServers": {
    "shopify-dev-mcp": {
      "command": "npx",
      "args": ["-y", "@shopify/dev-mcp@latest"],
      "env": {
        "OPT_OUT_INSTRUMENTATION": "true"
      }
    }
  }
}
{
  "mcpServers": {
    "buywhere": {
      "type": "http",
      "url": "https://api.buywhere.ai/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_BUYWHERE_API_KEY",
        "X-Buywhere-Market": "SG"
      }
    }
  }
}
{
  "mcpServers": {
    "context-mode": {
      "command": "npx",
      "args": ["-y", "context-mode"]
    }
  }
}
{
  "mcpServers": {
    "dagu": {
      "url": "LOCAL_DAGU_MCP_URL",
      "headers": {
        "Authorization": "Bearer DAGU_MCP_API_KEY"
      }
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.