A Model Context Protocol (MCP) server that connects AI agents to the ShopSite e-commerce platform.
This server allows LLMs to programmatically interact with a ShopSite store to retrieve orders, browse products, and update inventory, abstracting away the complexity of ShopSite's legacy XML/CGI interfaces and HMAC authentication.
- Orders: Fetch recent orders with date filtering.
- Products: Retrieve the full product catalog (paginated).
- Inventory: Update stock levels for specific SKUs.
- Search: Scrape the Back Office to find products by name/SKU.
- Security: Handles ShopSite's custom OAuth 1.0a-style HMAC-SHA1 signature generation automatically.
- Type Safety: Built with TypeScript and Zod for robust input validation.
| Tool | Description | Inputs |
|---|---|---|
get_orders |
Retrieve list of recent orders | days (optional, default 30) |
get_products |
Retrieve product catalog (paginated) | limit (default 50), offset (default 0) |
search_backoffice_products |
Search products via Admin UI (scraping) | query (name or sku string) |
update_inventory |
Update inventory quantity for a SKU | sku (string), quantity (number) |
- Node.js v18+ OR Docker
- A ShopSite store (Pro version recommended for XML API access)
- ShopSite API Credentials (Client ID, Secret, etc.)
- ShopSite Admin Credentials (for
search_backoffice_products)
You must provide the following environment variables (via .env or Docker env vars):
SHOPSITE_BASE_URL=https://mystore.com/cgi-bin/sc
SHOPSITE_CLIENT_ID=your_client_id
SHOPSITE_CLIENT_SECRET=your_client_secret
SHOPSITE_AUTH_CODE=your_auth_code
SHOPSITE_USER=your_username # Optional, depending on auth setup
SHOPSITE_PASS=your_password # OptionalTo obtain credentials:
- Log in to ShopSite Back Office.
- Go to Utilities > Applications.
- Register a new application to get the Client ID and Secret.
Run directly with Docker, passing your environment variables:
docker run -i --rm \
-e SHOPSITE_BASE_URL="https://mystore.com/cgi-bin/sc" \
-e SHOPSITE_CLIENT_ID="your_id" \
-e SHOPSITE_CLIENT_SECRET="your_secret" \
-e SHOPSITE_AUTH_CODE="your_code" \
ghcr.io/nickborrello/shopsite-mcp:latestRun directly from the registry without cloning:
npx shopsite-mcp(Ensure environment variables are set in your shell or .env)
-
Install dependencies:
npm install
-
Build the project:
npm run build
-
Run the server:
node dist/src/index.js
You can verify the signature logic without connecting to a real store by running the included test script:
node dist/test/verify_signature.jssrc/client.ts: Handles the OAuth HMAC signing and XML parsing.src/index.ts: Defines the MCP server and tools.src/types.ts: TypeScript interfaces for ShopSite XML structures.
To the team at ShopSite (if you ever read this): Please join us in the modern era.
Working with your platform is an absolute nightmare for developers.
- Complete Lack of Modern API: It is baffling that in this day and age, we are still forced to wrangle with archaic XML over CGI. There is no clean JSON REST API, no GraphQL, nothing that resembles modern software standards.
- Unnecessarily Complex Auth: Your implementation of HMAC-SHA1 signatures is convoluted, poorly documented, and fragile. It wastes hours of developer time for no tangible security benefit over standard OAuth 2.0.
- Hostile Ecosystem: This entire MCP server exists solely because you have made it so incredibly painful to build even the simplest integrations.
You are making it actively difficult for businesses to extend your platform. Please, for the sake of anyone who has to write code against your software: Build a real API.
This project is licensed under the ISC License - see the LICENSE file for details.
This project is an unofficial tool and is not affiliated with, endorsed by, or connected to ShopSite, Inc. "ShopSite" is a registered trademark of ShopSite, Inc.