Security
PrestaShop MCP Server offers two authentication methods to secure access to your store: OAuth 2.0 and Token authentication. OAuth 2.0 is the most secure method and should be preferred whenever possible.
OAuth 2.0 Authentication (Recommended)
The module uses PrestaShop OAuth to authenticate users. This approach ensures that only valid PrestaShop accounts can access your MCP Server.
Authentication follows the OAuth 2.0 standard, a secure authorization protocol widely used in the industry.
Tips
OAuth 2.0 is the most secure authentication method and is recommended by Anthropic for MCP servers. Prefer this method whenever your AI application supports it.
Why PrestaShop Accounts for OAuth?
The module relies on PrestaShop Accounts (ps_accounts) as OAuth provider because it is designed to integrate into the PrestaShop ecosystem:
- The `ps_accounts` module handles authentication and token validation
- OAuth scopes (`mcp.discover`, `mcp.read`, `mcp.write`) are specific to the MCP Server
- The email extracted from the OAuth token is used to verify authorizations in the members list
- The system integrates with other PrestaShop services (CloudSync, EventBus)
Using another OAuth provider would require recreating all this infrastructure and would lose integration with the existing PrestaShop ecosystem.
Token Authentication
For AI applications or MCP clients that do not support OAuth authentication, PrestaShop MCP Server offers an alternative: token-based authentication.
A token can be generated when adding a member from the Members page. This token is sent in the Authorization header as a Bearer or Basic value to authenticate requests directly, without going through the OAuth flow.
Warning
Token authentication is less secure than OAuth 2.0 because the token is static and does not expire automatically. Use it only when OAuth is not supported by your AI application.
Member Management
The Members page in the module configuration adds an additional security layer. Regardless of the authentication method used (OAuth or token), the user must be explicitly authorized in the members list to access the MCP Server.
Each member is assigned a role that determines their level of access:
- Viewer — Read-only access. The member can query data but cannot make any modifications.
- Editor — Full access (read and write). The member can query and modify data.
The server enforces role-based permissions on every request. A Viewer attempting a write operation will be rejected.
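The following is an added illustration of the request gate described in the Token Authentication and Member Management sections; it is example code, not the PrestaShop MCP Server module's own implementation. It parses a static token from a `Bearer` or `Basic` Authorization header, accepts an e-mail that would come from an already validated OAuth token, and then applies the members-list and role checks. The members list, the tokens, the `Basic` convention (token in the password field) and the mapping of `mcp.read`/`mcp.write` scopes to read and write operations are all assumptions made for the example.

```python
"""Illustrative authentication and authorization gate for an MCP request.
Added example; not code from the PrestaShop MCP Server module."""
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed members list, mirroring the Members page: e-mail -> role.
MEMBERS = {
    "alice@example.com": "editor",
    "bob@example.com": "viewer",
}

# Constructed static tokens (hypothetical values) mapped to a member e-mail.
TOKENS = {
    "tok_alice_0123": "alice@example.com",
    "tok_bob_4567": "bob@example.com",
}

# Operations that require the Editor role (assumed naming).
WRITE_OPS = {"create", "update", "delete"}


@dataclass
class Identity:
    email: str
    source: str  # "token" or "oauth"
    scopes: frozenset = frozenset()


def basic_header(user: str, token: str) -> str:
    """Build a Basic Authorization header; assumed convention puts the token
    in the password position."""
    raw = f"{user}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def identity_from_header(authorization: Optional[str]) -> Optional[Identity]:
    """Resolve a static token sent as 'Bearer <token>' or 'Basic <base64>'."""
    if not authorization:
        return None
    scheme, _, value = authorization.strip().partition(" ")
    scheme = scheme.lower()
    token = None
    if scheme == "bearer":
        token = value.strip()
    elif scheme == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        _, _, token = decoded.partition(":")
    if not token:
        return None
    email = TOKENS.get(token)
    return Identity(email, "token") if email else None


def identity_from_oauth(email: str, scopes) -> Optional[Identity]:
    """OAuth path: the e-mail and scopes come from a token that ps_accounts
    has already validated (that validation is out of scope here). The
    requirement for mcp.discover is an assumption of this example."""
    scopes = frozenset(scopes)
    if "mcp.discover" not in scopes:
        return None
    return Identity(email, "oauth", scopes)


def authorize(identity: Optional[Identity], operation: str) -> tuple[bool, str]:
    """Apply the members-list check, then the role check, then (OAuth only)
    the scope check. Returns (allowed, reason)."""
    if identity is None:
        return False, "401 unauthenticated"
    role = MEMBERS.get(identity.email.lower())
    if role is None:
        # Authenticated but not explicitly authorized on the Members page.
        return False, "403 not in members list"
    is_write = operation in WRITE_OPS
    if is_write and role != "editor":
        return False, "403 viewer cannot write"
    if identity.source == "oauth":
        needed = "mcp.write" if is_write else "mcp.read"
        if needed not in identity.scopes:
            return False, f"403 missing scope {needed}"
    return True, "200 ok"


if __name__ == "__main__":
    viewer = identity_from_header("Bearer tok_bob_4567")
    print(authorize(viewer, "read"), authorize(viewer, "update"))
```

Note that an unknown token and a valid token whose owner is missing from the members list are rejected at different stages (401 versus 403); keeping the two distinct in logs makes it easier to spot a forgotten member entry versus a bad credential.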
Recommendations
To maintain the security of your installation:
- Prefer OAuth 2.0 whenever your AI application supports it
- Regularly review the members list and remove unnecessary access
- Use strong passwords for your PrestaShop accounts
- Keep the module and its dependencies, such as the `ps_accounts` module, up to date to benefit from security fixes
- If using token authentication, regenerate tokens periodically and revoke those that are no longer needed
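Because static tokens do not expire on their own, the rotation and revocation advice above is easiest to follow with a small amount of bookkeeping. The example below is added here and is not part of the PrestaShop MCP Server module: it issues random tokens, stores only their SHA-256 hash, records the issue time, and supports revoking, rotating, and listing members whose tokens have passed an assumed maximum age (90 days in the example). The verification step also refuses tokens older than that age, which is a hardening choice of this example rather than documented module behaviour.

```python
"""Illustrative static-token store with hashing, rotation and revocation.
Added example; not code from the PrestaShop MCP Server module."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional


class TokenStore:
    def __init__(self, max_age_days: int = 90):
        # Assumed policy: tokens older than this are treated as expired.
        self.max_age = timedelta(days=max_age_days)
        self._records: dict[str, dict] = {}  # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a leaked store does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def issue(self, email: str, now: Optional[datetime] = None) -> str:
        """Generate a fresh token for a member and return it once."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "email": email.lower(),
            "issued": self._now(now),
            "revoked": False,
        }
        return token

    def verify(self, token: str, now: Optional[datetime] = None) -> Optional[str]:
        """Return the member e-mail for a live token, else None."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return None
        if self._now(now) - rec["issued"] > self.max_age:
            return None
        return rec["email"]

    def revoke(self, token: str) -> bool:
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def revoke_member(self, email: str) -> int:
        """Revoke every live token belonging to a member (e.g. on removal)."""
        count = 0
        for rec in self._records.values():
            if rec["email"] == email.lower() and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def rotate(self, email: str, now: Optional[datetime] = None) -> str:
        """Invalidate all of a member's tokens and hand out a new one."""
        self.revoke_member(email)
        return self.issue(email, now)

    def stale_members(self, now: Optional[datetime] = None) -> list[str]:
        """Members holding a live token past max_age; a periodic review list."""
        current = self._now(now)
        return sorted({
            rec["email"] for rec in self._records.values()
            if not rec["revoked"] and current - rec["issued"] > self.max_age
        })


if __name__ == "__main__":
    store = TokenStore()
    first = store.issue("alice@example.com")
    print("live:", store.verify(first))
    second = store.rotate("alice@example.com")
    print("old token after rotation:", store.verify(first))
    print("new token after rotation:", store.verify(second))
```

The constructed timestamps in the usage below are passed explicitly so the age logic can be exercised without waiting; in a real deployment the store would also need to persist its records and the Members page would be the place the resulting token is displayed once.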