MCP for PrestaShop

Security

PrestaShop MCP Server secures access to your store through an OAuth 2.0 authentication system and member management.

OAuth 2.0 Authentication

The module exclusively uses PrestaShop OAuth to authenticate users. This approach ensures that only valid PrestaShop accounts can access your MCP Server.

Authentication follows the OAuth 2.0 standard, a secure authorization protocol widely used in the industry.

How Authentication Works

Here's how the authentication process works when you connect an AI application to your store:

  1. You are redirected to the PrestaShop OAuth login page
  2. You authenticate with your PrestaShop credentials
  3. PrestaShop OAuth issues an access token with the following scopes:
    • mcp.discover: Discovery of available tools
    • mcp.read: Reading store data
    • mcp.write: Modifying store data
    • email: Access to your email for member verification
  4. With each request, the AI application sends this token in the Authorization header
  5. The MCP Server validates the token with PrestaShop OAuth and checks your email against the members list
  6. If the token is valid and the email is authorized, the request is processed

Each token is cryptographically signed and has a limited validity period. Expired tokens are automatically rejected.

Member Management

The Members page in the module configuration adds another security layer. Even with a valid PrestaShop account, you must be explicitly authorized in this list to access the MCP Server through an AI application.

By default, your PrestaShop account email address is automatically added during onboarding. You can then add or remove members as needed.

This dual verification (valid OAuth token + authorized email) ensures that only people of your choice can interact with your store through AI applications.
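
The per-request checks from "How Authentication Works" and the dual verification above can be pictured as a deny-by-default gate. This is an added sketch in Python, not the module's or ps_accounts' code: `validate_token` stands in for validation by PrestaShop OAuth, and the claim names, the operation-to-scope mapping, the order of checks and the case-insensitive email comparison are all assumptions.

```python
import time

# Assumed mapping from the kind of MCP request to the scope it requires.
REQUIRED_SCOPE = {"discover": "mcp.discover", "read": "mcp.read", "write": "mcp.write"}

def authorize(auth_header, operation, members, validate_token, now=None):
    """Return (allowed, reason); the request passes only if every check does."""
    now = time.time() if now is None else now
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "missing or malformed Authorization header"
    # Hypothetical hook: returns the token's claims, or None if validation fails.
    claims = validate_token(token.strip())
    if claims is None:
        return False, "token rejected by validator"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None or needed not in claims.get("scope", "").split():
        return False, "scope not granted"
    # Second factor of the dual verification: the email must be a listed member.
    email = claims.get("email", "").strip().lower()
    if not email or email not in {m.strip().lower() for m in members}:
        return False, "email not in members list"
    return True, "ok"

# Constructed sample data: tokens, claims and members are invented for the demo.
NOW = 1_700_000_000
ALL_SCOPES = "mcp.discover mcp.read mcp.write email"
TOKENS = {
    "tok-owner": {"email": "Owner@example.com", "scope": ALL_SCOPES, "exp": NOW + 3600},
    "tok-outsider": {"email": "outsider@example.com", "scope": ALL_SCOPES, "exp": NOW + 3600},
    "tok-readonly": {"email": "analyst@example.com", "scope": "mcp.discover mcp.read email",
                     "exp": NOW + 3600},
    "tok-expired": {"email": "owner@example.com", "scope": ALL_SCOPES, "exp": NOW - 1},
}
MEMBERS = ["owner@example.com", "analyst@example.com"]

def fake_validator(token):
    """Stand-in validator: looks the token up in the constructed table."""
    return TOKENS.get(token)

if __name__ == "__main__":
    for tok, op in [("tok-owner", "write"), ("tok-outsider", "read"),
                    ("tok-readonly", "write"), ("tok-expired", "read")]:
        print(tok, op, authorize(f"Bearer {tok}", op, MEMBERS, fake_validator, now=NOW))
```

The `tok-outsider` case is the one the Members page exists for: the token is valid and carries every scope, yet the request is refused because the email is not on the list.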

Why Only PrestaShop OAuth?

The module relies on PrestaShop OAuth because it is designed to integrate into the PrestaShop ecosystem:

  • The ps_accounts module handles authentication and token validation
  • OAuth scopes (mcp.discover, mcp.read, mcp.write) are specific to the MCP Server
  • The email extracted from the OAuth token is used to verify authorizations in the members list
  • The system integrates with other PrestaShop services (CloudSync, EventBus)

Using another OAuth provider would require recreating all this infrastructure and would lose integration with the existing PrestaShop ecosystem.

Recommendations

To maintain the security of your installation:

  • Regularly review the members list and remove unnecessary access
  • Use strong passwords for your PrestaShop accounts
  • Keep the module and its dependencies, such as the ps_accounts module, up to date to benefit from security fixes
Last Updated: 1/7/26, 1:32 PM
Contributors: fox-john