Settings

All settings for the AI Integration extension are located at Stores -> Configuration -> Mirasvit Extensions -> MCP Server.

Tip: To apply changes, clear the Magento cache after modifying these settings.

General Settings

  • Enable MCP Server: master switch for the MCP server endpoint. When set to No, AI clients will not be able to connect, and the MCP endpoint (/mcp/server/handle) will return an error. Default: Yes.

Security

  • Allowed IP Addresses: restricts which IP addresses can access the MCP endpoint. Enter one IP address per line. When empty (default), all IPs are allowed.

Note: IP restriction is applied before OAuth authentication. If a request comes from a non-allowed IP, it is rejected immediately without checking the OAuth token.

Even when no IP restriction is configured, every request still requires a valid OAuth access token.


Authentication

AI Integration uses OAuth 2.1 with PKCE for authentication. AI clients never receive your admin password — they get a scoped access token through the OAuth authorization flow.

  • Access Token Lifetime (seconds): how long an access token remains valid after being issued. After expiry, the AI client automatically uses its refresh token to get a new access token. No manual action is required. Default: 3600 (1 hour).

  • Refresh Token Lifetime (seconds): how long the client stays "connected" without the admin user needing to re-authorize. Once the refresh token expires, the AI client must go through the authorization flow again. Default: 2592000 (30 days).

  • Authorization Code Lifetime (seconds): how long the one-time authorization code is valid between when the admin clicks Authorize on the consent screen and when the AI client exchanges it for tokens. Default: 600 (10 minutes).

  • Require User Consent: controls whether the admin sees a consent screen showing which tools and permissions the AI client is requesting before authorization is granted. When set to No, authorization is granted immediately. Default: Yes.

Token lifecycle

The OAuth flow works as follows:

  1. Authorization: the AI client opens a browser window. The admin sees a consent screen and clicks Authorize. An authorization code is generated (valid for the configured lifetime).
  2. Token exchange: the AI client exchanges the authorization code for an access token and a refresh token.
  3. API access: the AI client uses the access token for every MCP request.
  4. Automatic refresh: when the access token expires, the AI client automatically uses the refresh token to get a new access token. This happens transparently.
  5. Re-authorization: when the refresh token expires, the admin must authorize the client again through the consent flow.
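
Steps 1 and 2 above, modelled as an added Python sketch (not the extension's code) to show what PKCE and the Authorization Code Lifetime protect against: an intercepted, replayed or stale code cannot be turned into tokens. The names s256, make_pkce_pair and AuthServer are hypothetical, the S256 challenge method follows RFC 7636, and discarding the code on a failed exchange is an assumption; the lifetimes are the defaults listed on this page.

```python
import base64, hashlib, secrets

AUTH_CODE_LIFETIME = 600      # page default (seconds)
ACCESS_TOKEN_LIFETIME = 3600  # page default (seconds)

def s256(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: fresh random verifier (43 chars) and its challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)

class AuthServer:
    """Hypothetical in-memory model of the authorization server."""
    def __init__(self, code_lifetime=AUTH_CODE_LIFETIME):
        self.code_lifetime = code_lifetime
        self.codes = {}  # code -> (challenge, issued_at)

    def authorize(self, challenge, now):
        """Step 1: consent given; issue a code bound to the client's challenge."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (challenge, now)
        return code

    def exchange(self, code, verifier, now):
        """Step 2: trade code + verifier for tokens, or raise ValueError."""
        entry = self.codes.pop(code, None)  # assumption: any attempt burns the code
        if entry is None:
            raise ValueError("unknown or already used code")
        challenge, issued_at = entry
        if now - issued_at > self.code_lifetime:
            raise ValueError("authorization code expired")
        if not secrets.compare_digest(s256(verifier), challenge):
            raise ValueError("PKCE verifier mismatch")
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TOKEN_LIFETIME}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    server = AuthServer()
    code = server.authorize(challenge, now=0)
    print(server.exchange(code, verifier, now=30)["expires_in"])
    try:
        server.exchange(code, verifier, now=31)  # replay of the same code
    except ValueError as err:
        print("rejected:", err)
```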

Tools

Database Reader

  • Query Timeout (seconds): maximum execution time for SQL queries. If a query exceeds this limit, it is terminated. Valid range: 1–300 seconds. Default: 30.

  • Table Access Mode: defines how the table patterns list is interpreted.

    • Blacklist (default): tables matching the patterns are blocked. All other tables are accessible.
    • Whitelist: only tables matching the patterns are accessible. All other tables are blocked.
  • Table Patterns: one pattern per line. Use * as a wildcard (e.g., sales_*, customer_entity).

  • Include Default Security Blacklist: enables a built-in list of patterns that block access to sensitive tables (admin credentials, OAuth secrets, sessions, etc.). Default: Yes.

  • Default Blacklist Patterns (read-only): displayed when the default blacklist is enabled. Shows all built-in patterns that protect sensitive tables.

For details on how table access control works, see the Database Reader page.


Logging

  • Enable Request Logging: enables logging of all MCP requests. Useful for debugging and monitoring AI client activity. Default: No.

  • Log Level: controls the amount of detail captured in logs.

    • Basic: logs the method name, tool name, status (success/error), execution time, and IP address.
    • Detailed: includes everything from Basic, plus the request arguments sent by the AI client.
    • Debug: includes everything from Detailed, plus the full response data returned to the AI client.

    Default: Basic.

Note: The Debug level may generate large log entries, especially for tools that return significant amounts of data (e.g., database queries or REST API responses). Use it only for troubleshooting.

  • Log Retention (Days): number of days to keep log entries. Set to 0 to keep logs indefinitely. Default: 30.