Settings
All settings on this page are located at Stores -> Configuration -> Mirasvit Extensions -> MCP Server.
For tool-specific settings (e.g., Database Reader), see the MCP Tools Settings page.
To apply changes, clear the Magento cache after modifying these settings.
General Settings
- Enable MCP Server: master switch for the MCP server endpoint. When set to No, AI clients will not be able to connect, and the MCP endpoint (/mcp/server/handle) will return an error. Default: Yes.
Security
- Allowed IP Addresses: restricts which IP addresses can access the MCP endpoint. Enter one IP address per line. When empty (default), all IPs are allowed.
IP restriction is applied before OAuth authentication. If a request comes from a non-allowed IP, it is rejected immediately without checking the OAuth token.
Even when no IP restriction is configured, every request still requires a valid OAuth access token.
Authentication
AI Agent Connector uses OAuth 2.1 with PKCE for authentication. AI clients never receive your admin password — they get a scoped access token through the OAuth authorization flow.
- Access Token Lifetime (seconds): how long an access token remains valid after being issued. After expiry, the AI client automatically uses its refresh token to get a new access token. No manual action is required. Default: 3600 (1 hour).
- Refresh Token Lifetime (seconds): how long the client stays "connected" without the admin user needing to re-authorize. Once the refresh token expires, the AI client must go through the authorization flow again. Default: 2592000 (30 days).
- Authorization Code Lifetime (seconds): how long the one-time authorization code is valid between when the admin clicks Authorize on the consent screen and when the AI client exchanges it for tokens. Default: 600 (10 minutes).
- Require User Consent: controls whether the admin sees a consent screen showing which tools and permissions the AI client is requesting before authorization is granted. When set to No, authorization is granted immediately. Default: Yes.
Token lifecycle
The OAuth flow works as follows:
- Authorization: the AI client opens a browser window. The admin sees a consent screen and clicks Authorize. An authorization code is generated (valid for the configured lifetime).
- Token exchange: the AI client exchanges the authorization code for an access token and a refresh token.
- API access: the AI client uses the access token for every MCP request.
- Automatic refresh: when the access token expires, the AI client automatically uses the refresh token to get a new access token. This happens transparently.
- Re-authorization: when the refresh token expires, the admin must authorize the client again through the consent flow.
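The token lifecycle above, as an added Python sketch (not the extension's code): a hypothetical in-memory authorization server that applies the default lifetimes from this page and standard PKCE S256 verification from RFC 7636. The names `ToyAuthServer`, `s256`, `authorize`, `exchange` and `refresh_access` are assumptions, as are consuming the code on a failed exchange and keeping the refresh token's original expiry on refresh.

```python
import base64, hashlib, hmac, secrets

# Default lifetimes from the settings above, in seconds.
CODE_TTL, ACCESS_TTL, REFRESH_TTL = 600, 3600, 2592000

def s256(verifier: str) -> str:
    """PKCE S256 challenge (RFC 7636): base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Hypothetical in-memory model of the flow; not the extension's code."""

    def __init__(self):
        self.codes = {}    # authorization code -> (challenge, expires_at)
        self.refresh = {}  # refresh token -> expires_at

    def _access(self, now):
        return {"access_token": secrets.token_urlsafe(32),
                "access_expires_at": now + ACCESS_TTL}

    def authorize(self, challenge, now):
        # Authorization: admin clicked Authorize; bind the code to the challenge.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (challenge, now + CODE_TTL)
        return code

    def exchange(self, code, verifier, now):
        # Token exchange. pop() makes the code one-time; as an assumption of
        # this sketch, a failed attempt also consumes it.
        challenge, expires_at = self.codes.pop(code, (None, 0))
        if challenge is None or now >= expires_at:
            return None
        if not hmac.compare_digest(s256(verifier), challenge):
            return None  # caller does not hold the verifier behind the challenge
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = now + REFRESH_TTL
        return {**self._access(now), "refresh_token": refresh_token}

    def refresh_access(self, refresh_token, now):
        # Automatic refresh: new access token while the refresh token is live.
        # None means re-authorization through the consent flow is required.
        if now >= self.refresh.get(refresh_token, 0):
            return None
        return self._access(now)

if __name__ == "__main__":
    server, verifier = ToyAuthServer(), secrets.token_urlsafe(32)  # constructed
    code = server.authorize(s256(verifier), now=0)
    print(server.exchange(code, "guessed-verifier", now=5))  # wrong verifier
```

Time is passed in as `now` so the expiry boundaries can be exercised without waiting.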
Logging
- Enable Request Logging: enables logging of all MCP requests. Useful for debugging and monitoring AI client activity. Default: No.
- Log Level: controls the amount of detail captured in logs.
  - Basic: logs the method name, tool name, status (success/error), execution time, and IP address.
  - Detailed: includes everything from Basic, plus the request arguments sent by the AI client.
  - Debug: includes everything from Detailed, plus the full response data returned to the AI client.
  Default: Basic.
The Debug level may generate large log entries, especially for tools that return significant amounts of data (e.g., database queries or REST API responses). Use it only for troubleshooting.
- Log Retention (Days): number of days to keep log entries. Set to 0 to keep logs indefinitely. Default: 30.