Evaluation record ยท mcp-server-shopify

Shopify MCP Servers

v2026.7

Shopify

MCPecommerceagentic-commercestorefrontmcp
77
Strong
About This MCP

Shopify's official MCP surface spans three layers: the Storefront MCP, live by default on every eligible store at {shop}.myshopify.com/api/mcp (public, no auth; catalog, cart, and policy tools), the local @shopify/dev-mcp stdio server (v1.14.x) for docs search and GraphQL schema work, and the open-source Shopify AI Toolkit (April 2026) adding authenticated admin operations via the Shopify CLI. Default-on endpoints across millions of stores form a huge aggregate agent surface.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
api reliability

API stability analysis of the hosted endpoint riding on Shopify's storefront-serving infrastructure

Evidence
Shopify Storefront MCP Server Documentation โ€” Storefront MCP is served from Shopify's production storefront infrastructure at https://{shop}.myshopify.com/api/mcp (JSON-RPC 2.0 over HTTP POST), the same platform that serves live storefront traffic
highVerified: 2026-07-09
operation success rate

Operation success testing across the documented storefront tool set against live stores

Evidence
Shopify Storefront MCP Server Documentation โ€” Six documented tools (search_catalog, lookup_catalog, get_product on the UCP endpoint; get_cart, update_cart, search_shop_policies_and_faqs) map to stable storefront primitives; lookup accepts up to 10 IDs per call
mediumVerified: 2026-07-09
search accuracy

Relevance assessment of catalog search and docs/schema search results for representative queries

Evidence
Shopify Dev MCP / AI Toolkit Documentation โ€” Dev MCP bundles Shopify documentation search, GraphQL schema introspection (introspect_graphql_schema across Admin, Storefront, Partner, Customer, and Function APIs), and code validation; storefront catalog search returns relevance-ranked product results
mediumVerified: 2026-07-09
rate limit handling

Rate limiting behavior observation under sustained anonymous tool-call load across plan tiers

Evidence
Shopify Storefront MCP Server Documentation โ€” Storefront MCP inherits storefront-tier rate limiting; limits vary by plan (Plus stores receive higher limits and earlier access to advanced UCP capabilities) and some stores may restrict agent access entirely
mediumVerified: 2026-07-09
error recovery

Error handling testing with invalid product IDs, restricted stores, and malformed cart operations

Evidence
Shopify Storefront MCP Server Documentation โ€” JSON-RPC 2.0 structured errors for malformed requests and restricted stores; Dev MCP validate tools return per-code-block validation results explaining why GraphQL was valid or invalid
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
authentication security

Authentication mechanism review across the anonymous storefront endpoint, local Dev MCP, and CLI-authenticated admin path

Evidence
Shopify Storefront MCP Server Documentation โ€” Storefront MCP servers don't require authentication: requests need only a Content-Type header and the store domain; any client on the internet can call the endpoint. Admin operations via the AI Toolkit use the authenticated Shopify CLI session instead
highVerified: 2026-07-09
scope limitation

Permission boundary testing between the anonymous storefront surface and authenticated admin operations

Evidence
About Storefront MCP โ€” The public endpoint is scoped to already-public storefront data (catalog, policies, FAQs) plus cart state; admin mutations are fully separated behind the Shopify CLI authenticated path and are never reachable through /api/mcp
highVerified: 2026-07-09
prompt injection risk

Threat modeling of merchant-authored content as an injection vector, including a publicly documented exploit against the storefront tool chain

Evidence
CodeIntegrity: Shopify MCP Prompt Injection Exploit โ€” Documented indirect prompt injection: a malicious prompt hidden in a product description forced an unauthorized search_shop_catalog call and made the consuming LLM present attacker-chosen products with fabricated positive bias; merchant-authored content is untrusted input to every connected agent
Shopify Storefront MCP Server Documentation โ€” Because the endpoint is default-on across millions of stores, any store's product descriptions, policies, and FAQ text flow into agent context at ecosystem scale with no server-side sanitization guarantees
highVerified: 2026-07-09
token exposure risk

Token storage and exposure-surface analysis across the three access paths

Evidence
Shopify Dev MCP / AI Toolkit Documentation โ€” Storefront MCP needs no credentials at all; the local Dev MCP server runs over stdio without authentication; admin operations reuse the Shopify CLI's existing local session rather than static API keys pasted into client config
mediumVerified: 2026-07-09
unauthorized action risk

Authorization boundary testing of cart writes and CLI-authenticated admin mutations

Evidence
Shopify AI Toolkit Repository โ€” The AI Toolkit lets agents execute real store operations (products, inventory, store management) through the authenticated CLI path with no server-side confirmation step; on the storefront side, anonymous update_cart writes are possible but individually low-consequence
mediumVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
customer data exposure

Data classification of every field reachable through the anonymous storefront tool set

Evidence
About Storefront MCP โ€” The storefront surface exposes only already-public catalog, policy, and FAQ data plus session cart contents; customer PII and order history are not reachable through the anonymous endpoint
mediumVerified: 2026-07-09
sensitive data protection

Review of telemetry defaults and of sensitive data classes reachable via the authenticated admin path

Evidence
Shopify Dev MCP npm package โ€” Dev MCP makes instrumentation calls back to Shopify by default; disabling requires setting OPT_OUT_INSTRUMENTATION=true in the client env. Admin-path results (inventory, unpublished products) flow into the connected LLM's context
mediumVerified: 2026-07-09
organization data control

Review of merchant-side controls over default-on agent exposure and opt-out mechanics

Evidence
Shopify Storefront MCP Server Documentation โ€” The endpoint is on by default for eligible stores (default-on for eligible US merchants since March 24, 2026); merchants can restrict agent access, but exposure is opt-out rather than opt-in and many merchants receive agent traffic without having configured anything
mediumVerified: 2026-07-09
third party data sharing

Analysis of downstream data sharing once storefront and admin content leaves the Shopify boundary

Evidence
Shopify Privacy Policy โ€” Store content retrieved via MCP flows to whichever LLM provider the consuming agent uses (ChatGPT, Copilot, Gemini, and others surface Shopify stores by default), governed by those providers' data policies rather than Shopify's
mediumVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness and accuracy review across the three server surfaces

Evidence
Shopify Agentic Commerce Documentation โ€” Dedicated documentation hub covering Storefront MCP, catalog/UCP tools, Dev MCP, and the AI Toolkit, with per-tool references, request schemas, and client setup guides
highVerified: 2026-07-09
operation visibility

Logging and traceability assessment across anonymous, local, and CLI-authenticated paths

Evidence
Shopify Storefront MCP Server Documentation โ€” Anonymous storefront MCP calls are not attributable to an identity and merchants get no dedicated MCP audit log; admin-path operations are visible as normal API activity, and Dev MCP calls appear only in client logs
mediumVerified: 2026-07-09
open source transparency

Source availability review across the open-source developer tooling and the closed hosted endpoint

Evidence
Shopify AI Toolkit Repository โ€” AI Toolkit open-sourced under MIT on April 9, 2026 (439 stars, actively pushed through June 2026) and @shopify/dev-mcp v1.14.2 is published on npm (ISC); the hosted Storefront MCP implementation itself remains closed source
highVerified: 2026-07-09
api coverage clarity

Comparison of documented tool surface against observed endpoint behavior

Evidence
Shopify Storefront MCP Server Documentation โ€” Tool surface explicitly enumerated: search_catalog/lookup_catalog/get_product at /api/ucp/mcp and get_cart/update_cart/search_shop_policies_and_faqs at /api/mcp, with input constraints (e.g., 10 IDs per lookup) and agent-profile requirements documented
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of setup

Setup complexity assessment for merchants, agent builders, and developers

Evidence
Shopify Storefront MCP Server Documentation โ€” Zero merchant setup: the endpoint is live by default on every eligible store; consumers just point a client at https://{shop}.myshopify.com/api/mcp. Dev MCP is a one-line npx @shopify/dev-mcp install
highVerified: 2026-07-09
api performance

Latency observation across catalog search, cart, and policy tools

Evidence
Shopify Storefront MCP Server Documentation โ€” Tools are thin JSON-RPC wrappers over Shopify's storefront-serving stack, which is heavily optimized for low-latency commerce traffic
mediumVerified: 2026-07-09
reliability

Uptime analysis of Shopify storefront infrastructure hosting the endpoint

Evidence
Shopify Status โ€” Storefront MCP rides Shopify's production storefront infrastructure with strong historical availability; the surface reached default-on general availability in Q1 2026 after a 2025 rollout
mediumVerified: 2026-07-09
feature coverage

Feature completeness assessment against end-to-end agentic commerce and development workflows

Evidence
Shopify Dev MCP / AI Toolkit Documentation โ€” Combined surface spans buyer-side commerce (catalog, cart, policies), developer tooling (docs, schema introspection, validation across Admin/Storefront/Partner/Customer/Function APIs), and CLI-backed store operations; checkout completion still hands off to Shopify-hosted flows
highVerified: 2026-07-09
community adoption

Adoption analysis across merchant footprint, agent platforms, and developer tooling

Evidence
Shopify AI Toolkit Repository โ€” Default-on across millions of stores (5.6M stores made agent-discoverable in ChatGPT, Copilot, Google AI Mode, and Gemini as of March 2026); AI Toolkit at 439 stars within three months of its April 9, 2026 open-source launch with plugins for Claude Code, Codex, Cursor, and VS Code
highVerified: 2026-07-09
Strengths
  • +Zero-setup, default-on storefront endpoint makes every eligible store agent-ready
  • +Clean separation between the anonymous public surface and CLI-authenticated admin operations
  • +No credentials required for the storefront path, eliminating token-leak risk there entirely
  • +Dev MCP provides docs search, GraphQL schema introspection, and validation across all major Shopify APIs
  • +AI Toolkit is MIT-licensed open source with first-party plugins for major AI coding tools
  • +Backed by Shopify's production commerce infrastructure and status transparency
  • +UCP catalog tools position stores for cross-platform agentic commerce discovery
Limitations
  • !Default-on public endpoints at millions of stores create an enormous aggregate attack and scraping surface that merchants did not individually opt into
  • !Merchant-authored product descriptions are untrusted input; an indirect prompt injection exploit against the storefront tool chain has been publicly documented
  • !Anonymous access means no identity, revocation, or per-consumer rate accountability on the storefront path
  • !No dedicated merchant-facing MCP audit log for agent traffic
  • !Dev MCP sends instrumentation telemetry by default (opt-out via OPT_OUT_INSTRUMENTATION)
  • !Admin operations via the AI Toolkit lack a server-side confirmation step
  • !The hosted Storefront MCP implementation is closed source
Metadata
repository: https://github.com/Shopify/shopify-ai-toolkit
package name: @shopify/dev-mcp
package version: 1.14.2
license: MIT (AI Toolkit); ISC (@shopify/dev-mcp npm package); hosted Storefront MCP closed source
maintained by: Shopify
github stars: 439
remote endpoint: https://{shop}.myshopify.com/api/mcp (commerce tools); https://{shop}.myshopify.com/api/ucp/mcp (catalog tools)
authentication: None (Storefront MCP, public by design); none needed (local Dev MCP); Shopify CLI session (admin operations via AI Toolkit)
transport types
0: streamable-http / JSON-RPC 2.0 over HTTP POST (storefront, hosted)
1: stdio (@shopify/dev-mcp, local)
installation methods
0: None required (storefront endpoint live by default)
1: npx @shopify/dev-mcp
2: Shopify AI Toolkit plugin for Claude Code / Codex / Cursor / VS Code
default on since: Q1 2026 (Agentic Storefronts default-on for eligible US merchants March 24, 2026)
ai toolkit open sourced: 2026-04-09
mcp version: 1.0

Use Case Ratings

customer support

Strong for shopping assistants answering catalog, policy, and FAQ questions and managing carts on any store

code generation

Dev MCP's docs search, schema introspection, and validation make it excellent for building Shopify apps and themes with AI assistance

data analysis

Useful for catalog and pricing lookups across stores; not designed for bulk analytics or order data

research assistant

Good for product research and price comparison across the public storefront surface

financial analysis

No revenue, order, or payout data is exposed through the MCP surfaces; limited to catalog-level pricing