Additional menu

Get MemberPress today! Start getting paid for the content you create! Get MemberPress Now
  1. Home
  2. Knowledge Base
  3. Developer Documentation
  4. MCP
  5. Connecting AI Clients to MemberPress – Developer Reference

Connecting AI Clients to MemberPress – Developer Reference

MemberPress AI Foundation accepts AI client connections through three authentication methods. OAuth 2.1 with PKCE serves interactive clients such as Claude Desktop. Bearer tokens serve command-line and headless clients. WordPress Application Passwords provide a read-only fallback.

This reference explains each method, the endpoints behind it, and the configuration each supported client requires. The MCP Setup Wizard drives most connections; this document covers what the wizard does and the manual paths around it.

End users connecting Claude Desktop should follow the Setting Up Claude Desktop With MemberPress walkthrough instead.

Connection Methods at a Glance

MethodBest forScope behaviorSetup path
OAuth 2.1 (PKCE)Claude Desktop, Cursor, interactive clientsScopes granted at approval, capped by the access ceilingWizard → client Connectors UI → browser approval
Bearer tokenClaude Code (CLI), scripts, PostmanScopes granted at generation, capped by the access ceilingWizard → Bearer Token panel
Application PasswordRead-only fallback, legacy REST toolingHardcoded read-onlyWordPress user profile

All three methods produce a token record the MCP server validates on every request. The server enforces scopes and WordPress capabilities before dispatching any tool call. See the Agent Safety Measures Reference for the enforcement model.

Prerequisites

  • MemberPress AI Foundation installed and active;
  • A WordPress account in a role permitted to connect. Administrator is always permitted; the MCP Access Roles setting on the MCP Settings tab governs which other roles may connect AI clients, and per-user overrides can be managed with the Members plugin;
  • HTTPS on production sites. OAuth 2.1 requires HTTPS;
  • The MCP server endpoint: https://yourdomain.com/wp-json/mp-mcp/v1/mcp.

Important: The Token Expiration setting on the MCP Settings tab controls how long tokens remain valid before requiring re-authentication. It is a dropdown with four options: Never (default), 30 days, 90 days, and 1 year. Sites with strict security policies should set an expiration period.

OAuth 2.1 with PKCE

OAuth 2.1 with PKCE (S256) is the primary connection method. The setup wizard and the client's connector interface handle the full flow. No client secret is required.

The Flow

  1. The administrator copies the MCP server URL from the wizard's Connect step;
  2. The client registers the server (for example, Claude Desktop's Add custom connector dialog). The OAuth Client ID and Client Secret fields remain blank — the server supports dynamic client registration (RFC 7591);
  3. The client initiates the connection. A browser window opens the Authorize Application screen on the WordPress site;
  4. The screen displays the application name, the access level, and the redirect destination. The administrator clicks Approve;
  5. The browser shows a Connected confirmation. The client receives its token and loads the tool list.

The approval screen displays access as a plain label, not technical scope strings: “Read-only access” for a read-only grant, “Full access (read and write)” when the connection carries writes — multiple write scopes aggregate into the single full-access label. A Deny button cancels the flow.

OAuth Endpoints

The server registers these OAuth endpoints under mp-mcp/v1:

EndpointPurpose
/authorizeAuthorization code request (browser side)
/tokenExchanges the authorization code plus PKCE verifier for a Bearer token
/revokeToken revocation
OAuth discoveryAdvertises supported methods; code_challenge_methods_supported: ["S256"]
Dynamic client registrationRFC 7591 registration for clients without pre-shared credentials

PKCE enforcement is strict. The server validates code_challenge_method === "S256" and rejects any other value. The token exchange validates the code_verifier against the stored challenge.

Note: The server re-caps the authorization code's scope against the access ceiling at token issuance. Tightening the ceiling between /authorize and /token narrows the issued token.

Registration Rate Limit

The /register endpoint accepts 60 registrations per hour per IP. AI clients often register a new OAuth client on every connection attempt, and shared origin IPs can register frequently. A 429 response carries a Retry-After: 3600 header.

Redirect URI Allowlist

Dynamic client registration enforces a redirect-URI allowlist curated for known AI clients (for example, Claude.ai and Claude Desktop). A registration request that presents a redirect URI not on the allowlist is rejected with invalid_redirect_uri (“No valid redirect URIs provided.”). A third-party tool that cannot present an allowlisted callback — Postman, for instance — therefore cannot complete the OAuth flow and should use a Bearer token instead.

Bearer Tokens

Bearer tokens suit clients that cannot complete a browser approval flow: command-line tools, CI environments, and API testing tools such as Postman.

Generating a Token

  1. Open MemberPress > AI Settings > MCP Setup Wizard;
  2. Proceed to the Connect step;
  3. Expand Need a Bearer Token? (Manual Setup) (shown with the note “If OAuth is not working with your client…”);
  4. Enter a client name (the field defaults to “AI Assistant”). The name identifies the connection on the MCP Connected Clients tab;
  5. Click Generate Bearer Token and copy the token.

The token displays once. The panel warns that the token will not be shown again — the server stores only a hash, and the plaintext is returned exactly one time. Copy it before leaving the panel.

The panel also produces a ready-made configuration block for mcp-remote-based clients:

{
  "mcpServers": {
    "memberpress": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "<MCP_URL>", "--header", "Authorization: Bearer <TOKEN>"]
    }
  }
}

On a site served over http://, the panel inserts --allow-http into the args array. The wizard's Claude Code (CLI) setup instructions show the registration command, reproduced below.

Using the Token

Send the token in the Authorization header on every request:

# Call the MCP server with a Bearer token
curl -X POST https://yourdomain.com/wp-json/mp-mcp/v1/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Replace YOUR_TOKEN with the generated token and yourdomain.com with the site domain.

Claude Code registers the server with a Bearer token in one command:

# Register MemberPress in Claude Code (CLI)
claude mcp add --transport http --scope user \
  --header="Authorization: Bearer YOUR_TOKEN" \
  memberpress "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"

Warning: A Bearer token grants its full scope to anyone who holds it. Store tokens securely and revoke any token that may have leaked from the MCP Connected Clients tab.

Application Passwords

WordPress Application Passwords provide a read-only fallback when OAuth is unavailable. AI Foundation caps every Application Password connection at read scope regardless of the user's capabilities. WordPress Application Passwords carry no per-password scope vocabulary, so the cap prevents a stale password created for another integration from carrying write access into MCP.

Connecting

  1. Open Users > Profile in the WordPress admin;
  2. Scroll to Application Passwords and create a password named for the client;
  3. Copy the generated password. WordPress displays it once;
  4. Configure the client with HTTP Basic authentication: the WordPress username and the Application Password.

The server expects standard HTTP Basic authentication: an Authorization: Basic <base64> header encoding the WordPress username and the Application Password, per WordPress convention.

The connection appears on the MCP Connected Clients tab as Application Password: [username] after the first authenticated request — creating the Application Password alone produces no row. After that, the row's Last Used timestamp updates at most hourly.

Warning: Revoking an Application Password connection from the MCP Connected Clients tab deletes every WordPress Application Password the user holds, not only the MCP connection. Other REST integrations using that user's Application Passwords stop working. The revocation dialog states this before proceeding. To remove a single Application Password, use Users > Profile > Application Passwords instead.

Per-Client Configuration

The wizard's Connect step provides ready-made instructions for five clients plus the Bearer Token fallback. The blocks below reproduce the canonical configuration for each, using a placeholder domain in place of the live site URL.

Claude Desktop

Claude Desktop connects through its Connectors interface. No configuration file editing is required:

  1. Open Claude Desktop and go to Customize > Connectors;
  2. Click the + button and choose Add custom connector;
  3. Enter a name (for example, “MemberPress”) and paste the MCP server URL;
  4. Leave the optional OAuth Client ID and Client Secret fields blank (they sit collapsed under Advanced settings);
  5. Click Add, then Connect, and approve in the browser.

The full end-user walkthrough with screenshots lives in Setting Up Claude Desktop With MemberPress.

Cursor

  1. Open Cursor Settings > MCP;
  2. Click Add new MCP server;
  3. Set the type to URL and paste the MCP server URL;
  4. Complete the OAuth approval in the browser window that opens.

VS Code (GitHub Copilot)

Add the server to .vscode/mcp.json:

{
  "servers": {
    "memberpress": {
      "type": "http",
      "url": "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"
    }
  }
}

Windsurf

Add the server to ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "memberpress": {
      "serverUrl": "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"
    }
  }
}

Claude Code (CLI)

Claude Code requires a Bearer token. Generate one from the wizard's Bearer Token panel, then run the registration command shown in the Bearer Tokens section above.

Managing Connections

The MCP Connected Clients tab lists every connection, including revoked ones (Status shows Active or Revoked). Its columns are Client Name, Owner, Access Level, Connected, Last Used, Status, and Actions. An authentication chip marks how each connection was issued — OAUTH for connector flows, WIZARD for wizard-generated Bearer tokens, APP PASSWORD for Application Password sessions. OAuth rows are named by their generated client identifier (mcp_…); wizard Bearer rows carry the client name entered at generation, so name the token something recognizable.

The Access Level column renders one chip per granted scope, in the wizard's bucket language (Read, Edit Content, Manage Members, Billing, Imports, Webhooks, Courses). A full-access connection shows two chips — Read and Full Access — because the token stores the read scope alongside the full meta-scope. The Revoke action notes the model directly: to change a connection's scopes, revoke and re-issue.

Revoking a connection takes effect on the next request: the server validates the token once per request, so a call already past that check runs to completion, and the revocation is observed on the request that follows. OAuth and Bearer revocations affect only the selected token. Application Password revocations carry the broader deletion behavior described above.

Disconnecting inside a client does not close the connection here. A row stays Active until it is revoked on this tab — Claude Desktop's local Disconnect, for example, does not notify the site. A standard revocation endpoint (/wp-json/mp-mcp/v1/revoke, RFC 7009, advertised in the OAuth discovery metadata) exists, but it fires only when a client proactively calls it.

The access ceiling (“Maximum access level for new connections” on the MCP Settings tab) caps the scopes any new connection receives. The ceiling applies at issuance only — existing connections keep their granted scopes. See the Agent Safety Measures Reference for the ceiling's enforcement paths.

Troubleshooting Connections

  • The browser approval never opens: confirm the site is publicly reachable and uses HTTPS. The wizard's Connect step displays a reachability banner;
  • 401 Unauthorized on every call: the token is missing, malformed, expired, or revoked. An expired token returns the distinct token_expired code; other failures return auth_required. The MCP route's 401 responses carry a WWW-Authenticate header (Bearer realm="mcp" plus a resource_metadata URL). Generate a new token or reconnect;
  • step=start_error in Claude Desktop's connector flow: OAuth registration is rate-limited to 60 attempts per hour per IP. A burst of reconnection attempts (or several clients behind one IP) can hit the limit. Wait for the window to reset — the response carries Retry-After: 3600 — and retry;
  • Write tools rejected on a working connection: the connection's scope or the token owner's WordPress capability does not permit the tool. See MCP Errors and Troubleshooting.
Was this article helpful?

Related Articles

computer girl

Get MemberPress today!

Start getting paid for the content you create.