MemberPress AI Foundation accepts AI client connections through three authentication methods. OAuth 2.1 with PKCE serves interactive clients such as Claude Desktop. Bearer tokens serve command-line and headless clients. WordPress Application Passwords provide a read-only fallback.
This reference explains each method, the endpoints behind it, and the configuration each supported client requires. The MCP Setup Wizard drives most connections; this document covers what the wizard does and the manual paths around it.
End users connecting Claude Desktop should follow the Configuración de Claude Desktop con MemberPress walkthrough instead.
Connection Methods at a Glance
| Method | Best for | Scope behavior | Setup path |
|---|---|---|---|
| OAuth 2.1 (PKCE) | Claude Desktop, Cursor, interactive clients | Scopes granted at approval, capped by the access ceiling | Wizard → client Connectors UI → browser approval |
| Bearer token | Claude Code (CLI), scripts, Postman | Scopes granted at generation, capped by the access ceiling | Wizard → Bearer Token panel |
| Application Password | Read-only fallback, legacy REST tooling | Hardcoded read-only | WordPress user profile |
All three methods produce a token record the MCP server validates on every request. The server enforces scopes and WordPress capabilities before dispatching any tool call. See the Agent Safety Measures Reference for the enforcement model.
Requisitos previos
- MemberPress AI Foundation installed and active;
- A WordPress account in a role permitted to connect. Administrator is always permitted; the MCP Access Roles setting on the MCP Settings tab governs which other roles may connect AI clients, and per-user overrides can be managed with the Members plugin;
- HTTPS on production sites. OAuth 2.1 requires HTTPS;
- The MCP server endpoint:
https://yourdomain.com/wp-json/mp-mcp/v1/mcp.
OAuth 2.1 with PKCE
OAuth 2.1 with PKCE (S256) is the primary connection method. The setup wizard and the client's connector interface handle the full flow. No client secret is required.
The Flow
- The administrator copies the MCP server URL from the wizard's Connect step;
- The client registers the server (for example, Claude Desktop's Add custom connector dialog). The OAuth Client ID and Client Secret fields remain blank — the server supports dynamic client registration (RFC 7591);
- The client initiates the connection. A browser window opens the Authorize Application screen on the WordPress site;
- The screen displays the application name, the access level, and the redirect destination. The administrator clicks Aprobar;
- The browser shows a Conectado confirmation. The client receives its token and loads the tool list.
The approval screen displays access as a plain label, not technical scope strings: “Read-only access” for a read-only grant, “Full access (read and write)” when the connection carries writes — multiple write scopes aggregate into the single full-access label. A Deny button cancels the flow.
OAuth Endpoints
The server registers these OAuth endpoints under mp-mcp/v1:
| Endpoint | Purpose |
|---|---|
/authorize | Authorization code request (browser side) |
/token | Exchanges the authorization code plus PKCE verifier for a Bearer token |
/revoke | Token revocation |
| OAuth discovery | Advertises supported methods; code_challenge_methods_supported: ["S256"] |
| Dynamic client registration | RFC 7591 registration for clients without pre-shared credentials |
PKCE enforcement is strict. The server validates code_challenge_method === "S256" and rejects any other value. The token exchange validates the code_verifier against the stored challenge.
Registration Rate Limit
En /registrarse endpoint accepts 60 registrations per hour per IP. AI clients often register a new OAuth client on every connection attempt, and shared origin IPs can register frequently. A 429 response carries a Retry-After: 3600 header.
Redirect URI Allowlist
Dynamic client registration enforces a redirect-URI allowlist curated for known AI clients (for example, Claude.ai and Claude Desktop). A registration request that presents a redirect URI not on the allowlist is rejected with invalid_redirect_uri (“No valid redirect URIs provided.”). A third-party tool that cannot present an allowlisted callback — Postman, for instance — therefore cannot complete the OAuth flow and should use a Bearer token instead.
Bearer Tokens
Bearer tokens suit clients that cannot complete a browser approval flow: command-line tools, CI environments, and API testing tools such as Postman.
Generating a Token
- Abrir MemberPress > AI Settings > MCP Setup Wizard;
- Proceed to the Conectar step;
- Expand Need a Bearer Token? (Manual Setup) (shown with the note “If OAuth is not working with your client…”);
- Enter a client name (the field defaults to “AI Assistant”). The name identifies the connection on the MCP Connected Clients tab;
- Haga clic en Generate Bearer Token and copy the token.
The token displays once. The panel warns that the token will not be shown again — the server stores only a hash, and the plaintext is returned exactly one time. Copy it before leaving the panel.
The panel also produces a ready-made configuration block for mcp-remote-based clients:
{
"mcpServers": {
"memberpress": {
"command": "npx",
"args": ["-y", "mcp-remote", "<MCP_URL>", "--header", "Authorization: Bearer <TOKEN>"]
}
}
}
On a site served over http://, the panel inserts --allow-http en el args array. The wizard's Claude Code (CLI) setup instructions show the registration command, reproduced below.
Using the Token
Send the token in the Autorización header on every request:
# Call the MCP server with a Bearer token
curl -X POST https://yourdomain.com/wp-json/mp-mcp/v1/mcp \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_TOKEN" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
Sustituir YOUR_TOKEN with the generated token and tudominio.com with the site domain.
Claude Code registers the server with a Bearer token in one command:
# Register MemberPress in Claude Code (CLI)
claude mcp add --transport http --scope user \
--header="Authorization: Bearer YOUR_TOKEN" \
memberpress "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"
Contraseñas de aplicaciones
WordPress Application Passwords provide a read-only fallback when OAuth is unavailable. AI Foundation caps every Application Password connection at read scope regardless of the user's capabilities. WordPress Application Passwords carry no per-password scope vocabulary, so the cap prevents a stale password created for another integration from carrying write access into MCP.
Connecting
- Abrir Users > Profile in the WordPress admin;
- Desplácese hasta Contraseñas de aplicaciones and create a password named for the client;
- Copy the generated password. WordPress displays it once;
- Configure the client with HTTP Basic authentication: the WordPress username and the Application Password.
The server expects standard HTTP Basic authentication: an Authorization: Basic <base64> header encoding the WordPress username and the Application Password, per WordPress convention.
The connection appears on the MCP Connected Clients tab as Application Password: [username] after the first authenticated request — creating the Application Password alone produces no row. After that, the row's Last Used timestamp updates at most hourly.
Per-Client Configuration
The wizard's Connect step provides ready-made instructions for five clients plus the Bearer Token fallback. The blocks below reproduce the canonical configuration for each, using a placeholder domain in place of the live site URL.
Claude Desktop
Claude Desktop connects through its Connectors interface. No configuration file editing is required:
- Open Claude Desktop and go to Customize > Connectors;
- Haga clic en el botón + button and choose Add custom connector;
- Enter a name (for example, “MemberPress”) and paste the MCP server URL;
- Leave the optional OAuth Client ID and Client Secret fields blank (they sit collapsed under Advanced settings);
- Haga clic en Añadirentonces Conectar, and approve in the browser.
The full end-user walkthrough with screenshots lives in Configuración de Claude Desktop con MemberPress.
Cursor
- Abrir Cursor Settings > MCP;
- Haga clic en Add new MCP server;
- Set the type to URL and paste the MCP server URL;
- Complete the OAuth approval in the browser window that opens.
VS Code (GitHub Copilot)
Add the server to .vscode/mcp.json:
{
"servers": {
"memberpress": {
"type": "http",
"url": "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"
}
}
}
Windsurf
Add the server to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"memberpress": {
"serverUrl": "https://yourdomain.com/wp-json/mp-mcp/v1/mcp"
}
}
}
Claude Code (CLI)
Claude Code requires a Bearer token. Generate one from the wizard's Bearer Token panel, then run the registration command shown in the Bearer Tokens section above.
Managing Connections
En MCP Connected Clients tab lists every connection, including revoked ones (Status shows Activo o Revoked). Its columns are Client Name, Propietario, Access Level, Conectado, Last Used, Estadoy Acciones. An authentication chip marks how each connection was issued — OAUTH for connector flows, WIZARD for wizard-generated Bearer tokens, APP PASSWORD for Application Password sessions. OAuth rows are named by their generated client identifier (mcp_…); wizard Bearer rows carry the client name entered at generation, so name the token something recognizable.
En Access Level column renders one chip per granted scope, in the wizard's bucket language (Read, Edit Content, Manage Members, Billing, Imports, Webhooks, Courses). A full-access connection shows two chips — Leer y Full Access — because the token stores the read scope alongside the full meta-scope. The Revocar action notes the model directly: to change a connection's scopes, revoke and re-issue.
Revoking a connection takes effect on the next request: the server validates the token once per request, so a call already past that check runs to completion, and the revocation is observed on the request that follows. OAuth and Bearer revocations affect only the selected token. Application Password revocations carry the broader deletion behavior described above.
Disconnecting inside a client does not close the connection here. A row stays Activo until it is revoked on this tab — Claude Desktop's local Disconnect, for example, does not notify the site. A standard revocation endpoint (/wp-json/mp-mcp/v1/revoke, RFC 7009, advertised in the OAuth discovery metadata) exists, but it fires only when a client proactively calls it.
The access ceiling (“Maximum access level for new connections” on the MCP Settings tab) caps the scopes any new connection receives. The ceiling applies at issuance only — existing connections keep their granted scopes. See the Agent Safety Measures Reference for the ceiling's enforcement paths.
Troubleshooting Connections
- The browser approval never opens: confirm the site is publicly reachable and uses HTTPS. The wizard's Connect step displays a reachability banner;
401 Unauthorizedon every call: the token is missing, malformed, expired, or revoked. An expired token returns the distincttoken_expiredcode; other failures returnauth_required. The MCP route's401responses carry aWWW-Authenticateheader (Bearer realm="mcp"plus aresource_metadataURL). Generate a new token or reconnect;step=start_errorin Claude Desktop's connector flow: OAuth registration is rate-limited to 60 attempts per hour per IP. A burst of reconnection attempts (or several clients behind one IP) can hit the limit. Wait for the window to reset — the response carriesRetry-After: 3600— and retry;- Write tools rejected on a working connection: the connection's scope or the token owner's WordPress capability does not permit the tool. See MCP Errors and Troubleshooting.
Related Documentation
- Guía general y de configuración de MemberPress AI Foundation — what AI Foundation provides, installation, and wizard overview;
- Referencia de herramientas MCP de MemberPress AI Foundation — the full tool catalog with scopes and capabilities per tool;
- Medidas de seguridad para los agentes de MemberPress AI Foundation — scopes, the access ceiling, confirmation tokens, and the kill switch;
- MemberPress AI Foundation MCP Errors and Troubleshooting — the complete error catalog;
- Configuración de Claude Desktop con MemberPress — end-user walkthrough for Claude Desktop.