mealie-mcp
This MCP server exposes the Mealie recipe manager REST API as tools, enabling an LLM to read and manage recipes, meal plans, shopping lists, cookbooks, households, and more.
Recipes: Create, read, update, delete, search, export, import, manage images/assets, comments, timeline, bulk actions, and parse ingredients.
Meal Plans: Create, read, update, delete meal plan entries; get today's meals; generate random meals based on rules; manage meal plan rules.
Shopping Lists: Create, read, update, delete shopping lists and items (individually or in bulk); add/remove recipe ingredients; manage label settings.
Cookbooks: Full CRUD operations, including bulk updates.
Households & Groups: View/update household and group preferences, members, permissions, statistics, and invite tokens; manage webhooks and event notifications.
Users: Get logged-in user info, update profile/password/image, manage API tokens, ratings, and favorites.
Authentication: Get token, OAuth login/callback, refresh token, logout.
Foods, Units & Organizers: Manage ingredient foods, units, categories, tags, and tools.
AI Providers: Create, read, update, delete AI providers and their settings.
Explore: Browse public recipes, categories, cookbooks, foods, households, tags, and tools.
App Info: Get application info, startup info, and theme settings.
Utilities: Parse ingredient text.
Provides tools for interacting with Mealie's REST API, enabling AI agents to manage recipes, meal plans, shopping lists, cookbooks, households, users, and other features of the Mealie self-hosted recipe manager.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mealie-mcpShow me my shopping list."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mealie-mcp
A Model Context Protocol (MCP) server for Mealie, the self-hosted recipe manager, meal planner and shopping-list app.
It exposes every endpoint of the Mealie REST API as an MCP tool, so an LLM (Claude, etc.) can read and manage your recipes, meal plans, shopping lists, cookbooks, households, users and more.
🧩 Broad API coverage, sane baseline — one tool per Mealie endpoint, trimmed to a safe baseline (~211 of ~259) so clients aren't overwhelmed and risky endpoints aren't reachable.
🔄 Auto-adapts to your Mealie version — on startup it fetches the OpenAPI schema from your instance, so the tools always match exactly what your server supports. A bundled snapshot is used as a fallback if the fetch fails.
🚀 Zero install — runs straight from
npx, ideal for MCPHub, Claude Desktop, Cursor, and any other MCP client.🔒 Safe by default — admin/server-ops endpoints are never exposed, plus read-only mode and per-category include/exclude filtering to narrow further.
🔑 Flexible auth — a static API token, or an OAuth2 client-credentials flow that fetches and refreshes access tokens for you.
Quick start
You need two things:
The base URL of your Mealie instance, e.g.
https://mealie.example.comA Mealie API token (see Getting an API token)
Run it with npx:
MEALIE_BASE_URL="https://mealie.example.com" \
MEALIE_API_TOKEN="your-long-lived-token" \
npx -y mealie-mcpThe server speaks MCP over stdio, so you normally won't run it by hand — your MCP client launches it for you using the config below.
Related MCP server: Mealie MCP Server
Client configuration
MCPHub / Claude Desktop / Cursor (generic MCP config)
Add an entry to your client's MCP servers config (for Claude Desktop this is
claude_desktop_config.json; MCPHub uses an equivalent mcpServers block):
{
"mcpServers": {
"mealie": {
"command": "npx",
"args": ["-y", "mealie-mcp"],
"env": {
"MEALIE_BASE_URL": "https://mealie.example.com",
"MEALIE_API_TOKEN": "your-long-lived-token"
}
}
}
}That's the only required configuration. Everything else is optional tuning.
Getting an API token
In Mealie:
Click your user avatar → Manage Your Profile.
Open the API Tokens section (
/user/profile/api-tokens).Create a token, give it a name, and copy it.
The token inherits the permissions of the user that created it, so create it
under a user/household with the access you want the LLM to have. To give the
model read-only-ish safety, also see MEALIE_READ_ONLY.
Configuration
All configuration is via environment variables.
Variable | Required | Default | Description |
| ✅ | — | Base URL of your Mealie instance, e.g. |
| – | — | Long-lived Mealie API token (sent as |
| – | — | IdP token endpoint. Setting this (plus client id/secret) enables the OAuth2 client-credentials flow, which takes precedence over |
| – | — | OAuth client id (required for the OAuth flow). |
| – | — | OAuth client secret (required for the OAuth flow). |
| – | — | Optional space-delimited OAuth scopes. |
| – | — | Optional OAuth audience (some IdPs, e.g. Auth0, need it to mint a Mealie-targeted token). |
| – |
| When |
| – | — | Comma-separated allow-list of tool names or category slugs to expose (e.g. |
| – | — | Comma-separated deny-list of tool names or category slugs to hide further (e.g. |
| – |
| Skip the live OpenAPI fetch and use the snapshot bundled with the package. |
| – |
| Override where the OpenAPI schema is fetched from. |
| – |
| Max length of generated tool names (clamped to 16–64). Lower it if your MCP client prefixes tool names (e.g. |
| – |
| Per-request timeout in milliseconds. |
| – |
| Extra attempts for idempotent ( |
| – |
| When |
| – | — | Optional |
Note: Only path and query parameters are exposed as tool inputs. The few Mealie endpoints that read a custom request header or cookie are not driven through those parameters —
Accept-Languageis forwarded viaMEALIE_ACCEPT_LANGUAGE, and authentication is handled globally.
Authenticating with OAuth (client credentials)
By default the server authenticates with a static MEALIE_API_TOKEN. As an
alternative — useful for headless/machine-to-machine setups — it can obtain an
access token from your identity provider using the OAuth2 client-credentials
grant, then send it as the Authorization: Bearer credential and refresh it
automatically (proactively before expiry, and reactively on a 401).
MEALIE_OAUTH_TOKEN_URL="https://idp.example.com/oauth/token"
MEALIE_OAUTH_CLIENT_ID="your-client-id"
MEALIE_OAUTH_CLIENT_SECRET="your-client-secret"
# Optional, IdP-dependent:
MEALIE_OAUTH_SCOPE="mealie"
MEALIE_OAUTH_AUDIENCE="https://mealie.example.com"When these are set, OAuth takes precedence and MEALIE_API_TOKEN is ignored.
Precondition: your Mealie must be a version that validates IdP-issued access tokens as bearer tokens (via the provider's JWKS). The client sends the credentials in the request body (
client_secret_post). If your IdP requires HTTP Basic client auth instead, open an issue.
The safe baseline (≈211 of 259 endpoints)
Mealie exposes ~259 endpoints, but the server ships a safe baseline of ~211 so clients aren't overwhelmed and risky endpoints aren't reachable at all. Two groups are permanently excluded — they can't be re-enabled by configuration:
Admin / server-ops endpoints (backups, maintenance, multi-tenant user/group/household management, debug, email config, AI providers). These are powerful, rarely what a recipe assistant needs, and a security footgun, so the server never exposes them. Manage your instance through Mealie's own UI/API.
Endpoints with little value to an LLM: password-reset and registration flows, the docker healthcheck route, the SSE stream duplicates of plain-JSON recipe-import endpoints, and zip/file download routes that return opaque bytes. (The
Users: Authenticationcategory is kept, since the server can authenticate via OAuth.)
You can narrow further from this baseline — but not widen past it — with
MEALIE_TOOLS / MEALIE_EXCLUDE_TOOLS using category slugs (or exact tool
names). Examples:
# Only recipes, meal plans and shopping lists:
MEALIE_TOOLS="recipe,households_mealplans,households_shopping"
# Baseline, but also drop group seeders + migrations:
MEALIE_EXCLUDE_TOOLS="groups_seeders,groups_migrations"
# Read-only recipe browsing assistant:
MEALIE_READ_ONLY=true
MEALIE_TOOLS="recipe,explore"How tools are named
Each tool name is derived from the Mealie OpenAPI tag (category) and operation.
Uniquely-named operations use their bare operation name (e.g. suggest_recipes);
operations whose name is reused across resources (the CRUD verbs get_all,
get_one, create_one, update_one, delete_one, …) are prefixed with their
category to stay unique and to keep them grouped. All names are kept well under
the 64-character tool-name limit. For example:
Tool | Method & path |
|
|
|
|
|
|
|
|
|
|
|
|
Each tool's input schema declares its path parameters, query parameters and
(where relevant) a body object — all generated directly from Mealie's OpenAPI
schema, so the model gets accurate, fully-typed arguments.
File uploads
Endpoints that upload files (recipe images, ZIP imports, backups, assets, …) take their file fields as absolute paths to local files, which the server reads and sends as multipart form data. The tool description tells the model which fields are file paths.
Troubleshooting: "name: String should have at most 64 characters"
Some MCP clients/hubs (e.g. MCPHub, remote connectors) prefix every tool name
with the server name — mcp__<server>__<tool> — and the combined string
must stay within the API's 64-character limit. If you hit this error:
Keep the server's name/alias short (
mealieis ideal).Lower the tool-name cap, e.g.
MEALIE_TOOL_NAME_MAX=30, until it fits.The error is global — Claude rejects the whole tool list if any tool (from any server) is too long, so the culprit may be a different server.
Categories
Category | Tools |
| 3 |
| 4 |
| 6 |
| 1 |
| 2 |
| 5 |
| 5 |
| 5 |
| 7 |
| 3 |
| 2 |
| 2 |
| 2 |
| 2 |
| 3 |
| 2 |
| 2 |
| 2 |
| 4 |
| 2 |
| 1 |
| 5 |
| 3 |
| 3 |
| 6 |
| 6 |
| 6 |
| 3 |
| 5 |
| 7 |
| 6 |
| 7 |
| 8 |
| 9 |
| 7 |
| 7 |
| 7 |
| 6 |
| 8 |
| 6 |
| 23 |
| 2 |
| 5 |
| 2 |
| 2 |
| 6 |
| 6 |
| 6 |
| 4 |
| 5 |
| 6 |
| 1 |
| 2 |
| 5 |
| 1 |
| 2 |
| 1 |
Development
git clone https://github.com/2fst4u/mealie-mcp.git
cd mealie-mcp
npm install
npm run build # compile TypeScript to dist/
npm test # run the test suite (node:test)
npm run typecheck # type-check without emitting
# Run from source against a Mealie instance:
MEALIE_BASE_URL="https://demo.mealie.io" npm run devUpdating the bundled OpenAPI snapshot
The server prefers the live schema from your own instance, but the bundled snapshot (used as a fallback) can be refreshed from any Mealie instance:
npm run refresh-spec -- https://demo.mealie.ioProject layout
Path | Purpose |
| Entry point: load config + spec, start stdio server. |
| Environment-variable configuration. |
| Resolve the |
| Fetch live OpenAPI schema with bundled fallback. |
| Generate one MCP tool per OpenAPI operation; built-in trimming. |
| Build self-contained JSON Schemas ( |
| Execute requests (JSON / urlencoded / multipart / binary). |
| MCP server wiring ( |
| Bundled fallback OpenAPI schema. |
Releases & publishing
This repo ships two GitHub Actions workflows:
CI (
.github/workflows/ci.yml) — runs type-check, build and tests on every pull request (and on non-mainbranch pushes) across Node 18/20/22.Release (
.github/workflows/release.yml) — on every push/merge tomainthat touches source files, builds and tests, auto-bumps the patch version, creates a GitHub Releasev<version>(with auto-generated notes), and publishes to npm.
Publishing to npm (Trusted Publishing / OIDC)
The release workflow publishes via npm Trusted Publishing, so there is no
NPM_TOKEN secret to store — GitHub Actions authenticates to npm with a
short-lived OIDC token, and npm generates build provenance automatically.
npm requires a package to exist before you can attach a Trusted Publisher, so there is a one-time bootstrap for the first ever publish:
Publish the first version manually from your machine (this also claims the package name):
npm install # ensure deps npm login # your normal npm account + 2FA npm publish --access publicConfigure the Trusted Publisher on npmjs.com: open the package page → Settings → Trusted Publisher → GitHub Actions, and enter:
Organization or user:
2fst4uRepository:
mealie-mcpWorkflow filename:
release.ymlEnvironment: (leave blank)
From then on, every merge to
mainthat touches source files auto-bumps the patch version and publishes automatically over OIDC — no tokens, no manual steps.
Requirements (handled by the workflow):
id-token: writepermission, Node ≥ 22.14, and npm ≥ 11.5.1. The publish step safely skips if the version is already on npm, so re-runs and the bootstrap version won't cause failures.
License
This project is an independent client for Mealie and is not affiliated with the Mealie project.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/2fst4u/mealie-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server