Sitecore XM Cloud MCP Server
Provides tools for interacting with Sitecore XM Cloud, enabling AI agents to perform authoring operations such as creating data templates via the Sitecore Authoring GraphQL API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Sitecore XM Cloud MCP ServerCreate a new template for articles with Title and Content fields"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Sitecore XM Cloud MCP Server — Complete Documentation
This repository is a Next.js application that exposes a Model Context Protocol (MCP) server for Sitecore XM Cloud. AI clients (Cursor, Sitecore Agentic Studio, Claude Desktop, etc.) can connect to it and invoke tools that perform Sitecore authoring operations — today, primarily creating data templates via the Sitecore Authoring GraphQL API.
The app is designed to run locally or on Vercel, and it implements the OAuth discovery and proxy routes required for Sitecore Agentic Studio to authenticate against the MCP endpoint.
Table of Contents
Related MCP server: SitecoreMCP
1. Repo Details
Capability | How |
AI-driven Sitecore operations | MCP tool |
XM Cloud authentication | Server-side client credentials flow, token cached |
MCP over HTTP |
|
Sitecore Agentic Studio compatibility | OAuth discovery + proxy routes backed by Auth0 |
Direct REST testing |
|
In short: this repo is a bridge between AI MCP clients and Sitecore XM Cloud, with OAuth plumbing so enterprise Sitecore tools can connect securely.
2. High-level architecture
flowchart TB
subgraph clients [AI Clients]
Cursor[Cursor / Claude Desktop]
Agentic[Sitecore Agentic Studio]
REST[Direct REST callers]
end
subgraph nextjs [Next.js App - sitecore-mcp]
MCP["/api/mcp"]
OAuth["OAuth routes<br/>/.well-known/*"]
SitecoreAPI["/api/sitecore/*"]
Lib["src/lib/sitecore/*"]
end
subgraph external [External Services]
Auth0[Auth0]
XMCloud["Sitecore XM Cloud<br/>auth.sitecorecloud.io"]
GraphQL["Authoring GraphQL API"]
end
Cursor -->|MCP HTTP optional Bearer| MCP
Agentic -->|OAuth discovery + MCP| OAuth
Agentic --> MCP
REST --> SitecoreAPI
OAuth --> Auth0
MCP --> Lib
SitecoreAPI --> Lib
Lib -->|client_credentials| XMCloud
Lib -->|Bearer token| GraphQLData flow for a template creation:
MCP client calls
createTemplatetool on/api/mcp.MCP handler invokes
createSitecoreTemplate()in the library layer.Library obtains (or reuses cached) XM Cloud bearer token.
Library resolves parent folder path → GUID, then runs
createItemTemplateGraphQL mutation.Result is returned to the AI client as JSON text content.
3. Two separate authentication systems
A. Sitecore XM Cloud auth (server → Sitecore)
Who uses it: The Next.js server itself, when calling Sitecore GraphQL.
How: OAuth 2.0
client_credentialswith an XM Cloud Automation Client.Env vars:
SITECORE_CLIENT_ID,SITECORE_CLIENT_SECRET,SITECORE_AUTHORING_ENDPOINTToken endpoint:
https://auth.sitecorecloud.io/oauth/tokenAudience:
https://api.sitecorecloud.ioImplementation:
src/lib/sitecore/auth.ts— tokens are cached in memory until near expiry.
This auth is never exposed to MCP clients. The server holds Sitecore credentials and acts on behalf of the connected AI user.
B. MCP client OAuth (client → this app)
Who uses it: MCP clients like Sitecore Agentic Studio that require OAuth before accessing
/api/mcp.How: OAuth 2.0 Authorization Code flow with PKCE, proxied through this app to Auth0.
Env vars:
AUTH0_DOMAIN,AUTH0_AUDIENCE,AUTH0_WEB_CLIENT_ID,AUTH0_WEB_CLIENT_SECRET,MCP_BASE_URLImplementation: OAuth routes under
/oauth/*and/.well-known/*.
When a client hits /api/mcp without a Bearer token, withMcpOAuthChallenge returns 401 Unauthorized with a WWW-Authenticate header pointing to resource metadata — this triggers the client's OAuth discovery flow.
Note: The current OAuth middleware only checks that a Bearer token is present; it does not validate the JWT against Auth0. Full token verification would be a natural next hardening step.
4. Project structure
sitecore-mcp/
├── src/
│ ├── app/
│ │ ├── page.tsx # Landing page with setup hints
│ │ ├── layout.tsx # Root layout
│ │ ├── api/
│ │ │ ├── mcp/
│ │ │ │ ├── route.ts # Main MCP endpoint (auth-wrapped)
│ │ │ │ ├── mcpServer.ts # MCP tool definitions
│ │ │ │ ├── sse/route.ts # SSE transport (GET)
│ │ │ │ └── message/route.ts # SSE message channel (POST)
│ │ │ └── sitecore/
│ │ │ ├── token/route.ts # Debug: verify Sitecore auth
│ │ │ └── templates/route.ts # REST alternative to MCP tool
│ │ ├── oauth/
│ │ │ ├── authorize/route.ts # Start OAuth → redirect to Auth0
│ │ │ ├── callback/route.ts # Auth0 callback → redirect to Sitecore
│ │ │ ├── token/route.ts # Exchange code for Auth0 tokens
│ │ │ └── register/route.ts # Dynamic client registration (stub)
│ │ └── .well-known/
│ │ ├── oauth-authorization-server/ # OAuth server metadata
│ │ └── oauth-protected-resource/ # Protected resource metadata
│ │ └── api/mcp/ # Resource-specific metadata for MCP
│ └── lib/
│ └── sitecore/
│ ├── config.ts # Sitecore env config
│ ├── auth.ts # XM Cloud token acquisition + cache
│ ├── graphql.ts # GraphQL client with 401 retry
│ ├── createTemplate.ts # Template creation business logic
│ ├── oauthMetadata.ts # OAuth discovery JSON builders
│ └── withMcpOAuthChallenge.ts # 401 + WWW-Authenticate middleware
├── .env.example
├── vercel.json # 60s maxDuration for MCP routes
└── package.jsonKey dependencies:
Package | Role |
| App framework and API route hosting |
| Vercel adapter for MCP (Streamable HTTP + SSE) |
| MCP protocol SDK |
| Tool input schema validation |
5. Route reference — what each endpoint does and why it exists
MCP routes
Route | Methods | Auth | Purpose |
| GET, POST, DELETE | Bearer required (GET/POST) | Primary MCP endpoint. Streamable HTTP transport. Sitecore Agentic Studio connects here. Wrapped with |
| GET | None | SSE transport entry point. Required by |
| POST | None | SSE message channel. Clients POST MCP messages here when using the SSE transport pattern. |
Why three MCP routes?
The MCP spec supports multiple transports. mcp-handler splits SSE into an event stream (/sse) and a message POST endpoint (/message), while Streamable HTTP uses a single /mcp route. Supporting both maximizes client compatibility (Cursor, Claude, Agentic Studio, etc.).
OAuth discovery routes (.well-known)
Route | Method | Purpose |
| GET | Returns protected resource metadata — tells OAuth clients which authorization server protects this resource. |
| GET | Resource-specific metadata for the MCP endpoint. Referenced in the |
| GET | Returns authorization server metadata — issuer, authorize/token/register endpoints, supported grant types, PKCE methods, scopes. |
Why these exist?
Sitecore Agentic Studio (and the MCP OAuth spec) require clients to auto-discover how to authenticate. When /api/mcp returns 401 with resource_metadata=".../.well-known/oauth-protected-resource/api/mcp", the client fetches that URL, learns the authorization server, and starts the OAuth flow — no manual OAuth config in the client.
OAuth proxy routes
Route | Method | Purpose |
| POST | Dynamic Client Registration (DCR) stub. Returns a fixed client ID/secret so Agentic Studio can "register" without a real DCR server. |
| GET | Authorization entry point. Receives PKCE params from Sitecore, encodes state, redirects user to Auth0 login. |
| GET | Auth0 callback handler. Receives Auth0 auth code, fixes localhost redirect quirks, redirects back to Sitecore with the code. |
| POST | Token exchange proxy. Sitecore sends the auth code here; this route exchanges it with Auth0 and returns access/id/refresh tokens. |
Why a proxy instead of pointing Sitecore directly at Auth0?
Sitecore Agentic Studio expects the MCP server's own domain to be the OAuth issuer (per MCP protected-resource spec). This app acts as an OAuth facade: discovery endpoints live on your MCP domain, while Auth0 handles real identity. The callback route also contains a workaround for Sitecore's https://0.0.0.0:3000 localhost redirect issue.
Sitecore REST routes (testing / direct API)
Route | Method | Purpose |
| GET | Verifies XM Cloud credentials work. Returns auth endpoint, audience, token expiry — does not return the raw token (security). |
| POST | REST alternative to the MCP |
Why REST routes when MCP exists?
They let developers debug Sitecore connectivity independently of MCP/OAuth complexity. If template creation fails, you can isolate whether the problem is Sitecore auth or MCP client auth.
UI
Route | Purpose |
| Simple landing page documenting endpoints, auth flow. |
6. MCP tools
Currently one tool is registered in mcpServer.ts:
createTemplate
Creates a Sitecore data template under a parent folder using the createItemTemplate GraphQL mutation.
Input parameters:
Parameter | Type | Required | Description |
| string | Yes | Name of the new data template |
| string | Yes | Parent folder item path (e.g. |
| array | No | Template sections with fields. Currently only the first section is sent to GraphQL. |
Section/field shape:
{
"sections": [
{
"name": "Content",
"fields": [
{ "name": "Title", "type": "Single-Line Text" },
{ "name": "Body", "type": "Rich Text" }
]
}
]
}Success response:
{
"success": true,
"template": {
"id": "{GUID}",
"name": "My Template",
"fields": [{ "name": "Title", "type": "Single-Line Text" }]
}
}Internal steps:
Resolve
parentPath→ parent GUID (path lookup via GraphQL, or normalize if already a GUID).Build and execute
createItemTemplatemutation against the Authoring GraphQL endpoint.Return created template ID, name, and fields.
7. Core library modules
config.ts
Loads and validates Sitecore environment variables. Defaults auth endpoint and audience to standard XM Cloud values.
auth.ts
Calls
client_credentialsagainst Sitecore auth endpoint.Caches token in memory with 60-second expiry buffer.
Exposes
clearSitecoreTokenCache()for retry on 401.
graphql.ts
Generic GraphQL executor for the Authoring API.
Automatically attaches Sitecore bearer token.
Retries once on 401 after clearing token cache.
Throws on HTTP errors or GraphQL
errorsarray.
createTemplate.ts
Business logic for template creation.
Path → GUID resolution.
GraphQL mutation builder with string escaping.
Structured
{ success, template?, error? }result type.
oauthMetadata.ts
Builds OAuth discovery JSON payloads.
Reads
AUTH0_AUDIENCEas the protected resource identifier.Points authorization server metadata back to this app's
/.well-known/oauth-authorization-server.
withMcpOAuthChallenge.ts
Middleware wrapper for MCP routes.
Returns 401 +
WWW-Authenticate: Bearer resource_metadata="..."when no Bearer token.Passes through to handler when Bearer is present.
8. Environment variables
Copy .env.example to .env.local for local development.
Sitecore XM Cloud (required for template operations)
Variable | Description |
| XM Cloud Automation Client ID |
| XM Cloud Automation Client secret |
| Authoring GraphQL URL, e.g. |
| Optional. Default: |
| Optional. Default: |
Auth0 / MCP OAuth (required for Sitecore Agentic Studio)
Variable | Description |
| Auth0 tenant domain, e.g. |
| Auth0 API identifier — also used as the protected resource URL (typically your deployed app URL) |
| Auth0 application client ID |
| Auth0 application client secret |
| Public base URL of this app, e.g. |
App
Variable | Description |
| Public app URL (referenced in |
9. Setup and running locally
Prerequisites
Node.js 18+
XM Cloud Automation Client credentials (from XM Cloud Deploy)
Auth0 tenant (only if using Sitecore Agentic Studio OAuth)
Steps
# 1. Install dependencies
npm install
# 2. Configure environment
cp .env.example .env.local
# Edit .env.local with your credentials
# 3. Add MCP_BASE_URL to .env.local
# MCP_BASE_URL=http://localhost:3000
# 4. Start dev server
npm run devApp runs at http://localhost:3000.
Verify Sitecore connectivity
curl http://localhost:3000/api/sitecore/tokenExpected: { "success": true, "expiresIn": ..., ... }
Create a template via REST
curl -X POST http://localhost:3000/api/sitecore/templates \
-H "Content-Type: application/json" \
-d '{
"templateName": "Test Template",
"parentPath": "/sitecore/templates/Feature",
"sections": [{
"name": "Content",
"fields": [{ "name": "Title", "type": "Single-Line Text" }]
}]
}'10. Usage examples
Sitecore Agentic Studio
Point Agentic Studio at your deployed MCP URL:
https://your-app.vercel.app/api/mcpAgentic Studio will automatically run the OAuth discovery flow using the /.well-known and /oauth routes.
11. Quick reference — all endpoints
Endpoint | Method | Category |
| GET | UI |
| GET, POST, DELETE | MCP (auth on GET/POST) |
| GET | MCP SSE transport |
| POST | MCP SSE messages |
| GET | Sitecore debug |
| POST | Sitecore REST |
| GET | OAuth discovery |
| GET | OAuth discovery (MCP) |
| GET | OAuth discovery |
| POST | OAuth DCR stub |
| GET | OAuth start |
| GET | OAuth Auth0 callback |
| POST | OAuth token exchange |
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/JagadeeshMaroju/sitecore-custom-mcp-connector-createtemplate'
If you have feedback or need assistance with the MCP directory API, please join our Discord server