Sitecore XM Cloud MCP Server
Provides tools for interacting with Sitecore XM Cloud, enabling AI agents to perform authoring operations such as creating data templates via the Sitecore Authoring GraphQL API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Sitecore XM Cloud MCP ServerCreate a new template for articles with Title and Content fields"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Sitecore XM Cloud MCP Server — Complete Documentation
This repository is a Next.js application that exposes a Model Context Protocol (MCP) server for Sitecore XM Cloud. AI clients (Cursor, Sitecore Agentic Studio, Claude Desktop, etc.) can connect to it and invoke tools that perform Sitecore authoring operations — today, primarily creating data templates via the Sitecore Authoring GraphQL API.
The app is designed to run locally or on Vercel, and it implements the OAuth discovery and proxy routes required for Sitecore Agentic Studio to authenticate against the MCP endpoint.
Table of Contents
1. What problem does this solve?
Without this repo
AI assistants have no native way to talk to Sitecore XM Cloud.
Sitecore authoring operations (like creating templates) require authenticated GraphQL calls with XM Cloud Automation Client credentials.
Sitecore Agentic Studio expects MCP servers to support OAuth 2.0 protected resource discovery — a standard way for clients to discover how to authenticate before calling
/api/mcp.
With this repo
Capability | How |
AI-driven Sitecore operations | MCP tool |
XM Cloud authentication | Server-side client credentials flow, token cached |
MCP over HTTP |
|
Sitecore Agentic Studio compatibility | OAuth discovery + proxy routes backed by Auth0 |
Direct REST testing |
|
In short: this repo is a bridge between AI MCP clients and Sitecore XM Cloud, with OAuth plumbing so enterprise Sitecore tools can connect securely.
2. High-level architecture
flowchart TB
subgraph clients [AI Clients]
Cursor[Cursor / Claude Desktop]
Agentic[Sitecore Agentic Studio]
REST[Direct REST callers]
end
subgraph nextjs [Next.js App - sitecore-mcp]
MCP["/api/mcp"]
OAuth["OAuth routes<br/>/.well-known/*"]
SitecoreAPI["/api/sitecore/*"]
Lib["src/lib/sitecore/*"]
end
subgraph external [External Services]
Auth0[Auth0]
XMCloud["Sitecore XM Cloud<br/>auth.sitecorecloud.io"]
GraphQL["Authoring GraphQL API"]
end
Cursor -->|MCP HTTP optional Bearer| MCP
Agentic -->|OAuth discovery + MCP| OAuth
Agentic --> MCP
REST --> SitecoreAPI
OAuth --> Auth0
MCP --> Lib
SitecoreAPI --> Lib
Lib -->|client_credentials| XMCloud
Lib -->|Bearer token| GraphQLData flow for a template creation:
MCP client calls
createTemplatetool on/api/mcp.MCP handler invokes
createSitecoreTemplate()in the library layer.Library obtains (or reuses cached) XM Cloud bearer token.
Library resolves parent folder path → GUID, then runs
createItemTemplateGraphQL mutation.Result is returned to the AI client as JSON text content.
3. Two separate authentication systems
This is the most important concept to understand. The repo uses two independent auth flows for two different purposes:
A. Sitecore XM Cloud auth (server → Sitecore)
Who uses it: The Next.js server itself, when calling Sitecore GraphQL.
How: OAuth 2.0
client_credentialswith an XM Cloud Automation Client.Env vars:
SITECORE_CLIENT_ID,SITECORE_CLIENT_SECRET,SITECORE_AUTHORING_ENDPOINTToken endpoint:
https://auth.sitecorecloud.io/oauth/tokenAudience:
https://api.sitecorecloud.ioImplementation:
src/lib/sitecore/auth.ts— tokens are cached in memory until near expiry.
This auth is never exposed to MCP clients. The server holds Sitecore credentials and acts on behalf of the connected AI user.
B. MCP client OAuth (client → this app)
Who uses it: MCP clients like Sitecore Agentic Studio that require OAuth before accessing
/api/mcp.How: OAuth 2.0 Authorization Code flow with PKCE, proxied through this app to Auth0.
Env vars:
AUTH0_DOMAIN,AUTH0_AUDIENCE,AUTH0_WEB_CLIENT_ID,AUTH0_WEB_CLIENT_SECRET,MCP_BASE_URLImplementation: OAuth routes under
/oauth/*and/.well-known/*.
When a client hits /api/mcp without a Bearer token, withMcpOAuthChallenge returns 401 Unauthorized with a WWW-Authenticate header pointing to resource metadata — this triggers the client's OAuth discovery flow.
Note: The current OAuth middleware only checks that a Bearer token is present; it does not validate the JWT against Auth0. Full token verification would be a natural next hardening step.
4. Project structure
sitecore-mcp/
├── src/
│ ├── app/
│ │ ├── page.tsx # Landing page with setup hints
│ │ ├── layout.tsx # Root layout
│ │ ├── api/
│ │ │ ├── mcp/
│ │ │ │ ├── route.ts # Main MCP endpoint (auth-wrapped)
│ │ │ │ ├── mcpServer.ts # MCP tool definitions
│ │ │ │ ├── sse/route.ts # SSE transport (GET)
│ │ │ │ └── message/route.ts # SSE message channel (POST)
│ │ │ └── sitecore/
│ │ │ ├── token/route.ts # Debug: verify Sitecore auth
│ │ │ └── templates/route.ts # REST alternative to MCP tool
│ │ ├── oauth/
│ │ │ ├── authorize/route.ts # Start OAuth → redirect to Auth0
│ │ │ ├── callback/route.ts # Auth0 callback → redirect to Sitecore
│ │ │ ├── token/route.ts # Exchange code for Auth0 tokens
│ │ │ └── register/route.ts # Dynamic client registration (stub)
│ │ └── .well-known/
│ │ ├── oauth-authorization-server/ # OAuth server metadata
│ │ └── oauth-protected-resource/ # Protected resource metadata
│ │ └── api/mcp/ # Resource-specific metadata for MCP
│ └── lib/
│ └── sitecore/
│ ├── config.ts # Sitecore env config
│ ├── auth.ts # XM Cloud token acquisition + cache
│ ├── graphql.ts # GraphQL client with 401 retry
│ ├── createTemplate.ts # Template creation business logic
│ ├── oauthMetadata.ts # OAuth discovery JSON builders
│ └── withMcpOAuthChallenge.ts # 401 + WWW-Authenticate middleware
├── .env.example
├── vercel.json # 60s maxDuration for MCP routes
└── package.jsonKey dependencies:
Package | Role |
| App framework and API route hosting |
| Vercel adapter for MCP (Streamable HTTP + SSE) |
| MCP protocol SDK |
| Tool input schema validation |
5. Route reference — what each endpoint does and why it exists
MCP routes
Route | Methods | Auth | Purpose |
| GET, POST, DELETE | Bearer required (GET/POST) | Primary MCP endpoint. Streamable HTTP transport. Sitecore Agentic Studio connects here. Wrapped with |
| GET | None | SSE transport entry point. Required by |
| POST | None | SSE message channel. Clients POST MCP messages here when using the SSE transport pattern. |
Why three MCP routes?
The MCP spec supports multiple transports. mcp-handler splits SSE into an event stream (/sse) and a message POST endpoint (/message), while Streamable HTTP uses a single /mcp route. Supporting both maximizes client compatibility (Cursor, Claude, Agentic Studio, etc.).
OAuth discovery routes (.well-known)
Route | Method | Purpose |
| GET | Returns protected resource metadata — tells OAuth clients which authorization server protects this resource. |
| GET | Resource-specific metadata for the MCP endpoint. Referenced in the |
| GET | Returns authorization server metadata — issuer, authorize/token/register endpoints, supported grant types, PKCE methods, scopes. |
Why these exist?
Sitecore Agentic Studio (and the MCP OAuth spec) require clients to auto-discover how to authenticate. When /api/mcp returns 401 with resource_metadata=".../.well-known/oauth-protected-resource/api/mcp", the client fetches that URL, learns the authorization server, and starts the OAuth flow — no manual OAuth config in the client.
OAuth proxy routes
Route | Method | Purpose |
| POST | Dynamic Client Registration (DCR) stub. Returns a fixed client ID/secret so Agentic Studio can "register" without a real DCR server. |
| GET | Authorization entry point. Receives PKCE params from Sitecore, encodes state, redirects user to Auth0 login. |
| GET | Auth0 callback handler. Receives Auth0 auth code, fixes localhost redirect quirks, redirects back to Sitecore with the code. |
| POST | Token exchange proxy. Sitecore sends the auth code here; this route exchanges it with Auth0 and returns access/id/refresh tokens. |
Why a proxy instead of pointing Sitecore directly at Auth0?
Sitecore Agentic Studio expects the MCP server's own domain to be the OAuth issuer (per MCP protected-resource spec). This app acts as an OAuth facade: discovery endpoints live on your MCP domain, while Auth0 handles real identity. The callback route also contains a workaround for Sitecore's https://0.0.0.0:3000 localhost redirect issue.
Sitecore REST routes (testing / direct API)
Route | Method | Purpose |
| GET | Verifies XM Cloud credentials work. Returns auth endpoint, audience, token expiry — does not return the raw token (security). |
| POST | REST alternative to the MCP |
Why REST routes when MCP exists?
They let developers debug Sitecore connectivity independently of MCP/OAuth complexity. If template creation fails, you can isolate whether the problem is Sitecore auth or MCP client auth.
UI
Route | Purpose |
| Simple landing page documenting endpoints, auth flow, and Cursor MCP config snippet. |
6. MCP tools
Currently one tool is registered in mcpServer.ts:
createTemplate
Creates a Sitecore data template under a parent folder using the createItemTemplate GraphQL mutation.
Input parameters:
Parameter | Type | Required | Description |
| string | Yes | Name of the new data template |
| string | Yes | Parent folder item path (e.g. |
| array | No | Template sections with fields. Currently only the first section is sent to GraphQL. |
Section/field shape:
{
"sections": [
{
"name": "Content",
"fields": [
{ "name": "Title", "type": "Single-Line Text" },
{ "name": "Body", "type": "Rich Text" }
]
}
]
}Success response:
{
"success": true,
"template": {
"id": "{GUID}",
"name": "My Template",
"fields": [{ "name": "Title", "type": "Single-Line Text" }]
}
}Internal steps:
Resolve
parentPath→ parent GUID (path lookup via GraphQL, or normalize if already a GUID).Build and execute
createItemTemplatemutation against the Authoring GraphQL endpoint.Return created template ID, name, and fields.
7. Core library modules
config.ts
Loads and validates Sitecore environment variables. Defaults auth endpoint and audience to standard XM Cloud values.
auth.ts
Calls
client_credentialsagainst Sitecore auth endpoint.Caches token in memory with 60-second expiry buffer.
Exposes
clearSitecoreTokenCache()for retry on 401.
graphql.ts
Generic GraphQL executor for the Authoring API.
Automatically attaches Sitecore bearer token.
Retries once on 401 after clearing token cache.
Throws on HTTP errors or GraphQL
errorsarray.
createTemplate.ts
Business logic for template creation.
Path → GUID resolution.
GraphQL mutation builder with string escaping.
Structured
{ success, template?, error? }result type.
oauthMetadata.ts
Builds OAuth discovery JSON payloads.
Reads
AUTH0_AUDIENCEas the protected resource identifier.Points authorization server metadata back to this app's
/.well-known/oauth-authorization-server.
withMcpOAuthChallenge.ts
Middleware wrapper for MCP routes.
Returns 401 +
WWW-Authenticate: Bearer resource_metadata="..."when no Bearer token.Passes through to handler when Bearer is present.
8. Environment variables
Copy .env.example to .env.local for local development.
Sitecore XM Cloud (required for template operations)
Variable | Description |
| XM Cloud Automation Client ID |
| XM Cloud Automation Client secret |
| Authoring GraphQL URL, e.g. |
| Optional. Default: |
| Optional. Default: |
Auth0 / MCP OAuth (required for Sitecore Agentic Studio)
Variable | Description |
| Auth0 tenant domain, e.g. |
| Auth0 API identifier — also used as the protected resource URL (typically your deployed app URL) |
| Auth0 application client ID |
| Auth0 application client secret |
| Public base URL of this app, e.g. |
App
Variable | Description |
| Public app URL (referenced in |
9. Setup and running locally
Prerequisites
Node.js 18+
XM Cloud Automation Client credentials (from XM Cloud Deploy)
Auth0 tenant (only if using Sitecore Agentic Studio OAuth)
Steps
# 1. Install dependencies
npm install
# 2. Configure environment
cp .env.example .env.local
# Edit .env.local with your credentials
# 3. Add MCP_BASE_URL to .env.local
# MCP_BASE_URL=http://localhost:3000
# 4. Start dev server
npm run devApp runs at http://localhost:3000.
Verify Sitecore connectivity
curl http://localhost:3000/api/sitecore/tokenExpected: { "success": true, "expiresIn": ..., ... }
Create a template via REST
curl -X POST http://localhost:3000/api/sitecore/templates \
-H "Content-Type: application/json" \
-d '{
"templateName": "Test Template",
"parentPath": "/sitecore/templates/Feature",
"sections": [{
"name": "Content",
"fields": [{ "name": "Title", "type": "Single-Line Text" }]
}]
}'10. End-to-end flows
Flow A: Cursor / local MCP client (no OAuth)
sequenceDiagram
participant Cursor
participant MCP as /api/mcp
participant Sitecore as XM Cloud GraphQL
Cursor->>MCP: MCP initialize (may skip auth locally)
MCP-->>Cursor: tools/list → createTemplate
Cursor->>MCP: tools/call createTemplate
MCP->>Sitecore: client_credentials → Bearer token
MCP->>Sitecore: createItemTemplate mutation
Sitecore-->>MCP: template created
MCP-->>Cursor: JSON resultFor local dev, you may hit /api/mcp directly. In production with OAuth enabled, clients must present a Bearer token.
Flow B: Sitecore Agentic Studio (full OAuth)
sequenceDiagram
participant Studio as Agentic Studio
participant MCP as /api/mcp
participant Meta as /.well-known/*
participant OAuth as /oauth/*
participant Auth0
Studio->>MCP: GET /api/mcp (no token)
MCP-->>Studio: 401 WWW-Authenticate + resource_metadata URL
Studio->>Meta: GET /.well-known/oauth-protected-resource/api/mcp
Meta-->>Studio: authorization_servers, scopes
Studio->>Meta: GET /.well-known/oauth-authorization-server
Meta-->>Studio: authorize, token, register endpoints
Studio->>OAuth: POST /oauth/register
OAuth-->>Studio: client_id + client_secret (stub)
Studio->>OAuth: GET /oauth/authorize?code_challenge=...
OAuth->>Auth0: redirect to Auth0 login
Auth0-->>OAuth: GET /oauth/callback?code=...
OAuth-->>Studio: redirect with Auth0 code
Studio->>OAuth: POST /oauth/token (code)
OAuth->>Auth0: exchange code
Auth0-->>OAuth: access_token
OAuth-->>Studio: tokens
Studio->>MCP: MCP requests with Bearer token
MCP-->>Studio: tool responsesFlow C: Template creation (internal)
sequenceDiagram
participant Tool as createTemplate
participant Auth as auth.ts
participant GQL as graphql.ts
participant SC as Sitecore API
Tool->>Auth: getSitecoreAccessToken()
alt token cached
Auth-->>Tool: cached token
else token expired
Auth->>SC: POST client_credentials
SC-->>Auth: access_token
Auth-->>Tool: new token
end
Tool->>GQL: resolve parent path → GUID
GQL->>SC: item query
SC-->>GQL: itemId
Tool->>GQL: createItemTemplate mutation
GQL->>SC: mutation
SC-->>GQL: templateId, name, fields
GQL-->>Tool: result11. Usage examples
Cursor MCP configuration
Add to Cursor MCP settings (local, no auth):
{
"mcpServers": {
"sitecore": {
"url": "http://localhost:3000/api/mcp"
}
}
}For production with OAuth, your client must support Bearer token auth and the MCP OAuth discovery flow.
Claude Desktop (stdio bridge)
If your client only supports stdio:
{
"mcpServers": {
"sitecore": {
"command": "npx",
"args": ["-y", "mcp-remote", "http://localhost:3000/api/mcp"]
}
}
}Sitecore Agentic Studio
Point Agentic Studio at your deployed MCP URL:
https://your-app.vercel.app/api/mcpAgentic Studio will automatically run the OAuth discovery flow using the /.well-known and /oauth routes.
12. Deployment notes
Platform: Vercel (see
.vercel/project.json).Function timeout:
vercel.jsonsetsmaxDuration: 60for MCP routes — MCP sessions and GraphQL calls can be long-running.Runtime: All API routes use
export const runtime = "nodejs"(required for MCP and OAuth).Dynamic: All routes use
dynamic = "force-dynamic"— no static caching.
After deploying, set all environment variables in the Vercel dashboard, especially:
MCP_BASE_URL=https://your-app.vercel.appAUTH0_AUDIENCE=https://your-app.vercel.app
Auth0 callback URL must include:
https://your-app.vercel.app/oauth/callbackQuick reference — all endpoints
Endpoint | Method | Category |
| GET | UI |
| GET, POST, DELETE | MCP (auth on GET/POST) |
| GET | MCP SSE transport |
| POST | MCP SSE messages |
| GET | Sitecore debug |
| POST | Sitecore REST |
| GET | OAuth discovery |
| GET | OAuth discovery (MCP) |
| GET | OAuth discovery |
| POST | OAuth DCR stub |
| GET | OAuth start |
| GET | OAuth Auth0 callback |
| POST | OAuth token exchange |
Summary
This repo is a Sitecore-aware MCP server built on Next.js. It lets AI tools create Sitecore data templates by handling XM Cloud authentication server-side, while exposing standard MCP and OAuth discovery endpoints so clients like Sitecore Agentic Studio can connect securely. The routes exist because MCP requires specific transport endpoints, OAuth clients require .well-known discovery documents, and Sitecore Agentic Studio requires an OAuth proxy layer in front of Auth0 — each route serves a distinct part of that end-to-end integration.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/JagadeeshMaroju/sitecore-custom-mcp-connector-createtemplate'
If you have feedback or need assistance with the MCP directory API, please join our Discord server