zotio
The zotio server is a command-orchestration layer for the zotio CLI, allowing agents and MCP hosts to search, analyze, and manage Zotero libraries safely.
Core Tools
context— Get API domain context, resource taxonomy, auth requirements, and query tips. Recommended as the first call.command_search— Discover and inspect available zotio CLI commands by name or natural-language query (e.g., "export bibtex", "find duplicates").command_run— Execute any supported zotio CLI command (e.g.,items enrich,library health,tags audit). Write operations use preview-first semantics (--dry-run,--max-changes,--allow-destructive) and require explicit{"yes": true}to apply changes.search— Full-text search across all locally synced Zotero data using FTS5 syntax (AND, OR, NOT, phrase quotes).sql— Run read-only SQL queries against the local SQLite mirror for ad-hoc aggregations and joins.
What You Can Accomplish
Library health & CI gating: Run health checks with presets (
quick,citation,systematic-review,all) and failure thresholdsHygiene & integrity: Find duplicates, citekey conflicts, missing PDFs/abstracts/DOIs, retracted papers, and tag inconsistencies
Enrichment: Fill missing metadata from CrossRef, OpenAlex, Semantic Scholar, and Unpaywall
Import pipeline: Scan, resolve, and apply bulk imports with a preview-first safety envelope
Vault sync: Keep Obsidian/Logseq notes in sync with Zotero (pull, push, conflict resolution)
Export & analytics: BibTeX/CSL-JSON exports, library stats, reading list management, and annotations
Safe writes: Every mutation is preview-first; destructive ops require explicit opt-in; changes are journaled and reversible where possible
Syncs Zotero items to an Obsidian vault for note-taking and knowledge management.
Enriches Zotero items by resolving missing metadata and supporting import through Semantic Scholar's API.
Generates badge JSON artifacts from library health checks for real-time status badges.
Provides CLI and MCP server to manage, audit, and sync Zotero libraries with local reads, preview-first writes, health checks, and CI integration.
brew install orgmentem/tap/zotio # or grab a signed binary from Releases
zotio init # guided setup: detect Zotero, key, first sync, health check
zotio library health --for citation --fail-on high # is this library fit to cite? (exit 11 if not)
zotio items retract-check # are you citing retracted papers?
zotio items bibcheck thesis.tex --fail-on-unknown # does every \cite{} resolve to your library?
zotio search 'automation trust' --data-source local # offline full-text search
zotio items enrich --missing-doi --dry-run # resolve DOIs from CrossRef/OpenAlex — preview onlyNo Zotero yet? Try the sandbox — a bundled sample library (34 classic papers, one genuinely retracted) that needs no desktop app and no API key:
zotio demo # seed the sandbox + print a tour
ZOTIO_DEMO=1 zotio library health --for citationWhy zotio
Zotero's GUI is great for reading and citing. It is painful the moment you need to operate on a library at scale: find every article missing a PDF, catch duplicate \cite{} keys before a submission, export a week of highlights, keep an Obsidian vault in sync, or hand an AI agent trustworthy context. Existing CLIs and pyzotero give you raw API access — then you write the glue, and you own the risk.
zotio is the glue, hardened:
Reads are local and free. Point at your running desktop app — no API key, no cloud round-trip, works offline against a synced mirror.
Writes are preview-first. Every mutation shows a plan before it touches anything. Gates cap blast radius; irreversible ops require an explicit opt-in; an append-only journal lets you undo the reversible ones.
Context is bounded and provenance-tagged. Every result says where it came from and how fresh it is — so a human or an agent knows whether to trust it.
zotionever calls an LLM; it does the assembly and budgeting a model is bad at, then hands off.
It is not "every Zotero endpoint in a terminal." It is the tool you reach for when the GUI gets too manual: find the problems that bite downstream, fix them safely, ingest with review, and give agents a surface they can trust.
Related MCP server: Zotero MCP
How it works
Reads stay on your machine. Writes split by intent: creating a new item (with its attachments/PDFs) prefers the local desktop connector (localhost:23119, no key — the same channel the browser "Save to Zotero" button uses), while everything else — field edits, deletes, enrichment, tag ops, moves, and collections create/update — routes to the Zotero Web API and needs a configured key. The connector path is a preference, not a guarantee: --via auto uses it only on a personal library with the desktop running, and falls back to the Web API otherwise (group libraries always go to the cloud). Either way it's preview-first, the version-read happens locally, and the applied change is replayed into your local mirror so a follow-up read sees it without another sync.
Plane | Backend | Needs a key? |
Read | Local Zotero API ( | No |
Write — new item | Local desktop connector ( | No (connector path) |
Write — everything else | Zotero Web API ( | Yes — configured once |
External | CrossRef · OpenAlex · Semantic Scholar · Unpaywall · OpenCitations | No (feeds enrich/import) |
Local-only | Files, desktop launch, vault, introspection | No |
Run zotio doctor any time to see connectivity, cache freshness, and a writes: line telling you whether write-back is available or read-only.
The flagship: library health
One command that answers a real question — "is this library fit for the next thing I'm going to do with it?" — instead of making you run six separate audits and eyeball the output.
library health composes the checks that already exist (citekey conflicts, duplicates, missing metadata, tag drift, broken attachments) into one ranked, finding-typed report. You pick what "ready" means with --for:
| Prepares for | Checks |
| anything obviously broken | citekey conflicts, duplicates, broken attachments |
| a manuscript bibliography | missing/duplicate citekeys, citation-core fields, duplicates |
| a PRISMA screening corpus | duplicates, screenable metadata (title/abstract), full-text PDFs |
| a full sweep | every registered check |
$ zotio library health --for quick
Health: needs attention
Scope: library · 846 items · source local · synced 1d ago · preset quick
High (13)
[duplicate_candidates] doi="10.1002/bdm.2118" (2 items)
[duplicate_candidates] title="Social psychology" (3 items)
... 11 more
Skipped (precondition unmet)
broken_attachment_file — live check (needs Zotero desktop running); off by default.
Fix: zotio library health --for quick --verify-files
Remediation plan (preview-first)
duplicate_candidates — zotio items duplicates resolve --doi (preview first; add --yes after review)Three things make it trustworthy, not just convenient:
It gates CI.
--fail-on critical|high|anyexits11when the bar isn't met — drop it in a pre-submission hook.--require-fresh 24hexits12if your local mirror is stale.It never lies by omission. A check that needs the desktop app (broken attachments) doesn't silently vanish — it becomes a loud skip with a remedy, and if that skip is gate-relevant the run exits
9(setup required) rather than falsely passing.It points at the real fixer. Findings carry a
recommended_actionnaming the exact existing command (items enrich,items duplicates resolve,tags audit fix) — health diagnoses, dedicated commands treat.
CI for your bibliography
--badge renders any health run as a shields.io endpoint JSON artifact — healthy green, findings yellow, gate-failure red, setup required orange:
# .github/workflows/bibliography.yml (excerpt)
- run: zotio sync
- run: zotio library health --for citation --fail-on high --badge > badge.json
# exit 11 fails the job when the bar isn't met; badge.json says why
# publish badge.json anywhere shields can reach (gh-pages, gist, artifact host), then:
# https://img.shields.io/endpoint?url=https://<you>.github.io/<repo>/badge.jsonYour thesis or review repo gets a live bibliography | healthy badge — and a failing build the moment a citekey conflict or duplicate slips in. Add --check-retractions to extend the gate to retracted papers (Crossref's Retraction Watch data), and gate the manuscript itself with zotio items bibcheck paper.tex --fail-on-unknown. The zotio-action packages this — install, sync, gate, and diff against a baseline so it fails only on new problems (guide).
See it running for real: zotio's own docs deploy publishes a live badge off the maintainer's real Zotero library (workflow, guide).
Safe by default: the write engine
Every write command — items enrich, tags audit fix, items duplicates resolve, items preprint-check fix, items create/update/move/delete, import apply, vault push — flows through one mutation envelope with identical, predictable semantics.
Preview is the default. You get a plan/result envelope with zero changes.
--yesapplies;--dry-runalways wins.--agentdoes not auto-apply. Agent mode sets JSON + non-interactive defaults, but a write still needs an explicit--yes.Gates cap the blast radius.
--max-changesdefaults to 500 (50 under--agent); irreversible ops (merge, permanent delete, empty-trash) refuse to run without--allow-destructive.Read-your-writes. An applied write is replayed into the local mirror immediately, and the post-write item state comes back in the envelope — a re-audit sees the fix with no follow-up
sync.Journaled + reversible. Every applied run is recorded append-only (
journal list/journal show).journal undo <run-id>reverses the reversible ops (tag renames, collection membership) and loudly refuses the rest (merges, deletions, field overwrites) rather than guessing.
Import without making a mess
Bulk-import references through a review checkpoint. Nothing hits your library until you've seen — and can edit — the manifest.
zotio import scan ~/Downloads/papers # read-only: triage new vs duplicate vs attach-candidate
zotio import resolve ~/Downloads/papers -o manifest.json # resolve DOI/PMID/arXiv/ISBN → editable manifest
# ... review and edit manifest.json ...
zotio import apply manifest.json --dry-run # preview the writes
zotio import apply manifest.json --yes # schema-valid creation via the Web APIScan classifies a folder of PDFs against your existing library — extracting DOIs from filenames or the PDF bytes — so you never re-import what you already have.
Resolve turns findings into an editable JSON manifest, enriching create-entries from CrossRef. This is the human touchpoint.
Apply creates schema-valid items, preview-first, with an explicit
--attach-mode none|linked-filecontract (stored-file upload is deferred, and says so).
One-shot importers are there too: import doi|pmid|arxiv|isbn|url|file|pdf.
Conflict-safe vault round-trip
Keep an Obsidian or Logseq vault in step with Zotero in both directions — without ever clobbering your prose.
zotio vault sync # Zotero → one Markdown note per item (idempotent)
zotio vault push --dry-run # your ## Notes region → a managed Zotero child note
zotio vault pull --dry-run # remote note edits → your ## Notes region (fast-forward only)Each note has a managed region (frontmatter + a fenced annotations block, refreshed on every sync) and your region (## Notes, prose preserved untouched). Write-back is fast-forward only: if both sides changed, zotio never merges blindly — it writes a reviewable conflict artifact under _vault-zotero-conflicts/ and reports it, so divergence becomes something you resolve on purpose (vault resolve --keep-vault | --keep-remote | --recreate), never a silent overwrite. Run vault audit for a read-only preflight before any push.
Configure the vault once in ~/.config/zotio/config.toml:
[vault]
root = "~/Vaults/dev" # ~ is expanded; base output dir
notes_dir = "Zotero" # notes land in <root>/<notes_dir>
format = "obsidian" # or "logseq"More that the GUI and pyzotero don't give you
Library hygiene, integrity & analytics
items retract-check— check every DOI against Crossref's Retraction Watch data: retractions, expressions of concern, and corrections, with notice DOIs and dates. Opt into thelibrary healthgate with--check-retractions. (This one reads the network.)collections gaps— citation-graph gap analysis: rank the papers your collection cites most that are missing from your library (OpenCitations + Semantic Scholar), thenimport doithem. (Network too.)items bibcheck <manuscript>— parse\cite{}/@citekeyfrom.texor pandoc Markdown and resolve every key against your library — unknown and ambiguous keys flagged,--fail-on-unknownexits 11 for CI.tags audit— group tags that differ only by case or variant, with item counts and ready-to-run merge commands. On a real 840-tag library it surfaced 53 duplicate groups in one pass.library stats— a one-command dashboard: items by type and year, top venues, PDF coverage (e.g. 684/792 (86%)).items audit— count and list items missing PDFs, abstracts, DOIs, tags, or citation-core fields;--verify-fileschecks PDFs actually exist on disk.items duplicates— detect likely duplicates by DOI or title (attachments/notes excluded), thenduplicates resolveto merge safely.items citekey-conflicts— find missing or duplicate Better BibTeX keys before they break a LaTeX build.items venues·items authors·items stale·items unfiled·items missing-pdf— slice your library by publication, creator, staleness, filing, and PDF gaps.
Reading & synthesis
items summarize— assemble a bounded, synthesis-ready bundle for an item or collection (citation + abstract + your annotations + a capped fulltext excerpt + known metadata gaps + a synthesis prompt) and hand it to any LLM.zotiodoes the budgeting; it never calls the model.annotations export·annotations timeline·annotations search— pull highlights and notes as Markdown or JSON, ordered by date or searched by text.reading-list— ato-readtag queue with anadd→start→donelifecycle for triaging what to read next.items note-template— generate a pre-filled Obsidian/Logseq reading note for an item.items open— print or launch azotero://deep link to an item, collection, or PDF (cross-platform).library wrapped— your Zotero year in review: items by month and type, top venues and authors, annotation activity, PDF coverage — with a shareable SVG card:
Enrichment (reads external APIs, writes Zotero)
items enrich— fill missing DOIs and abstracts from CrossRef → OpenAlex → Semantic Scholar, attach open-access PDF links from Unpaywall, and record provenance in each item's Extra field.--validateruns a read-only DOI discrepancy report against CrossRef and OpenCitations.items preprint-check— find arXiv preprints that now have a published CrossRef record;preprint-check fixupgrades them with the journal DOI — preview-first, journaled, and it never overwrites a conflicting DOI.
Export & reproducibility
collections export— a whole collection and its subcollections as one BibTeX or CSL-JSON file, structure preserved in comments.export snapshot— a reproducible, resumable, fully paginated JSONL export with a<output>.lock.jsoncontent lockfile (sorted key+version + sha256) for drift detection and clean review handoffs.
Freshness & schema
sync·watch·tail— populate the mirror, keep it fresh with periodic incremental syncs, or stream live changes.watch --healthdiffslibrary healthbetween cycles and reports new findings to stdout or a webhook — hear about drift the cycle it appears.schema drift— after a Zotero upgrade, detect item-type / field / creator-field changes against a saved baseline.
Built for agents
zotio publishes a machine-readable trust model so an MCP host, CI job, or shell script can discover what's safe, fresh, and writable before it acts.
--agenton any command: JSON + compact + non-interactive + no color, in one flag. (It never auto-applies writes.)capabilities— the full registry (122 commands), each tagged withoperation,data_sources,write_target,destructive, andrequirespreconditions.agent-context— a structured description of the whole CLI, embedding the registry and discovery hints.which "<capability in your words>"— resolve a natural-language query to the command that does it.Stable envelopes — one mutation plan/result shape, one finding shape, one exit-code contract. Learn the grammar once.
Scope grammar — one selection vocabulary across reads, audits, exports, and enrich:
collection:KEY tag:NAME query:TEXT item:KEY saved-search:KEY (needs live desktop)Exit codes: 0 ok · 2 usage · 3 not-found · 4 auth · 5 API · 7 rate-limited · 9 precondition/setup · 10 config · 11 quality-gate failed · 12 freshness-gate failed.
Install
zotio comes in three pieces you can install independently: the CLI (the engine — everything runs through it), the agent skill (drives the CLI inside coding agents), and the MCP server (exposes the CLI to MCP hosts like Claude Desktop). Most people want the CLI; add the skill or MCP server for your agent of choice.
1. The CLI — zotio
Homebrew (macOS / Linux):
brew install orgmentem/tap/zotioThis installs both zotio and the zotio-mcp MCP server; brew upgrade tracks new releases.
Prebuilt binaries: every GitHub release ships archives for macOS, Linux, and Windows (amd64/arm64) with cosign-signed checksums and SBOMs. Unpack and put zotio on your PATH; on macOS clear the Gatekeeper quarantine (xattr -d com.apple.quarantine zotio), on Unix chmod +x zotio.
From source:
git clone https://github.com/OrgMentem/zotio && cd zotio && go build -o zotio ./cmd/zotioThen let the CLI walk you through setup — Zotero detection, the local-API toggle, an optional Web API key, first sync, and a health check:
zotio init2. The agent skill
A focused skill — bundled in this repo as SKILL.md — that teaches a coding agent to drive the CLI directly (the most efficient path; no MCP server in the middle).
Recommended — the skills CLI (works across Claude Code, Cursor, Codex, Cline, opencode, and 40+ agents):
npx skills add OrgMentem/zotio # detect your agents and install
npx skills add OrgMentem/zotio --list # preview without installing
npx skills add OrgMentem/zotio -g # install globally (all projects)Manual:
Claude Code: copy
SKILL.mdinto~/.claude/skills/zotio/SKILL.md(or your project's.claude/skills/zotio/).Any other agent: point it at the raw file —
https://raw.githubusercontent.com/OrgMentem/zotio/main/SKILL.md— or paste it into your agent's skill store.
3. The MCP server — zotio-mcp
zotio-mcp ships alongside the CLI — the Homebrew formula and every release archive include both binaries. Register it:
# Claude Code
claude mcp add zotero zotio-mcp -e ZOTERO_API_KEY=<your-key>For Claude Desktop, every release ships per-platform MCPB bundles — download the .mcpb for your platform, double-click it, and Claude Desktop walks you through the install.
Install the zotio-mcp binary and add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"zotero": {
"command": "zotio-mcp",
"env": { "ZOTERO_API_KEY": "<your-key>" }
}
}
}The ZOTERO_API_KEY is optional for read-only local-desktop use (the local API needs no key); set it to enable writes and reach group libraries.
Authentication
Reads go to your Zotero desktop app at localhost:23119 — no API key required while Zotero is running. First enable the local API in Zotero: Settings → Advanced → "Allow other applications to communicate with Zotero."
Creating items and saving attachments also works keyless — those go through the same local desktop connector.
Editing writes (items update/delete/move, items enrich, tags mutations, vault push/pull/resolve, most of import apply) route to the Zotero Web API and need a key. Configure it once:
printf %s "$ZOTERO_API_KEY" | zotio auth set-token --stdin # or export ZOTERO_API_KEY=<key>Generate a key at https://www.zotero.org/settings/keys. The first Web API write prints a one-time stderr notice naming the target. A key is also needed to read group libraries or to read while the desktop app is closed. Run zotio doctor to see a writes: line reporting whether write-back is available.
Use
Use the CLI directly
# 1. Verify Zotero is running and reachable
zotio doctor
# 2. Sync your library to local SQLite for offline search + analytics
zotio sync
# 3. See the shape of your library
zotio library stats
# 4. Certify it for a citation handoff (exit 11 if it fails the bar)
zotio library health --for citation --fail-on high
# 5. Search offline
zotio search 'automation trust' --data-source local --json
# 6. Export a week of highlights for synthesis
zotio annotations timeline --since 2026-05-01 --format markdown > this-week.mdUse the skill in a coding agent
Once installed (above), invoke /zotio <query> in Claude Code. The skill drives the CLI directly — the most efficient path, no MCP server in the middle.
Use the MCP server in an agent host
Once registered (above), the MCP server exposes a command-orchestration facade (command_search / command_run) rather than one tool per endpoint — agents discover and drive the CLI the same way a human would (see notes/adr/0001-mcp-command-surface.md; switch surfaces via ZOTIO_MCP_SURFACE). It also serves Zotero context as resources — zotero://context, zotero://agent-context, zotero://status, zotero://schema, zotero://freshness, zotero://health/{scope}, zotero://capabilities, and bounded graph resources (collections/{key}/tree, items/{key}/children|attachments|context) — plus guided prompts (prepare-library-health, prepare-import, sync-vault-safely).
Output formats
zotio collections list # human table (JSON when piped)
zotio collections list --json # JSON for scripting and agents
zotio collections list --json --select id,name,status # only the fields you need
zotio collections list --dry-run # show the request without sending
zotio collections list --agent # JSON + compact + non-interactive + no colorAlso available: --csv, --plain, --quiet, --compact, and --deliver stdout|file:<path>|webhook:<url>.
Health check & troubleshooting
zotio doctor # config, credentials, connectivity, cache freshness, writabilitydoctor: connection refused— open Zotero desktop and enable Settings → Advanced → "Allow other applications to communicate with Zotero."items missing-pdf/ analytics return nothing — runzotio syncfirst to populate the local mirror.annotations exportoutputs empty sections — PDF annotations must be made in Zotero's built-in PDF reader, not an external app.citekey-conflictsfinds no keys — install the Better BibTeX extension; citation keys live in theextrafield.Authentication errors (exit 4) —
zotio doctorto check credentials; verifyecho $ZOTERO_API_KEY.
Configuration
Config file: ~/.config/zotio/config.toml. Static request headers can be set under [headers]; per-command overrides take precedence.
Variable | Required | Description |
| No for reads | Required for writes (routed to the Zotero Web API), group libraries, and access while the desktop app is closed. Local desktop reads need no key. Configure once by piping the token into |
Command reference
Run zotio --help for the full command list, or zotio <command> --help for any subcommand. Ask the CLI directly when you know the goal but not the command:
zotio which "export bibtex for a collection"agent-context · analytics · annotations · auth · capabilities · collections · doctor · export · groups · import · init · items · journal · library · profile · reading-list · schema · search · searches · sync · tags · tail · vault · version · watch · which · workflow
Sources & inspiration
Built by studying these projects and resources:
cli-anything-zotero — TypeScript
54yyyu/zotero-mcp — Python
pyzotero — Python
kujenba/zotero-mcp — Python
jbaiter/zotero-cli — Python
dhondta/zotero-cli — Python
Licensed under MIT.
Zotero is a registered trademark of the Corporation for Digital Scholarship. zotio is an independent project and is not affiliated with or endorsed by Zotero or the Corporation for Digital Scholarship.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/OrgMentem/zotio'
If you have feedback or need assistance with the MCP directory API, please join our Discord server