OPSG MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@OPSG MCP Serverrequery transaction status for RefNo INV-001"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
OPSG MCP Server
A local Model Context Protocol (MCP) server for the OPSG (legacy iPay88) payment gateway. It lets AI agents (Claude Desktop, Claude Code, Cursor, and any other MCP client) help you operate against the OPSG SOAP and JSON APIs using your own merchant credentials.
The server runs locally on your machine (stdio transport). Your Merchant Key never leaves your computer except inside signed requests sent directly to the gateway.
⚠️ OPSG has NO sandbox. Both environments (
payment.ipay88.com.myandnode1.ipay88.com.my) are live gateways. Capture, void, refund, and payment tools move real money. Money-moving tools are marked destructive so AI clients ask for confirmation, and refunds are disabled unless explicitly enabled.
Features
Transaction management (SOAP / JSON APIs):
Tool | Endpoint | Purpose |
|
| Transaction status + details (Version 5, no signature) |
|
| Capture (settle) a pre-auth — returns parsed response fields |
|
| Void an uncaptured authorization |
|
| Bank VOID API, Versions 1.0–4.0 (V4 uses CaptureId) |
|
| Refund a transaction (disabled by default — see below) |
|
| Delete a stored card token |
Payment initiation (SOAP — real charges):
Tool | Purpose |
| Merchant Hosted card sale / bind / token charge via |
| Retail e-wallet: User Scan (QR generation) or Merchant Scan (barcode) |
Integration helpers (no network):
Tool | Purpose |
| Signed auto-submit HTML form for |
| Signed payload for |
| Compute/debug the signature for any of the 9 flows |
Reference lookups (offline): opsg_lookup_payment_ids (hosted + retail QR/Scan PaymentIds), opsg_flow_reference (endpoints, transports, signature algorithms).
Related MCP server: Bayarcash MCP Server
Prerequisites
Node.js 18+
OPSG/iPay88 Merchant Code and Merchant Key
Installation
git clone https://github.com/fredericktvf/opsg-mcp-server.git
cd opsg-mcp-server
npm install
npm run buildConfiguration
Variable | Required | Default | Description |
| ✓ | – | Your merchant code |
| ✓ | – | Your merchant key (keep secret) |
| – |
|
|
| – |
| Set |
| – |
| Comma-separated tool whitelist (least privilege) |
| – |
| Gateway request timeout (ms) |
Claude Desktop / Claude Code
{
"mcpServers": {
"opsg": {
"command": "node",
"args": ["/path/to/opsg-mcp-server/dist/index.js"],
"env": {
"OPSG_MERCHANT_CODE": "M00000",
"OPSG_MERCHANT_KEY": "<<YOUR_MERCHANT_KEY>>",
"OPSG_ENVIRONMENT": "production",
"OPSG_ENABLE_REFUNDS": "false",
"OPSG_TOOLS": "all"
}
}
}
}Windows Node/IPv6 note: if gateway calls fail with "fetch failed" while the gateway works in your browser, add "NODE_OPTIONS": "--dns-result-order=ipv4first" to the env block and fully restart your MCP client.
Recommended read-only production config
"OPSG_TOOLS": "opsg_requery_transaction,opsg_generate_signature,opsg_lookup_payment_ids,opsg_flow_reference"Signature formulas (reference)
Amounts are stripped of dots/commas before signing (1.00 → 100).
Flow | Algorithm | Base string |
Hosted payment (entry.asp) | HMAC-SHA512 | Key + Code + RefNo + Amount + Currency + Xfield1 + PromoCode |
Tokenization BT | HMAC-SHA512 | Key + Code + RefNo + CCNo + CCMonth + CCYear + CCCVV + Amount + Currency |
Tokenization SC/UC | HMAC-SHA512 | Key + Code + RefNo + TokenId + Amount + Currency (+ Plan for SC) |
Tokenization CCC | HMAC-SHA512 | Key + Code + RefNo + TokenId + Amount + Currency + MidPAN |
MH Gateway (sales) | SHA256 | Key + Code + RefNo + CCNo + CCMonth + CCYear + CVV2 + Amount + Currency + Xfield1 |
MH Gateway (SC) | SHA256 | Key + Code + RefNo + TokenId + Amount + Currency + Xfield1 |
Retail e-wallet | HMAC-SHA512 | Key + Code + RefNo + Amount + Currency + xField1 + BarcodeNo + TerminalID |
Capture | HMAC-SHA512 | Key + Code + TransId + Amount + Currency |
Void Auth | SHA256 | Key + Code + TransId + Amount + Currency |
Refund | SHA256 | Code + Key + TransId + RefundAmount + PayeeACNo |
Unbind Card | HMAC-SHA512 | Code + Key + TokenID |
Bank Void V1–V4 | HMAC-SHA512 | Key + Code + (CCTransId | CaptureId for V4) + Amount + Currency |
Note the two easy-to-miss quirks: Refund and Unbind Card put MerchantCode before MerchantKey, and MH Gateway / Refund / Void Auth use plain SHA256 while everything else uses HMAC-SHA512.
Security notes
No sandbox exists. Treat every call as production. Use small amounts and real transaction IDs you intend to act on.
Refunds are opt-in (
OPSG_ENABLE_REFUNDS=true). Capture, voids, unbind, and payment tools are always destructive-flagged so MCP clients prompt for confirmation.Tool whitelisting via
OPSG_TOOLS— expose only what you need.Merchant key masking — debug base strings mask your key.
Card data — MH Gateway and BT/CCC tokenization flows carry PANs; PCI DSS applies.
Development
npm run dev # run from source with tsx
npm run build # compile to dist/
npx @modelcontextprotocol/inspector node dist/index.jsSupport
Refer to the OPSG Developer Portal (/developer/simulator/opsg/) for the interactive API console and reference.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/fredericktvf/opsg-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server