MCP for Flarum
This server gives MCP-compatible AI clients comprehensive access to a Flarum forum's API, along with documentation, development references, and optional extension management.
Forum Resource Management (Read)
List/browse resources (
flarum_list): Any Flarum resource collection (discussions, posts, users, tags, groups, etc.) with filtering, sorting, pagination, and relationship includesGet a single resource (
flarum_get): Fetch one resource by type and IDSearch discussions (
flarum_search): Full-text search across discussionsWhoami (
flarum_whoami): Check forum info and the current API key's user/permissions
Forum Resource Management (Write)
Create/update/delete resources (
flarum_create,flarum_update,flarum_delete): Full CRUD on any Flarum resource via JSON:API, including moderation actions (lock, sticky, approve, hide, change groups)Start a discussion (
flarum_create_discussion): Create a new thread with title, content, and optional tagsReply (
flarum_reply): Post a reply to an existing discussionRaw API request (
flarum_request): Make arbitrary HTTP requests to any endpoint, including custom extension routes
Official Documentation Tools
Search, list, and read Flarum 2.0 docs (
flarum_docs_search,flarum_docs_list,flarum_docs_get) — works without an API key, even in read-only mode
Extension Development Reference
Dev guide (
flarum_dev): Comprehensive reference for building Flarum 2.0 extensions — scaffolding, frontend (TypeScript), backend (API/models/migrations), i18n, testing, CI, releasing, and porting from 1.x
Troubleshooting Guide
flarum_troubleshoot: Plain-language guidance for admins on diagnosing issues, reading logs, common errors, and preparing support requests
Optional Extension Management (requires FLARUM_EXTENSIONS=1 and flarum/extension-manager)
Search Packagist, install, update, remove, enable, or disable extensions via Composer; supports dry-run and update checks
Key Constraints
Supports read-only mode (
FLARUM_MODE=read) to block all mutating operationsConfigurable via environment variables (URL, API key, user context, timeouts, HTTP transport)
Provides tools for searching Packagist for installable Flarum extensions, checking compatibility, installing, updating, removing, and managing extensions via Composer.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP for Flarumsearch for discussions about AI"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP for Flarum
A Model Context Protocol server for Flarum.
It gives any MCP-compatible AI client (Claude Code, Claude Desktop, Cursor, VS Code, Windsurf, Zed, and others) full access to a Flarum forum's API: read and search discussions and posts, create threads and replies, manage users, tags and groups, moderate content, change settings, and call any third-party extension endpoint.
Flarum's whole API is uniform JSON:API, so a small set of generic tools covers the entire surface, including extensions, rather than hundreds of hand-written ones.
Tools
Generic (full API coverage):
Tool | What it does |
| List/search any resource type with filters, includes, sort, pagination |
| Fetch one resource by type and id |
| Create any resource |
| Update any resource (also lock/sticky/approve for moderation) |
| Delete any resource |
| Raw escape hatch for any endpoint |
Convenience:
Tool | What it does |
| Forum info + the user the API key acts as |
| Full-text discussion search |
| Start a thread (title + content + optional tags) |
| Reply to a discussion |
Official docs (on by default):
Search and read Flarum's official 2.0 documentation so the AI can check how a setting, permission, extender, or REST endpoint is meant to work before acting. These read the public docs only (never your forum or its key), so they work in any mode, including read-only and with no API key. They read the live docs, so results always reflect the current 2.0 documentation. Turn them off with FLARUM_DOCS=0.
Tool | What it does |
| Search the 2.0 docs; returns ranked pages with snippets |
| Read a full docs page as Markdown (by slug, path, or URL) |
| List/browse the available 2.0 docs pages |
Extension development (on by default):
A development reference for building or reviewing a Flarum 2.0 extension: scaffolding and architecture, composer.json, the TypeScript frontend, backend (API resources/models/migrations), i18n, testing, static analysis & CI, and releasing. Combines the conventions the official docs establish, the de-facto FriendsOfFlarum standard, and patterns that prevent real production bugs. Static content, so it works in any mode, including read-only and with no API key. Turn it off with FLARUM_DEV=0.
Tool | What it does |
| Returns the extension-development reference; optional |
Extension management (opt-in, off by default):
Registered only when FLARUM_EXTENSIONS=1 and the forum has the official flarum/extension-manager installed. These drive Composer on the server, so they need an admin key and write mode. See Managing extensions.
Tool | What it does |
| Search Packagist for installable extensions, language packs, or themes |
| Dry-run compatibility check for a package (changes nothing) |
| Install an extension (optionally enable it after) |
| Update one extension ( |
| Uninstall an extension |
| Enable/disable an installed extension (no Composer; instant) |
| Check Packagist for available updates |
| Bulk update: |
| Read/set |
| List install/update job history and Composer output (poll async jobs) |
Managed hosting only (not available to self-hosters):
Two capabilities exist only on the Link Robins managed tier. They are gated on environment that only the hosting stack injects (DIAG_URL and SNAPSHOT_URL), and those point at Link Robins' own infrastructure: a self-hoster cannot set them to anything useful, so the diagnostic tools never register and the snapshot hook stays a no-op. Setting them by hand does nothing because there is no backend to answer.
Capability | Gate | What it does |
|
| Read-only troubleshooting of a managed forum (boot errors, post-update breakage, mail/queue failures) via the hosting control plane, which works even when Flarum won't boot. See docs/managed-troubleshooting.md. |
Pre-change snapshot |
| Best-effort restore point taken before the first write of a session. See |
Everything above this section (generic, convenience, docs, dev, and extension-management tools) is available to self-hosters. These two only activate when their hosting control-plane env vars (DIAG_URL / SNAPSHOT_URL) are set, which point at Link Robins' managed platform — so in practice they're managed-hosting-only, but nothing in the code is closed off. The MCP is MIT-licensed.
Related MCP server: discord-mcp-server
Configuration
Variable | Required | Description |
| yes | Your forum's base URL, e.g. |
| for writes / private data | A Flarum API key (from the |
| optional | Act as this user id when using a master API key |
| optional |
|
| optional |
|
| optional | On by default. Set |
| optional | On by default. Set |
| optional | Request timeout in ms (default 30000) |
| optional | Override the |
Behind Cloudflare or a WAF
Many Flarum forums sit behind Cloudflare. Some WAF configurations block requests whose User-Agent looks scripted or empty, returning Cloudflare error 1010 (browser_signature_banned) before the request ever reaches Flarum. The server sends a descriptive, identifiable User-Agent by default for exactly this reason, so the common case works out of the box.
If your forum still blocks it, allowlist the tool rather than loosening your firewall:
Allowlist the User-Agent. In Cloudflare, add a WAF rule like
User-Agent contains "mcp-for-flarum"→ Skip / Allow. The default UA ismcp-for-flarum/<version> (+https://github.com/linkrobins/mcp-for-flarum).Or allowlist the server IP (best for a hosted/single-source deployment).
Or set a custom UA with
FLARUM_USER_AGENTto match an existing allow rule.
Do not work around this by spoofing a browser User-Agent: it is fragile and makes the traffic impossible to allowlist or audit.
Getting an API key
Flarum has no admin UI for API keys yet. Create one directly in the database:
INSERT INTO api_keys (`key`, user_id, created_at)
VALUES (REPLACE(UUID(), '-', ''), 1, NOW());Use the resulting key as FLARUM_API_KEY. Setting user_id (or FLARUM_USER_ID) makes the key act as that user, so its permissions are exactly that user's permissions.
Managing extensions
Set FLARUM_EXTENSIONS=1 to let the AI install, update, remove, enable, and disable extensions. This is off by default because it runs Composer on your server and can change what code your forum runs, which is far more powerful than editing content. It requires all of:
The official
flarum/extension-managerinstalled and enabled on the forum.Write mode (not
FLARUM_MODE=read) and an API key whose user is an admin.A server that can actually run Composer: the PHP functions
proc_openandescapeshellargavailable, andvendor/,storage/,composer.json, andcomposer.lockwritable.
How long-running installs are reported depends on your forum's queue:
Background queue (Redis, database, etc. with a running worker): the call returns once the job finishes. The tools poll the manager's task list for you and return the Composer output. If no worker is consuming jobs, the call times out and says so rather than hanging.
Synchronous (
syncqueue, or the manager's "run jobs in background" setting off): the request blocks until Composer finishes and returns the result inline. Very large updates can hit PHP/gateway timeouts even though Composer keeps running.
flarum_ext_install does not enable the extension unless you pass enable: true. Use flarum_ext_why_not first to confirm a package is compatible with your Flarum version. For bulk or major updates, take a backup first.
Enabling can break a forum. The manager refuses to install an extension whose published Flarum compatibility doesn't match your version, but that check is best-effort: it reads the latest stable release's declared flarum/core constraint, is skipped when Packagist is unreachable or the package declares nothing, and the version Composer actually installs can differ from the one it checked. So an extension can pass the check and still fail to boot when enabled, taking the whole site down (every page, including the admin panel and this tool's own API, starts returning a 500). The manager cannot then disable it for you: recovery means removing the extension from the extensions_enabled setting in the database and composer remove-ing it by hand. This is why install does not auto-enable by default, and why a backup before enabling unfamiliar extensions is worth it.
Install & run
Self-host it with the official Docker image, or build it from source. (It is intentionally not published to npm.)
Option 1: Docker (recommended)
For a local Claude client (stdio):
docker run -i --rm \
-e FLARUM_URL=https://discuss.example.com \
-e FLARUM_API_KEY=xxxxx \
ghcr.io/linkrobins/mcp-for-flarumClaude Code:
claude mcp add flarum -- docker run -i --rm -e FLARUM_URL=https://discuss.example.com -e FLARUM_API_KEY=xxxxx ghcr.io/linkrobins/mcp-for-flarumClaude Desktop / Cursor / Windsurf (JSON config):
{
"mcpServers": {
"flarum": {
"command": "docker",
"args": ["run", "-i", "--rm", "-e", "FLARUM_URL", "-e", "FLARUM_API_KEY", "ghcr.io/linkrobins/mcp-for-flarum"],
"env": {
"FLARUM_URL": "https://discuss.example.com",
"FLARUM_API_KEY": "xxxxx"
}
}
}
}Option 2: From source (no Docker)
git clone https://github.com/linkrobins/mcp-for-flarum.git
cd mcp-for-flarum
npm install && npm run build
FLARUM_URL=https://discuss.example.com FLARUM_API_KEY=xxxxx node dist/index.jsThen point your client's command at node /absolute/path/to/mcp-for-flarum/dist/index.js.
Prefer not to run anything?
A managed, hosted version is offered by Link Robins, no install, no key management, and usable from web clients. See linkrobins.com.
Hosting (HTTP transport)
The same binary can run as a long-lived web service over Streamable HTTP, so you can host it instead of running it locally. This is what web-based clients (which can't spawn a local process) connect to.
Start in HTTP mode with --http (or MCP_TRANSPORT=http):
FLARUM_URL=https://discuss.example.com \
FLARUM_API_KEY=xxxxx \
MCP_AUTH_TOKEN=a-long-random-secret \
PORT=3000 \
node dist/index.js --httpIt serves:
POST /mcp, the MCP endpoint (Streamable HTTP, stateless)GET /health, health check for load balancers / uptime monitors
Hosting-specific configuration:
Variable | Default | Description |
|
| Set to |
|
| HTTP port |
|
| Bind address. Fails closed: it refuses to bind a non-localhost address unless |
| (none) | If set, requests must send |
| (none) | Optional managed-hosting hook. When set, the server fires a best-effort |
|
| Bearer token sent with the |
Security: a hosted instance can read, write, and delete on the forum its key targets. Always run it behind TLS, set
MCP_AUTH_TOKEN(or front it with your own auth/OAuth proxy), and give the API key's user the least privilege it needs. The Flarum API key stays server-side and is never exposed to clients.
Docker (hosted mode)
docker run -p 3000:3000 \
-e MCP_TRANSPORT=http \
-e HOST=0.0.0.0 \
-e FLARUM_URL=https://discuss.example.com \
-e FLARUM_API_KEY=xxxxx \
-e MCP_AUTH_TOKEN=a-long-random-secret \
ghcr.io/linkrobins/mcp-for-flarumHOST=0.0.0.0 is needed so the published port is reachable; the server only allows it because MCP_AUTH_TOKEN is set.
Or use the included docker-compose.yml: set your values and docker compose up -d.
Development
npm install
npm run build
FLARUM_URL=... FLARUM_API_KEY=... node dist/index.jsLicense
MIT © Link Robins. Free and open source — self-host it, modify it, and use it however you like.
Trademarks
Flarum is a trademark of the Flarum Foundation. This is an independent project that works with Flarum via its API; it is not affiliated with, endorsed by, or sponsored by the Flarum Foundation.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/karl-bullock/mcp-for-flarum'
If you have feedback or need assistance with the MCP directory API, please join our Discord server