SezzleOps MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SezzleOps MCPReconcile the latest settlement and show mismatches"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Sezzle Merchant MCP
An unofficial, experimental, security-focused Model Context Protocol server for safe Sezzle merchant operations, settlement reconciliation, webhook monitoring, and integration diagnostics.
This project is unofficial and is not affiliated with, endorsed by, or maintained by Sezzle.
No Sezzle logos are used. Sezzle trademarks belong to their respective owner.
Project maturity
This project is an unofficial, experimental integration.
Its deterministic business logic, permission model, mutation guards, and mocked API integration are tested. However, the Sezzle API adapter has not yet been validated with real merchant sandbox credentials.
Do not enable production financial mutations until the sandbox validation checklist has been completed.
Production-oriented and security-focused design does not mean production readiness. Live Sezzle sandbox validation is still required before production use.
Analyze today’s Sezzle orders, identify uncaptured authorizations and refund mismatches, reconcile the latest settlement, inspect webhook health, and prepare safe actions without executing anything until I approve them.
Sezzle Merchant MCP is not a thin API wrapper. It adds deterministic money validation, mutation previews, explicit approval gates, permission-based tool registration, reconciliation evidence, webhook correlation, Integration Doctor findings, secure support routing, and redacted audit records around the documented Sezzle merchant API.
Related MCP server: safe-oas2mcp
Features
Sandbox-first startup with read-only mode enabled by default.
Documented Sezzle v2 merchant API adapter with in-memory token renewal.
Capture, refund, release, session, reference, checkout, and webhook mutation previews.
Literal
confirm: true, expiring preview binding, fresh-state validation, and idempotency.Integer minor-unit money and
bigintarithmetic; no floating-point financial calculations.Lossless parsing of settlement decimals and four-decimal interest-account values.
Deterministic settlement matching, duplicate suppression, mismatch detection, expected payout, confidence, and evidence.
Raw-byte HMAC-SHA256 webhook verification before parsing, idempotent ingestion, and occurrence-time timelines.
Stable-code Integration Doctor findings and go-live checklists.
PII-minimized support policy tools with merchant-reference ownership verification.
Structured JSON logs to stderr, redacted resources, and durable audit metadata.
MCP stdio and stateless Streamable HTTP transports.
Memory and SQLite storage, Docker, Compose, CI, Dependabot, ESLint, Prettier, and Vitest.
Architecture
flowchart LR
Client[MCP client] --> Transport[stdio or Streamable HTTP]
Transport --> Registry[Permission-filtered MCP registry]
Registry --> Services[Operation services]
Services --> Guards[Preview, confirmation, ownership, idempotency]
Services --> Domain[Money, reconciliation, diagnostics, support policy]
Services --> API[Versioned Sezzle v2 adapter]
API --> Auth[In-memory token manager]
API --> HTTP[Timeout, retry, concurrency, correlation]
HTTP --> Sezzle[Documented Sezzle merchant API]
Services --> Storage[Memory or SQLite]
Storage --> Audit[Redacted audit evidence]
Storage --> Events[Verified webhook event timeline]MCP registration is intentionally thin. Services own workflows, domain modules own deterministic calculations, API modules own paths and wire schemas, and storage modules own previews, idempotency, audit events, and webhook records. See ARCHITECTURE.md for design decisions and documented API ambiguities.
Safety Model
The default configuration is:
SEZZLE_ENV=sandbox
SEZZLE_READ_ONLY=true
SEZZLE_REQUIRE_CONFIRMATION=true
SEZZLE_PERMISSION_PROFILE=read
MCP_TRANSPORT=stdioMutation tools are not registered while SEZZLE_READ_ONLY=true. They are absent from tools/list; they do not remain visible and return permission errors.
Financial and high-impact operations use two steps:
Call the preview tool, or call a combined mutation tool with
confirm: false.Review current state, requested change, financial impact, validation, warnings, expiry, and audit ID.
Repeat the unchanged request with the returned
preview_idand literalconfirm: true.
Execution fails if the preview expired, was already used, belongs to another merchant/target/environment, has a different request hash, or current state changed. The model cannot infer confirmation from natural language.
Example capture:
{
"tool": "sezzle_preview_capture",
"arguments": {
"order_uuid": "order-uuid",
"amount": { "amount_in_cents": 2500, "currency": "USD" }
}
}After reviewing the preview:
{
"tool": "sezzle_capture_order",
"arguments": {
"order_uuid": "order-uuid",
"amount": { "amount_in_cents": 2500, "currency": "USD" },
"preview_id": "preview-from-first-call",
"confirm": true
}
}Successful execution is reported only after a successful Sezzle API response. Reauthorization additionally requires authorization.approved === true; HTTP 200 alone is not treated as approval.
Supported Tools
The generated tool inventory currently verifies 55 tools, 6 resources, and 5 prompts. The active permission profile and read-only setting determine which tools are registered.
Authentication, sessions, and orders
sezzle_authenticate_merchantsezzle_get_merchant_contextsezzle_create_payment_sessionsezzle_get_payment_sessionsezzle_cancel_active_checkoutsezzle_get_ordersezzle_update_order_referencesezzle_preview_capturesezzle_capture_ordersezzle_preview_refundsezzle_refund_ordersezzle_preview_release_authorizationsezzle_release_authorizationsezzle_reauthorize_order
Settlements, reports, and reconciliation
sezzle_list_settlement_summariessezzle_get_settlement_detailssezzle_get_order_reportsezzle_get_interest_balancesezzle_get_interest_activitysezzle_reconcile_settlementsezzle_find_unmatched_orderssezzle_detect_refund_mismatchessezzle_detect_capture_mismatchessezzle_detect_fee_anomaliessezzle_explain_payout_differencesezzle_generate_finance_daily_brief
Webhooks
sezzle_list_webhookssezzle_create_webhooksezzle_update_webhooksezzle_delete_webhooksezzle_send_test_webhooksezzle_verify_webhook_signaturesezzle_ingest_webhook_eventsezzle_list_webhook_eventssezzle_get_webhook_eventsezzle_inspect_webhook_healthsezzle_find_missing_order_eventssezzle_detect_out_of_order_eventssezzle_detect_duplicate_webhook_events
Integration Doctor
sezzle_diagnose_integrationsezzle_validate_session_payloadsezzle_validate_redirect_urlssezzle_audit_auth_capture_flowsezzle_detect_stuck_authorizationssezzle_detect_uncaptured_orderssezzle_detect_duplicate_refundssezzle_test_webhook_configurationsezzle_generate_go_live_checklist
Support and audit
sezzle_explain_order_status_for_supportsezzle_classify_support_requestsezzle_draft_customer_responsesezzle_determine_safe_support_routesezzle_identify_required_escalationsezzle_list_audit_eventssezzle_get_audit_event
Permission Profiles
Set SEZZLE_PERMISSION_PROFILE to one profile:
Profile | Registered capabilities |
| Auth context, sessions, orders, settlements, reports, and Integration Doctor |
| Read capabilities plus capture/refund/release/session/order previews, reconciliation, and write tools when enabled |
| Subscription management, signature verification, ingestion, timelines, and health |
| Five isolated support tools; raw order read tools are not registered |
| All capabilities and audit inspection |
read is the default. Read-only mode independently removes every mutation tool from any profile.
Installation
Requirements:
Node.js 20 or later
npm
A Sezzle sandbox merchant account for API-backed testing
git clone https://github.com/onatozmenn/sezzle-merchant-mcp.git
cd sezzle-merchant-mcp
npm ci
npm run build
npm run inspect-toolsAvailable scripts:
npm run dev
npm run build
npm run start
npm run test
npm run test:watch
npm run test:coverage
npm run lint
npm run typecheck
npm run format
npm run format:check
npm run inspect-tools
npm run docker:build
npm run docker:runSandbox Setup
Create or obtain a Sezzle sandbox merchant account.
Generate sandbox API keys in the sandbox Merchant Dashboard.
Copy
.env.exampleto.env.Keep
SEZZLE_ENV=sandbox,SEZZLE_READ_ONLY=true, andSEZZLE_PERMISSION_PROFILE=readinitially.Set
SEZZLE_MERCHANT_UUID,SEZZLE_API_KEY, andSEZZLE_API_SECRET.Build and connect an MCP client.
Validate authentication, read tools, Integration Doctor, and previews before enabling writes.
The default base URL is https://sandbox.gateway.sezzle.com. A custom loopback HTTP base URL is accepted only for mock integration tests.
Production Setup
Production is fail-closed. It requires all of:
SEZZLE_ENV=production
SEZZLE_API_BASE_URL=https://gateway.sezzle.com
SEZZLE_MERCHANT_UUID=your-production-merchant-uuid
SEZZLE_API_KEY=your-production-public-key
SEZZLE_API_SECRET=your-production-private-key
SEZZLE_READ_ONLY=true
SEZZLE_REQUIRE_CONFIRMATION=trueThe authenticated merchant UUID must match SEZZLE_MERCHANT_UUID. Run the go-live checklist in read-only mode first. Enable an appropriate permission profile, then set SEZZLE_READ_ONLY=false only after review. Unsafe write mode with SEZZLE_REQUIRE_CONFIRMATION=false is rejected at startup.
Use a secret manager, encrypted SQLite storage, TLS termination, transport authentication, restrictive host/origin allowlists, monitoring, and backup/retention controls. Do not place production secrets in MCP client JSON committed to source control.
Claude Desktop
Build the server, then add it to the Claude Desktop MCP configuration. Use an absolute path:
{
"mcpServers": {
"sezzle-ops": {
"command": "node",
"args": ["C:\\absolute\\path\\to\\sezzle-merchant-mcp\\dist\\index.js"],
"env": {
"SEZZLE_ENV": "sandbox",
"SEZZLE_READ_ONLY": "true",
"SEZZLE_PERMISSION_PROFILE": "read"
}
}
}
}Inject credentials through the operating system or a secret-aware launcher rather than checking them into configuration files.
Claude Code
Create a project-local .mcp.json that is excluded from source control when it contains credentials:
{
"mcpServers": {
"sezzle-ops": {
"type": "stdio",
"command": "node",
"args": ["/absolute/path/to/sezzle-merchant-mcp/dist/index.js"],
"env": {
"SEZZLE_ENV": "sandbox",
"SEZZLE_READ_ONLY": "true",
"SEZZLE_PERMISSION_PROFILE": "read"
}
}
}
}Restart the MCP session after changing environment variables.
Cursor
Add the same stdio definition to Cursor's MCP configuration:
{
"mcpServers": {
"sezzle-ops": {
"command": "node",
"args": ["/absolute/path/to/sezzle-merchant-mcp/dist/index.js"],
"env": {
"SEZZLE_ENV": "sandbox",
"SEZZLE_READ_ONLY": "true",
"SEZZLE_PERMISSION_PROFILE": "read"
}
}
}
}For VS Code, add the same stdio definition to your local user or workspace MCP settings after npm run build. Editor-local .vscode/ configuration is intentionally excluded from the public repository.
HTTP Transport
Enable stateless Streamable HTTP:
MCP_TRANSPORT=http
MCP_HTTP_HOST=127.0.0.1
MCP_HTTP_PORT=3000The MCP endpoint is http://127.0.0.1:3000/mcp; health is GET /health. Browser origins are rejected unless loopback or listed in MCP_HTTP_ALLOWED_ORIGINS.
Every non-loopback bind requires both:
MCP_HTTP_AUTH_TOKEN=a-long-random-transport-token
MCP_HTTP_ALLOWED_HOSTS=mcp.example.com
MCP_HTTP_ALLOWED_ORIGINS=https://trusted-client.exampleTerminate TLS at a trusted reverse proxy and send Authorization: Bearer <token>. /health is intentionally unauthenticated and contains no merchant state. HTTP request bodies are limited to 1 MB; webhook ingestion tool inputs are additionally schema-limited.
Docker
Build and run stdio:
npm run docker:build
npm run docker:runFor HTTP plus persistent SQLite, set MCP_HTTP_AUTH_TOKEN in .env and run:
docker compose up --buildCompose uses a non-root image, read-only root filesystem, dropped capabilities, a dedicated SQLite volume, and a health check.
Example Workflows
Daily operations review
Read
sezzle://config,sezzle://permissions, andsezzle://capabilities.Authenticate and verify the merchant/environment.
Fetch scoped order/report evidence.
Run
sezzle_detect_uncaptured_orders, reconciliation, and webhook health checks.Prepare capture/refund/release previews.
Present audit IDs, warnings, and expected financial impact.
Stop without executing unless the user separately approves a specific preview.
Refund workflow
Call
sezzle_preview_refundwith an integer minor-unit amount.Confirm the current captured, refunded, and remaining-refundable amounts.
Resolve warnings or validation failures.
Call
sezzle_refund_orderwith the unchanged request,preview_id, andconfirm: true.Treat the returned transaction UUID and request ID as API evidence.
Webhook Setup
Sezzle documents HMAC-SHA256 over the exact raw webhook body using the merchant signing secret. Configure the value separately:
SEZZLE_WEBHOOK_SECRET=your-signing-secretUse sezzle_create_webhook in write-enabled webhooks or admin mode. It previews URL/event-set changes before confirmation.
For ingestion:
Preserve the exact request bytes as a UTF-8 string.
Pass the exact raw body and
Sezzle-Signaturevalue tosezzle_verify_webhook_signature.Call
sezzle_ingest_webhook_eventwith literalconfirm: trueonly after verification policy allows storage.Invalid signatures are rejected before JSON parsing.
Event UUID and payload hash deduplicate repeated delivery.
Timelines order by
occurredAt, not receipt order.
Public event tools return metadata and correlation IDs, not raw bodies. SQLite preserves verified raw bodies because correlation and forensic requirements depend on them; protect and retain that database as merchant-sensitive data.
Reconciliation Example
Reconciliation accepts merchant orders and normalized settlement line items as structured input. Amounts are integer cents:
{
"input": {
"currency": "USD",
"merchant_orders": [
{
"record_id": "merchant-1001",
"order_reference": "order_1001",
"sezzle_order_uuid": "sezzle-order-uuid",
"currency": "USD",
"order_amount_in_cents": 10000,
"captured_amount_in_cents": 8000,
"refunded_amount_in_cents": 1000,
"expected_fee_in_cents": 480
}
],
"sezzle_records": [
{
"record_id": "capture-row-1",
"type": "CAPTURE",
"order_uuid": "sezzle-order-uuid",
"external_reference_id": "order_1001",
"amount_in_cents": 8000,
"currency": "USD"
}
],
"actual_settlement": { "amount_in_cents": 6520, "currency": "USD" },
"fee_tolerance_in_cents": 0
}
}Every result includes summary, matched, unmatchedMerchantRecords, unmatchedSezzleRecords, amountMismatches, feeAnomalies, confidence, and evidence. Duplicate rows are excluded before payout arithmetic. Currency conversion is never inferred.
Integration Doctor Example
{
"input": {
"now": "2026-07-16T12:00:00Z",
"configured_environment": "sandbox",
"credential_environment": "sandbox",
"api_base_url": "https://sandbox.gateway.sezzle.com",
"orders": [],
"webhooks": {
"subscribed_events": ["order.authorized"],
"required_events": ["order.authorized", "order.captured"],
"invalid_signature_count": 0,
"missing_events": [],
"out_of_order_count": 0
}
}
}Findings contain stable code, severity, title, explanation, evidence, recommendedAction, and safeToAutomate: false. The engine reports evidence; it does not execute repairs.
MCP Resources
sezzle://configsezzle://permissionssezzle://capabilitiessezzle://diagnostic-codessezzle://audit-summary(adminonly)sezzle://webhook-health(webhooksoradmin)
Resources never expose API keys, secrets, bearer tokens, signatures, raw webhook bodies, or customer records.
MCP Prompts
sezzle_daily_operations_reviewsezzle_settlement_reconciliationsezzle_integration_go_live_reviewsezzle_webhook_incident_investigationsezzle_support_case_review
Prompts are profile-aware and direct the model to collect evidence before interpretation, use deterministic arithmetic, distinguish facts from recommendations, prepare previews, and avoid unsupported success claims.
Security Considerations
Never log or commit API keys, bearer tokens, webhook signatures, raw payloads, customer PII, or payment details.
Tokens remain in memory and are refreshed before the documented expiry. A 401 triggers one reacquisition; a mutation is replayed only when it carries documented idempotency.
Safe GETs respect timeouts, exponential backoff,
Retry-After, and concurrency limits.Webhook subscription/session/reference mutations are not retried automatically because their endpoints do not document idempotency.
Settlement JSON decimals use a lossless parser. CSV decimals are converted from text directly to scaled integers.
Support order access requires authenticated merchant access and a matching merchant reference. Returned order projections exclude customer fields.
SQLite preserves raw verified webhook bodies. Use encrypted storage, strict access, backups, and retention controls.
Remote HTTP requires transport authentication, allowed hosts, TLS termination, and network controls.
Review SECURITY.md before production deployment.
Known Limitations
GET /v2/orders/reportis available by request only and supports a maximum seven-day range.Interest endpoints require enrollment in Sezzle's interest account program.
Settlement details are CSV; schema changes by Sezzle may require adapter updates.
The Sezzle documentation currently links to
https://gateway.sezzle.com/v2api.yaml, which returns 404. This project uses the publishedhttps://docs.sezzle.com/openapi.yaml.Authorization event examples and their component schema use two documented shapes; the adapter supports those two shapes only.
The upcharge API is marked in development and not available for production, so it is intentionally not exposed.
No documented endpoint lists arbitrary current merchant orders. Integration Doctor and reconciliation accept scoped structured records rather than scraping a dashboard.
The order report API includes customer fields; Sezzle Merchant MCP removes them from its normalized response.
Streamable HTTP is stateless. Durable workflow state belongs in SQLite; multi-node shared storage is not implemented.
SQLite data is not application-level encrypted. Use encrypted disks/volumes and platform access controls.
OAuth is not bundled. Remote deployments use a configured bearer token and should sit behind a production identity-aware reverse proxy.
Support drafting is deterministic policy templating, not an embedded LLM. The MCP client may use the returned facts/policy to assist drafting.
Roadmap
Shared transactional storage for multi-node HTTP deployments.
Pluggable secret-manager and encrypted-record integrations.
Configurable webhook retention and deletion policies.
OAuth/OIDC deployment adapter for remote MCP clients.
OpenAPI contract drift automation against published Sezzle specifications.
Additional reconciliation import adapters that preserve deterministic core types.
Source of Truth
Sezzle documentation index: https://docs.sezzle.com/llms.txt
Sezzle OpenAPI specification: https://docs.sezzle.com/openapi.yaml
MCP TypeScript SDK v1 documentation: https://ts.sdk.modelcontextprotocol.io/
MCP TypeScript SDK v1 source: https://github.com/modelcontextprotocol/typescript-sdk/tree/v1.x
No endpoint absent from the published Sezzle OpenAPI specification is intentionally exposed.
License
MIT. See LICENSE.
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/onatozmenn/sezzle-merchant-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server