auth_whoami
Identify the currently authenticated admin user in your Magento session. Returns user details for session verification.
Instructions
Return current admin user info for the active session.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| params | No | Action parameters as a JSON object | |
Implementation Reference
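- src/actions/auth.ts:98-124 (handler) The auth.whoami tool handler: returns current admin user info for the active session. It calls the Magento API endpoint /V1/users/me, falling back to returning username, base_url, and default_scope from session context if the API call fails. The catch is unconditional, so any error thrown by the call produces the fallback, and a response in that shape reflects locally stored session data rather than an answer from Magento.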
```typescript
  name: 'auth.whoami',
  description: 'Return current admin user info for the active session.',
  riskTier: RiskTier.Safe,
  requiresAuth: true,
  handler: async (_params: Record<string, unknown>, context: ActionContext) => {
    const token = context.getToken();
    const baseUrl = context.getBaseUrl();
    if (!token || !baseUrl) {
      return { error: { code: ErrorCodes.NOT_AUTHENTICATED, message: 'No active session' } };
    }

    // Try to get current admin user info from Magento
    try {
      const client = context.getClient();
      const userInfo = await client.get('/V1/users/me');
      return userInfo;
    } catch {
      // If the endpoint isn't available, return what we know
      return {
        username: context.username,
        base_url: baseUrl,
        default_scope: context.getDefaultScope(),
      };
    }
  },
},
```

- src/index.ts:51-61 (registration) The auth.whoami tool is registered via createAuthActions(sessionStore) which returns an array of ActionDefinitions including auth.whoami. In index.ts, all actions are iterated and registered as MCP tools using mcpServer.tool(), with dots replaced by underscores (auth.whoami -> auth_whoami).
```typescript
const allActions: ActionDefinition[] = [
  ...createAuthActions(sessionStore),
  ...createScopeActions(sessionStore),
  ...createPromotionsActions(planStore, guardrails, config),
  ...createCatalogActions(planStore, guardrails, idempotencyLedger, config),
  ...createPricingActions(planStore, guardrails, idempotencyLedger, config),
  ...createCmsActions(planStore, guardrails, config),
  ...createSeoActions(planStore, guardrails, config),
  ...createDiagnosticsActions(),
  ...createCacheActions(guardrails, config),
];
```

- src/index.ts:75-159 (registration) Each ActionDefinition is registered as an MCP tool with name conversion (dots to underscores), description, schema, and a wrapper handler that checks auth, builds ActionContext, executes the handler, and audits results.
```typescript
// Register each action as an MCP tool
for (const action of allActions) {
  // Convert dots to underscores for MCP tool names (e.g. "auth.login" -> "auth_login")
  const toolName = action.name.replace(/\./g, '_');

  mcpServer.tool(
    toolName,
    action.description,
    { params: z.record(z.unknown()).optional().describe('Action parameters as a JSON object') },
    async (args) => {
      const params = (args.params || {}) as Record<string, unknown>;

      // Check authentication
      if (action.requiresAuth) {
        const token = sessionStore.getToken(sessionId);
        if (!token) {
          return {
            content: [{ type: 'text' as const, text: JSON.stringify({ error: { code: 'NOT_AUTHENTICATED', message: 'Not authenticated. Call auth_login first.' } }, null, 2) }],
            isError: true,
          };
        }
      }

      // Build action context
      const context: ActionContext = {
        sessionId,
        getToken: () => sessionStore.getToken(sessionId),
        getBaseUrl: () => sessionStore.getBaseUrl(sessionId),
        getDefaultScope: () => sessionStore.getDefaultScope(sessionId),
        getOAuthCredentials: () => sessionStore.getOAuthCredentials(sessionId),
        getClient: () => {
          const baseUrl = sessionStore.getBaseUrl(sessionId);
          const token = sessionStore.getToken(sessionId);
          if (!baseUrl) throw new Error('No active session');
          const client = new MagentoRestClient(baseUrl, token);
          const oauth = sessionStore.getOAuthCredentials(sessionId);
          if (oauth) client.setOAuth(oauth);
          return client;
        },
        username: sessionStore.getUsername(sessionId),
      };

      try {
        const result = await action.handler(params, context);

        // Audit log
        const auditRecord: AuditRecord = {
          timestamp: new Date().toISOString(),
          username: context.username,
          action: action.name,
          scope: context.getDefaultScope(),
          params,
          result_summary: summarizeResult(result),
          plan_id: (params['plan_id'] as string) || null,
          reason: (params['reason'] as string) || null,
        };
        auditLogger.log(auditRecord);

        return {
          content: [{ type: 'text' as const, text: JSON.stringify(result, null, 2) }],
        };
      } catch (err) {
        const errorMessage = err instanceof Error ? err.message : String(err);

        // Audit the error
        const auditRecord: AuditRecord = {
          timestamp: new Date().toISOString(),
          username: context.username,
          action: action.name,
          scope: null,
          params,
          result_summary: `ERROR: ${errorMessage}`,
          plan_id: null,
          reason: null,
        };
        auditLogger.log(auditRecord);

        return {
          content: [{ type: 'text' as const, text: JSON.stringify({ error: errorMessage }, null, 2) }],
          isError: true,
        };
      }
    },
  );
}
```

- src/protocol/types.ts:62-126 (helper) The ActionDefinition interface and ActionContext interface used by auth.whoami. ActionDefinition defines the shape of a tool handler, and ActionContext provides the methods (getToken, getBaseUrl, getClient, etc.) used by the whoami handler.
```typescript
export interface ActionDefinition {
  name: string;
  description: string;
  riskTier: RiskTier;
  requiresAuth: boolean;
  inputSchema?: Record<string, unknown>;
  handler: (params: Record<string, unknown>, context: ActionContext) => Promise<unknown>;
}

// ── Action Context (passed to every handler) ────────────────────────────────
export interface ActionContext {
  sessionId: string;
  getToken: () => string | null;
  getBaseUrl: () => string | null;
  getDefaultScope: () => StoreScope | null;
  getOAuthCredentials: () => import('../client/magentoRest').OAuthCredentials | null;
  getClient: () => import('../client/magentoRest').MagentoRestClient;
  username: string | null;
}

// ── Store / Scope ───────────────────────────────────────────────────────────
export interface StoreScope {
  website_code?: string;
  store_code?: string;
  store_view_code?: string;
  scope?: 'global';
}

// ── Audit Record ────────────────────────────────────────────────────────────
export interface AuditRecord {
  timestamp: string;
  username: string | null;
  action: string;
  scope: StoreScope | null;
  params: Record<string, unknown>;
  result_summary: string;
  plan_id: string | null;
  reason: string | null;
}

// ── Plan (for two-phase commit) ─────────────────────────────────────────────
export interface BulkPlan {
  plan_id: string;
  action: string;
  created_at: string;
  expires_at: string;
  payload: unknown;
  affected_count: number;
  sample_diffs?: unknown[];
  warnings?: string[];
}

// ── Idempotency ─────────────────────────────────────────────────────────────
export interface IdempotencyEntry {
  key: string;
  action: string;
  created_at: string;
  result_summary: string;
}
```

- src/validation/schemas.ts:35-39 (schema) AuthLoginSchema used by auth.login, but auth.whoami has no dedicated input schema since it takes no parameters (the handler uses only the context).
```typescript
export const AuthLoginSchema = z.object({
  base_url: z.string().url('base_url must be a valid URL').optional(),
  username: z.string().min(1).optional(),
  password: z.string().min(1).optional(),
});
```
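
The registration wrapper in src/index.ts copies `params` into every AuditRecord unchanged, and the same loop registers auth.login, whose schema includes `password`. Whether auditLogger masks such fields is not shown on this page; the following is an added example (not the project's code) of masking them before the record is built. `redactParams`, `buildAuditRecord`, and the key pattern are hypothetical names and assumptions.

```typescript
// Added example (not project code). The interface is a subset of the
// AuditRecord quoted on this page; all function names are hypothetical.
type Params = Record<string, unknown>;

interface AuditRecord {
  timestamp: string;
  username: string | null;
  action: string;
  params: Params;
  result_summary: string;
}

// "password" comes from AuthLoginSchema; the other patterns are assumed
// credential-like key names, not taken from the project.
const SENSITIVE_KEY = /password|secret|token|credential/i;
const REDACTED = '[REDACTED]';
const MAX_DEPTH = 8; // stops runaway recursion on deep or cyclic input

// Return a copy of `value` with sensitive properties masked at any depth.
function redactValue(value: unknown, depth: number): unknown {
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  if (Array.isArray(value)) {
    return value.map((item) => redactValue(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const source = value as Params;
    const copy: Params = {};
    for (const key of Object.keys(source)) {
      copy[key] = SENSITIVE_KEY.test(key) ? REDACTED : redactValue(source[key], depth + 1);
    }
    return copy;
  }
  return value; // primitives pass through unchanged
}

function redactParams(params: Params): Params {
  return redactValue(params, 0) as Params;
}

// Build the record the wrapper would log, with params masked first.
function buildAuditRecord(username: string | null, action: string,
                          params: Params, summary: string): AuditRecord {
  return { timestamp: new Date().toISOString(), username, action,
           params: redactParams(params), result_summary: summary };
}

// Constructed sample: an auth.login call as the wrapper would receive it.
const sample = buildAuditRecord('admin', 'auth.login',
  { username: 'admin', password: 'constructed-value' }, 'ok');
console.log(JSON.stringify(sample.params));
```

The same masking would apply to the error branch, which logs `params` alongside `ERROR: ${errorMessage}`.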