Sitecore MCP Server: Connection to Any Sitecore Instance

Anton Tishchenko

The Sitecore Model Context Protocol server works with the existing Sitecore APIs: the GraphQL API, the Item Service API, and Sitecore PowerShell Remoting. It doesn't introduce anything extra, at least for now. That means you should be able to configure the Sitecore MCP server to work with any Sitecore instance, XM Cloud included. Below is a description of how to configure your instance to expose these API endpoints. Each of them is an authenticated entry point into your content tree (Item Service and SPE can also write to it), so open only what the server needs and use a dedicated account for it.

Certificates

The Sitecore MCP server is based on Node.js, and the Node.js fetch API validates HTTPS certificates strictly: the certificate must chain to a CA that Node.js trusts, so a self-signed certificate is not enough. Unfortunately, the Sitecore Portal may also generate a certificate that Node.js does not accept. I had this problem when deploying to the Sitecore Demo Portal (which is based on XM Cloud): the certificate was fine for the browser but not for Node.js. A common cause of exactly this symptom is an incomplete chain: a browser fetches a missing intermediate certificate on its own (via the certificate's AIA extension), while Node.js does not, so the same server passes in one and fails in the other.

There are two ways to solve it:

  1. Set the NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable. This disables certificate validation for every HTTPS connection the process makes, not only the Sitecore one. It is acceptable for a local instance, but against a remote instance it leaves you open to a man-in-the-middle attack: anyone on the network path can present any certificate and read or modify the traffic, including the credentials and API key the MCP server sends.
  2. Use the NODE_EXTRA_CA_CERTS environment variable to point Node.js at a PEM file of additional CA certificates to trust. Validation stays on. It works both for locally signed certificates (add your local root, or the self-signed certificate itself) and for remote servers whose chain Node.js cannot complete on its own (add the missing intermediate or root certificate).

GraphQL API

The Sitecore GraphQL configuration is less restrictive than the Item Service and SPE remoting. If something doesn't work, double-check your endpoint URL and your API key. No additional configuration on the Sitecore side is required for local, remote, or XM Cloud instances. The API key is a credential: keep it in the MCP server's environment rather than in a committed configuration file.

Item Service

If you are working on a local machine, the Item Service may not work. By default it refuses to log in over plain HTTP, and its default security policy (ServicesLocalOnlyPolicy) only answers requests that originate on the Sitecore server itself, which an MCP server running on your host or in another container does not. You can fix it for a local instance by adding this configuration patch:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <!-- Item Service requires https by default; for a local instance we disable this
           requirement. Do not ship this patch to a remote instance: over http the
           credentials travel in clear text. -->
      <setting name="Sitecore.Services.AllowToLoginWithHttp">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
      <!-- The default ServicesLocalOnlyPolicy only answers requests made from the Sitecore
           server itself. ServicesOnPolicy answers requests from any origin, so from here on
           the authorization of the account you use is all that protects the endpoint. -->
      <setting name="Sitecore.Services.SecurityPolicy">
        <patch:attribute name="value">Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy, Sitecore.Services.Infrastructure</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>

Sitecore PowerShell Remoting

There is official documentation on how to enable Sitecore PowerShell Remoting. However, it is a little outdated for Sitecore XM Cloud or a local instance based on the Sitecore XM Cloud images.

SITECORE_SPE_ELEVATION

Sitecore blocks SPE session elevation by default on XM Cloud, which means no script can run at all. The first thing we should do is allow it by setting the SITECORE_SPE_ELEVATION="Allow" environment variable. "Allow" removes the elevation step instead of asking for a confirmation or a password. Remoting needs that because nobody is there to answer a prompt, but it also applies to interactive SPE use on that instance, so treat SPE access there as fully unlocked from then on.

Login redirects

Sitecore added SSO for all services on the Sitecore Cloud Portal. If you are not logged in, you are redirected to the login page. That breaks the Item Service REST API authentication and the SPE remoting authentication: a client that expects JSON gets a redirect to an HTML login page instead. For some reason, Sitecore fixed it only for the Item Service. We need to apply the same approach for SPE by adding this configuration. Both lists below exempt the SPE paths from the SSO redirect; they do not bypass SPE's own authorization, which is configured in the next section and is what protects the endpoint from then on:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <httpRequestBegin>
        <processor type="Sitecore.Pipelines.HttpRequest.RequireAuthentication, Sitecore.Kernel" resolve="true">
          <IgnoreRules hint="list:AddIgnoreRule">
            <!-- Skip the SSO login redirect for the SPE paths; SPE's own authorization still applies. -->
            <prefix hint="spe">^\/sitecore\smodules\/PowerShell.*</prefix>
          </IgnoreRules>
        </processor>
      </httpRequestBegin>
      <owin.cookieAuthentication.validateIdentity>
        <processor type="Sitecore.Owin.Authentication.Pipelines.CookieAuthentication.ValidateIdentity.ValidateSiteNeutralPaths, Sitecore.Owin.Authentication">
          <siteNeutralPaths hint="list">
            <!-- This entry corrects the infinite loop of ExecuteCommand in the SPE Console -->
            <path hint="spe 1">/sitecore%20modules/PowerShell</path>
            <path hint="spe 2">/sitecore modules/PowerShell</path>
            <path hint="spe 3">/-/script/</path>
          </siteNeutralPaths>
        </processor>
      </owin.cookieAuthentication.validateIdentity>
    </pipelines>
  </sitecore>
</configuration>

Enable Sitecore PowerShell Remoting

Now we can enable the Sitecore PowerShell Remoting services and authorize the user the MCP server will log in as. The user name sitecore\ai below is an example; create a dedicated account for the MCP server with the minimum roles it needs, because whatever that account may do in Sitecore, the agent may do too. Each service you enable is another authenticated entry point, so enable only the ones you actually use; the patch below enables all of them.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <powershell>
      <services>
        <!-- sitecore\ai is an example account; use the dedicated MCP server user you created. -->
        <restfulv1>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </restfulv1>
        <restfulv2>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </restfulv2>
        <remoting>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </remoting>
        <fileDownload>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </fileDownload>
        <fileUpload>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </fileUpload>
        <mediaDownload>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </mediaDownload>
        <mediaUpload>
          <patch:attribute name="enabled">true</patch:attribute>
          <authorization>
            <add Permission="Allow" IdentityType="User" Identity="sitecore\ai" />
          </authorization>
        </mediaUpload>
      </services>
    </powershell>
  </sitecore>
</configuration>

There is an easy way to check the Sitecore PowerShell configuration. Start PowerShell ISE locally (on your machine, not on the Sitecore server), connect to Sitecore through the SPE Remoting module with the credentials of the account you authorized above (authorization is per user, so test with the MCP server's account rather than an admin), and run a command. If the command runs, it will work for the Sitecore MCP server as well. If you see an error, something is still missing.

Conclusion

Now you know how to allow connections to the Sitecore Item Service, GraphQL, and the SPE remoting endpoint. That lets the Sitecore MCP server connect to any Sitecore instance: local, remote, or XM Cloud. If you need any extra help adding it to your agentic workflow, feel free to contact us!