orderdesk-mcp by ebabcock80 - MCP Server

OrderDesk MCP Server

A native Model Context Protocol (MCP) server for OrderDesk integration with AI assistants like Claude Desktop and ChatGPT. Features HTTP MCP endpoint for remote connections, professional web admin interface, smart order merge workflow with deduplication, and comprehensive production monitoring.

Status: ✅ Production-Ready with HTTP MCP + WebUI | CI: 🟢 All Checks Passing | Tests: 110/110 (100%)

🚀 Features

Core MCP Features

HTTP MCP Endpoint: Remote access via /mcp POST endpoint - connect from Claude Desktop, ChatGPT, or any MCP client
Native MCP Protocol: Full protocol support (initialize, tools/list, tools/call, prompts/list, resources/list, notifications)
Smart Order Updates: Fetch → Merge → Upload workflow with deduplication prevents data loss
Multi-Tenant Architecture: Secure tenant isolation with encrypted credentials
Advanced Order Filtering: 20+ search parameters (folder, customer, dates, email, etc.)
Store Config Caching: Auto-fetch and cache OrderDesk folders and settings
Comprehensive API Coverage: Orders, products, stores with full CRUD operations
Docker Ready: Multi-stage Docker build with health checks and persistent storage
npx mcp-remote Compatible: Easy setup with npx -y mcp-remote http://your-server.com/mcp?token=YOUR_KEY

🎨 WebUI Admin Interface (Phase 5) ⭐

Professional Dashboard: Visual overview of stores, API status, and quick actions
Store Management: Full CRUD operations for OrderDesk store registrations
Interactive API Console: Test all 13 MCP tools directly from your browser
Secure Authentication: JWT sessions with master key login
Mobile Responsive: Works on desktop, tablet, and mobile
Real-time Feedback: Instant response display with syntax highlighting
Request History: Track your last 10 API requests
Settings Page: View configuration and system information

👥 NEW: User Management + Optional Public Signup (Phase 6) ⭐

User Management: Master key holders can view and manage all users
Activity Tracking: Monitor user logins, activity, and store usage
Cascade Delete: Remove users and ALL their data (stores, audit logs, sessions)
Optional Public Signup: Enable/disable public registration with ENABLE_PUBLIC_SIGNUP
Email Verification: Secure signup flow with magic link verification
Master Key Generation: Cryptographically secure keys (64-char URL-safe)
One-Time Display: Master key shown once with copy/download options
Rate Limiting: 3 signups per hour per IP (configurable)
Self-Service: Users can sign up, verify email, and get their master key automatically

Access the WebUI: Set ENABLE_WEBUI=true in .env and visit http://localhost:8000/webui

🛠️ Implemented MCP Tools (11 Total)

v0.1.0-alpha includes 11 fully functional MCP tools accessible via HTTP MCP endpoint:

Tenant & Store Management (6 Tools)

tenant_use_master_key - Authenticate with master key (auto-provision support)
stores_register - Register OrderDesk store with encrypted credentials
stores_list - List all stores for authenticated tenant
stores_use_store - Set active store for session context
stores_delete - Remove store registration
stores_resolve - Debug tool for store lookup by ID or name

Order Operations (3 Tools)

orders_list - List orders with advanced filtering (20+ parameters, 15s cache)
orders_get - Fetch single order by ID (15s cache)
orders_update - Update order with smart merge workflow, deduplication, and automatic retry (5 attempts on conflict)

Product Operations (2 Tools)

products_list - List products with search and pagination (60s cache)
products_get - Fetch single product by ID (60s cache)

HTTP MCP Endpoint Features

Authentication: Via Authorization: Bearer TOKEN header or ?token=TOKEN query parameter
Remote Access: Connect from Claude Desktop, ChatGPT, or any MCP client using npx mcp-remote
Copy-Paste Setup: WebUI Settings page generates ready-to-use configuration
Smart Deduplication: Prevents duplicate notes when updating orders
Full Protocol Support: initialize, tools/list, tools/call, prompts/list, resources/list, notifications

Coming in Future Phases

Enhanced order operations (create, delete) - Currently via API
Customer operations (Phase 8+)
Folder operations (Phase 8+)
Reports and analytics (Phase 8+)

✅ CI/CD Status

All GitHub Actions Checks Passing: 🟢

Check	Status	Details
Lint & Format	✅ Passing	ruff + black (0 errors)
Type Check	✅ Passing	mypy (0 errors)
Unit Tests	✅ Passing	110/110 tests (100%)
Coverage	✅ Passing	>80% (threshold: 55%)
Docker Build	✅ Passing	Multi-stage build successful
MCP Endpoints	✅ Passing	9/9 integration tests

View Results: GitHub Actions

Quality Metrics:

🎯 100% test pass rate (110/110 unit tests, 9/9 MCP endpoint tests)
🎯 0 linting errors (ruff + black)
🎯 0 type errors (mypy with Python 3.12)
🎯 0 Pydantic warnings (V2 ready)
🎯 >80% code coverage (exceeds 55% threshold)
🎯 Production-ready with HTTP MCP + WebUI
🎯 Smart merge workflow with note deduplication

🚀 Quick Start

Option 1: HTTP MCP Endpoint (Recommended for Claude Desktop & ChatGPT) ⭐

The easiest way to get started! Deploy the server once and connect from any MCP client.

Step 1: Deploy with Docker Compose

# Clone the repository
git clone https://github.com/ebabcock80/orderdesk-mcp.git
cd orderdesk-mcp

# Start the server (includes WebUI on port 8080)
docker-compose up -d

Step 2: Access the WebUI

Navigate to: http://localhost:8080/webui

Login with the default master key: dev-admin-master-key-change-in-production-VNS09qKDdt
Add your OrderDesk store (store ID + API key)
Go to Settings page
Enter your master key to generate the MCP configuration
Copy the generated JSON configuration

Step 3: Connect Claude Desktop

Paste the configuration into ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "OrderDesk": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "http://localhost:8080/mcp?token=YOUR_MASTER_KEY_HERE"
      ]
    }
  }
}

Step 4: Restart Claude Desktop

That's it! Claude can now access all your OrderDesk data.

Try asking:

"List my OrderDesk stores"
"Show me the last 10 orders"
"Add a note to order 123456"

Option 2: Stdio MCP (Advanced - for local development)

For advanced users who want stdio-based MCP connections.

Step 1: Build the Docker Image

git clone https://github.com/ebabcock80/orderdesk-mcp.git
cd orderdesk-mcp
docker build -t orderdesk-mcp:latest .

Step 2: Configure Your AI Assistant

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "orderdesk": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-v", "/path/to/your/data:/app/data",
        "-e", "MCP_KMS_KEY=YOUR_GENERATED_KEY_HERE",
        "-e", "DATABASE_URL=sqlite:///./data/app.db",
        "orderdesk-mcp:latest"
      ]
    }
  }
}

Note: Generate MCP_KMS_KEY with: python -c "import secrets; print(secrets.token_urlsafe(32))"

Testing the Connection

Once configured, test with your AI assistant:

"List my OrderDesk stores"
"Show me recent orders from store DR"
"Add a note to order 342635621 saying 'Customer requested gift wrap'"

🎨 WebUI Quick Start

Access the Web Admin Interface

The OrderDesk MCP Server includes an optional professional web admin interface for managing stores, testing APIs, and monitoring the system.

Step 1: Configure WebUI

Edit your .env file:

# Enable WebUI
ENABLE_WEBUI=true

# Set JWT secret (generate with: openssl rand -base64 48)
JWT_SECRET_KEY=your-secure-random-64-char-key-here

# Session settings
SESSION_TIMEOUT=3600
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=strict

# Phase 6: User Management + Optional Public Signup
ENABLE_PUBLIC_SIGNUP=false  # Set to true for public/SaaS deployments
REQUIRE_EMAIL_VERIFICATION=true

# Email Configuration (for public signup)
EMAIL_PROVIDER=console  # Use 'smtp' for production
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_USE_TLS=true
SMTP_FROM_EMAIL=noreply@yourdomain.com

# Signup Rate Limiting
SIGNUP_RATE_LIMIT_PER_HOUR=3
SIGNUP_VERIFICATION_EXPIRY=900  # 15 minutes

Step 2: Start the Server

# Using Docker Compose (recommended for production)
docker-compose -f docker-compose.production.yml up -d

# Or run locally with uvicorn
uvicorn mcp_server.main:app --host 0.0.0.0 --port 8000

Step 3: Access the WebUI

Navigate to: http://localhost:8000/webui

Features:

🔐 Login with your master key
📊 Dashboard with store overview
🏪 Manage stores (add, edit, delete, test connection)
🧪 Interactive API console (test all 13 MCP tools)
⚙️ Settings and configuration display

WebUI Screenshots

Dashboard:

Store count and quick actions
Recent activity
API status indicators

API Console:

Select any of 13 MCP tools
Dynamic form generation
Instant JSON response display
Request history tracking

🔧 Critical Features

Smart Order Merge Workflow with Deduplication ⭐

The server implements an intelligent order update system:

Fetch: Retrieves the complete current order from OrderDesk
Merge: Intelligently merges your changes with existing data
- Appends new notes instead of replacing
- Deduplicates notes (case-insensitive comparison)
- Preserves all existing fields not being updated
Upload: Sends the complete merged order back to OrderDesk
Retry: Automatic conflict resolution (up to 5 attempts)

Example:

Existing order: {order_items: [...], order_notes: [{content: "Note 1"}, {content: "Note 2"}]}
Your change: {order_notes: [{content: "Note 3"}]}
Result: {order_items: [...], order_notes: [{content: "Note 1"}, {content: "Note 2"}, {content: "Note 3"}]}

This prevents data loss and duplicate entries.

HTTP MCP Endpoint

Remote Access: Connect from anywhere using HTTP POST to /mcp
Authentication: Via Authorization: Bearer TOKEN header or ?token=TOKEN query parameter
Compatible: Works with Claude Desktop, ChatGPT, or any MCP client
Easy Setup: Use npx mcp-remote http://your-server.com/mcp?token=YOUR_KEY
Copy-Paste Config: WebUI Settings page generates ready-to-use configuration

Multi-Tenant Architecture

Secure tenant isolation with per-tenant encryption keys
Master key authentication with auto-provisioning
Encrypted credential storage (AES-256-GCM)
Complete audit trail per tenant

📋 Environment Variables

Required Variables

Variable	Description	Example
`MCP_KMS_KEY`	Base64-encoded encryption key (32+ bytes)	`dGVzdC1rbXMta2V5...`

Core Settings

Variable	Description	Default
`PORT`	Server port	`8080`
`DATABASE_URL`	Database connection URL	`sqlite:///data/app.db`
`LOG_LEVEL`	Logging verbosity	`INFO`
`TRUST_PROXY`	Trust proxy headers (X-Forwarded-For)	`false`

Authentication & Security

Variable	Description	Default
`ADMIN_MASTER_KEY`	Admin master key for WebUI login (⚠️ change in production!)	`dev-admin-master-key-change-in-production-VNS09qKDdt`
`AUTO_PROVISION_TENANT`	Auto-create tenants for unknown master keys	`true`
`JWT_SECRET_KEY`	JWT signing key (required if WebUI enabled)	Auto-generated
`SESSION_TIMEOUT`	Session timeout in seconds	`86400` (24h)
`CSRF_SECRET_KEY`	CSRF token secret	Auto-generated

WebUI Settings

Variable	Description	Default
`ENABLE_WEBUI`	Enable web admin interface	`false`
`PUBLIC_URL`	Public URL for MCP client config generation	`http://localhost:8080`
`SESSION_COOKIE_SECURE`	Require HTTPS for cookies	`true`
`SESSION_COOKIE_HTTPONLY`	HttpOnly flag for cookies	`true`
`SESSION_COOKIE_SAMESITE`	SameSite cookie attribute	`Strict`

Rate Limiting

Variable	Description	Default
`RATE_LIMIT_RPM`	API requests per minute	`120`
`WEBUI_RATE_LIMIT_LOGIN`	Login attempts per IP per minute	`5`
`WEBUI_RATE_LIMIT_SIGNUP`	Signup attempts per IP per minute	`2`
`WEBUI_RATE_LIMIT_API_CONSOLE`	API console requests per user per minute	`30`
`SIGNUP_RATE_LIMIT_PER_HOUR`	Signups per IP per hour	`3`

Public Signup (Optional - Phase 6)

Variable	Description	Default
`ENABLE_PUBLIC_SIGNUP`	Allow public email signups	`false`
`REQUIRE_EMAIL_VERIFICATION`	Require email verification	`true`
`SIGNUP_VERIFICATION_EXPIRY`	Verification link expiry (seconds)	`900` (15 min)

Email Settings (for Public Signup)

Variable	Description	Default
`EMAIL_PROVIDER`	Email provider: `console`, `smtp`	`console`
`SMTP_HOST`	SMTP server hostname	-
`SMTP_PORT`	SMTP server port	`587`
`SMTP_USERNAME`	SMTP username	-
`SMTP_PASSWORD`	SMTP password	-
`SMTP_USE_TLS`	Use TLS for SMTP	`true`
`SMTP_FROM_EMAIL`	Default sender email	-

Caching

Variable	Description	Default
`CACHE_BACKEND`	Cache backend: `memory`, `sqlite`, `redis`	`memory`
`REDIS_URL`	Redis connection URL	`redis://redis:6379/0`
`CACHE_TTL_ORDERS`	Cache TTL for orders (seconds)	`15`
`CACHE_TTL_PRODUCTS`	Cache TTL for products (seconds)	`60`
`CACHE_TTL_CUSTOMERS`	Cache TTL for customers (seconds)	`60`
`CACHE_TTL_STORE_SETTINGS`	Cache TTL for store settings (seconds)	`300`

HTTP Client

Variable	Description	Default
`HTTP_TIMEOUT`	HTTP client timeout (seconds)	`30`
`HTTP_MAX_RETRIES`	Max retries for HTTP 429/5xx	`3`
`MUTATION_MAX_RETRIES`	Max retries for mutation conflicts	`5`

Monitoring

Variable	Description	Default
`ENABLE_METRICS`	Enable Prometheus metrics endpoint	`true`
`ENABLE_DETAILED_HEALTH`	Enable detailed health check	`true`
`ENABLE_AUDIT_LOG`	Enable audit logging	`true`
`AUDIT_LOG_RETENTION_DAYS`	Audit log retention (days)	`90`

Testing (Optional)

Variable	Description	Default
`ORDERDESK_TEST_ENABLED`	Enable integration tests	`false`
`ORDERDESK_TEST_STORE_ID`	Test store ID	-
`ORDERDESK_TEST_API_KEY`	Test API key	-

Quick Setup

Create a .env file with minimum required settings:

# Required
MCP_KMS_KEY=dGVzdC1rbXMta2V5LWZvci1kZXZlbG9wbWVudC0zMi1ieXRlcy1taW5pbXVt

# Admin Access (⚠️ CHANGE IN PRODUCTION!)
ADMIN_MASTER_KEY=dev-admin-master-key-change-in-production-VNS09qKDdt

# WebUI (Optional)
ENABLE_WEBUI=true
PUBLIC_URL=http://localhost:8080

# That's it for development!

🏭 Production Features

Monitoring & Observability

Prometheus Metrics: 15+ production metrics (request latency, cache hit rates, error tracking)
Health Checks: 4 endpoints (/health, /health/live, /health/ready, /health/detailed)
Structured Logging: JSON logs with correlation IDs and secret redaction
Audit Trail: Complete logging of all MCP tool calls

Deployment Options

Docker Compose: Single-server deployment with nginx + PostgreSQL + Redis
Kubernetes: Full manifests with health probes and autoscaling
Multi-Instance: Load balancing with automatic failover
SSL/TLS: Let's Encrypt, self-signed, or Cloudflare integration

Security

A+ Security Rating: OWASP Top 10 compliant
Encryption: AES-256-GCM for credentials, HKDF for key derivation
Authentication: bcrypt master keys, JWT sessions, CSRF protection
Rate Limiting: Token bucket algorithm, per-tenant limits
Audit Logging: Complete activity tracking

Performance

Smart Caching: Multi-backend (memory/SQLite/Redis) with configurable TTLs
Conflict Resolution: Automatic retry with exponential backoff
Connection Pooling: Efficient database and HTTP client pooling
Response Times: <50ms (cached), <2s (uncached)

See for complete setup instructions.

🏗️ Architecture

Dual Interface Design

The server provides two interfaces for maximum flexibility:

1. MCP Protocol (AI Assistant Interface)

Native stdio communication
13 registered tools for AI assistants
Safe order updates (fetch-merge-update)
Comprehensive error handling

2. WebUI (Human Admin Interface)

Browser-based admin dashboard
Visual store management
Interactive API testing console
Mobile-responsive design

Core Components

Authentication: Master key + JWT sessions
Storage: SQLite/PostgreSQL with encrypted credentials
Caching: Multi-backend with selective invalidation
HTTP Client: Automatic retries with exponential backoff
Monitoring: Prometheus metrics + health checks

📖 Usage Guide

Getting Started with OrderDesk

First, add your OrderDesk store:

"Add my OrderDesk store with ID 42174 and API key abc123"

List your stores to verify:
```
"Show me all my OrderDesk stores"
```

Browse your orders:

"List my recent orders from OrderDesk"
"Show me pending orders"
"Get orders from folder 123"

Common Use Cases

Order Management

"Get details for order 12345"
"Update order 12345 status to shipped with tracking number 1Z999AA1234567890"
"Move order 12345 to the 'Shipped' folder"
"Add a note to order 12345: 'Customer requested expedited shipping'"

Product Operations

"List all products in my store"
"Search for products containing 'widget'"
"Get details for product ID 5678"

Customer Management

"List all customers"
"Search for customer 'john@example.com'"
"Get customer details for ID 999"

Folder Organization

"List all order folders"
"Create a new folder called 'Priority Orders'"
"Move order 12345 to the 'Priority Orders' folder"

Advanced Operations

Safe Order Updates

The server automatically handles safe order updates:

Fetches the complete current order data
Merges your changes with existing data
Sends the complete updated order back to OrderDesk
Prevents data loss from partial updates

Batch Operations

"List the last 100 orders"
"Show me all orders from the last 30 days"
"Get all pending orders in folder 456"

🔧 MCP Tool Reference

Store Management

Create Store

{
  "tool": "create_store",
  "arguments": {
    "store_id": "your-store-id",
    "api_key": "your-api-key",
    "name": "My Store"
  }
}

List Stores

{
  "tool": "list_stores",
  "arguments": {}
}

Order Operations

List Orders

{
  "tool": "list_orders",
  "arguments": {
    "store_id": "your-store-id",
    "api_key": "your-api-key",
    "limit": 50,
    "offset": 0,
    "status": "pending",
    "folder_id": 123
  }
}

Get Order

{
  "tool": "get_order",
  "arguments": {
    "store_id": "your-store-id",
    "api_key": "your-api-key",
    "order_id": 12345
  }
}

Update Order (Safe)

{
  "tool": "update_order",
  "arguments": {
    "store_id": "your-store-id",
    "api_key": "your-api-key",
    "order_id": 12345,
    "order_data": {
      "status": "shipped",
      "tracking_number": "1Z999AA1234567890"
    }
  }
}

🚀 Recent Updates

Latest Release (October 18, 2025) ⭐

HTTP MCP Endpoint + Smart Order Merge Workflow

✅ HTTP MCP Endpoint: Remote access via /mcp POST endpoint for Claude Desktop, ChatGPT, and any MCP client
✅ Smart Order Merge: Fetch-merge-upload workflow with intelligent note deduplication (case-insensitive)
✅ MCP Protocol Complete: Full support for initialize, tools/list, tools/call, prompts/list, resources/list, notifications
✅ Advanced Order Filtering: 20+ search parameters (folder, customer, dates, email, shipping, etc.)
✅ Store Config Caching: Auto-fetch OrderDesk folders and settings on store registration
✅ Tool Naming Fixed: All tools follow MCP spec (service_method format)
✅ Deduplication: Prevents duplicate notes when adding order notes
✅ Response Unwrapping: Properly extracts order data from OrderDesk API envelope
✅ Cache Improvements: Added invalidate_pattern method for granular cache control

Commits: 7e33927, de3fffb, 6929cbe, fbc8192

Key Improvements

🔧 110 Tests Passing: Comprehensive test coverage (up from 76)
🔧 All CI Checks Green: Lint, format, type check, unit tests, Docker build
🔧 Zero Type Errors: Full mypy compliance with Python 3.12
🔧 Production Documentation: CI_STATUS.md, TESTING_SUMMARY.md added
🔧 WebUI MCP Config Generator: Copy-paste ready configuration on Settings page

📚 Documentation

Core Documentation

- This file, quick start and overview
- Complete CI status with all test results
- MCP endpoint testing and integration guide
- Deep dive into security architecture

Setup Guides

- Complete setup instructions
- API endpoint reference
- MCP tool operation guide
- Complete MCP tool reference

Testing & CI

- Automated MCP endpoint testing
- GitHub Actions CI configuration
- Python project configuration and dependencies

🤝 Contributing

Fork the repository
Create a feature branch
Make your changes
Add tests
Submit a pull request

📄 License

MIT License - see file for details.

🔧 Troubleshooting

Common Issues

Docker Connection Problems

# Check if Docker is running
docker --version

# Verify the image was built correctly
docker images | grep orderdesk-mcp

# Check container logs
docker logs <container_id>

MCP Server Not Starting

# Verify environment variables
echo $MCP_KMS_KEY
echo $DATABASE_URL

# Check data directory permissions
ls -la data/

# Test with verbose logging
docker run --rm -i \
  -v $(pwd)/data:/app/data \
  -e SERVER_MODE=mcp \
  -e MCP_KMS_KEY="your-key" \
  -e LOG_LEVEL=debug \
  orderdesk-mcp:latest

OrderDesk API Errors

401 Unauthorized: Check your store_id and api_key
404 Not Found: Verify the endpoint exists in OrderDesk API v2
500 Server Error: Check OrderDesk service status

Data Persistence Issues

# Ensure data directory exists and is writable
mkdir -p data
chmod 755 data

# Check database file
ls -la data/app.db

Getting Help

Check the logs: Look for error messages in the Docker container logs
Verify configuration: Ensure all environment variables are set correctly
Test connectivity: Try a simple tool call like health_check
Check OrderDesk: Verify your OrderDesk account and API credentials

🆘 Support

Issues: GitHub Issues
Documentation: This README and inline code comments
MCP Integration: See tool schemas and examples above
OrderDesk API: OrderDesk API Documentation

Contributing

Found a bug or want to add a feature? We welcome contributions!

Fork the repository
Create a feature branch: git checkout -b feature/amazing-feature
Make your changes and test them
Commit your changes: git commit -m 'Add amazing feature'
Push to the branch: git push origin feature/amazing-feature
Open a Pull Request

License

This project is licensed under the MIT License - see the file for details.