This project is not covered by Drupal’s security advisory policy.
MO MCP Server turns your Drupal site into a self-contained Model Context Protocol (MCP) server so AI assistants like Claude, Cursor, and GitHub Copilot can query and interact with it directly - no middleware, no third-party proxy, no contrib dependencies.
It exposes a spec-compliant JSON-RPC endpoint at POST /mo-mcp-server that any MCP-compatible AI client can connect to. Once connected, AI agents can read site data, search content, inspect installed modules, and run configured administrative commands - all governed by Drupal's existing role-based permission system.
Why MO MCP Server?
AI coding tools and agent frameworks increasingly rely on MCP to understand the systems they work with. MO MCP Server gives your Drupal site a voice in those conversations - exposing real site context through a protocol AI agents already speak, with zero external dependencies and full administrative control over what gets shared.
Features
Built-in tools (ready to use after installation):
- site_info - Returns the site name, slogan, and Drupal core version. Read-only.
- module_status - Lists every installed module with version and package information. Read-only.
- content_search - Searches published nodes by content type with optional title keyword filtering. Respects Drupal's entity access grants - users only see content they have permission to view. Read-only.
- drush_command - Runs an administrator-allowlisted Drush command. Hidden entirely from AI clients until an allowlist is configured. Marked destructive.
MCP Studio - no-code custom tool builder:
- Build and publish additional MCP tools through the Drupal admin UI with no PHP required.
- Static response tools - Define a description, an optional JSON Schema for inputs, and a Twig template that renders the response using call arguments as context.
- Entity action tools - A single engine drives create, update, delete, and load operations on any Drupal content entity type. Choose entity type, bundle, operation, and exposed fields - the MCP input schema is generated automatically. Drupal entity access checks are enforced at execution time.
- Each Studio tool auto-registers its own Drupal permission that administrators can assign to roles from the standard Permissions page.
Administration and security:
- Dashboard summary cards showing total tools, enabled tools, and read-only tools.
- Per-tool enable/disable toggle - disabled tools are invisible in
tools/listand cannot be called. - Filterable tool table by name, status, and behavior (read-only / destructive / standard).
- Per-tool description override - replace the developer-supplied description with a site-specific explanation that AI clients will see.
- Drush allowlist configured from the admin UI - discovers available commands automatically and presents them as a checklist.
- Two static permissions (
use mo_mcp_serverandadminister mo_mcp_server) plus one dynamic ability permission per tool, all manageable from the standard Drupal Permissions page. - Full MCP protocol support:
initialize,notifications/initialized,ping,tools/list,tools/call. Single and batch JSON-RPC requests supported. Protocol version: 2024年11月05日.
Post-Installation
- Navigate to
Administration > Configuration > Web services > MCP Server(/admin/config/services/mo-mcp-server). - The JSON-RPC endpoint URL is shown at the top of the settings page.
Copy it - this is what you paste into your AI client's MCP server configuration. - Enable or disable individual tools from the tools table on the settings page. All four built-in tools are enabled by default.
- To use the
drush_commandtool, scroll to the Drush section on the settings page, discover available commands, check the ones you want to permit, and save. - To create custom tools, navigate to the MCP Studio tab and click Add MCP Studio tool.
Additional Requirements
- Drupal core 10.3 or 11.x - No earlier versions supported.
- PHP 8.1+
- No third-party PHP packages beyond those bundled with Drupal core.
- NHI Guardian (this module's dependency) - provides the authentication and enforcement layer for requests arriving at the MCP endpoint.
- Drush (optional) - required only if using the
drush_commandtool.
Recommended modules/libraries
- NHI Guardian - Pair with NHI Guardian to enforce JWT or API key authentication on the MCP endpoint, with full audit logging and scope-based access control for each AI agent.
Supporting this Module
MO MCP Server is developed and maintained by miniOrange. For custom tool development, functionality improvements, contact us at miniorange.com.
Helpful Links -
- The rest of our Drupal Arsenal.
- Dedicated Slack Channel for round the clock support.
Project information
- Project categories: Content display, Developer tools, Integrations
- Created by vengat_the_wizard on , updated
- shield alertThis project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.