README

Beta — This extension is under active development. APIs and behavior may change between releases.

TYPO3 CMS extension that implements an MCP (Model Context Protocol) server for TYPO3 administration. It exposes 48+ tools for managing pages, content elements, files, backend users, and custom extension records via the MCP protocol, allowing AI assistants to interact with your TYPO3 instance.

This extension is designed primarily for direct, fully autonomous AI operation — changes take effect immediately, with no approval queue between the AI and the live site. The goal is to let AI agents build, update, and maintain TYPO3 sites end-to-end without human intervention.

Workspace support is also available when typo3/cms-workspaces is installed: the AI can switch into a workspace, make draft changes, and use the workspace tools to publish or discard them. This is a secondary mode for cases where review-before-publish is required — direct mode remains the primary use case.

Example Prompts

These are the kinds of tasks an AI agent can accomplish autonomously through this MCP server:

• "Create a new 'Services' page under the homepage with three subpages: Web Development, Consulting, and Support. Add introductory text content to each."
• "Translate all pages and content elements under page 12 to German and French."
• "Upload the product images from these URLs and attach them to the corresponding news records."
• "Reorganize the page tree: move all blog posts from 2023 under a new '2023 Archive' page."
• "Create a contact form page with a header, text element explaining our office hours, and an address content element."
• "Review all pages under 'Products' and update their SEO meta descriptions based on their content."
• "Set up the site structure for a new microsite: landing page, about, pricing with three tiers, FAQ, and contact — add placeholder content to each."
• "Find all hidden pages in the site and list them with their paths so I can decide which to publish or delete."
• "Add a news record for today's product launch, upload the press release PDF, and link it as a file reference."

Requirements

• PHP 8.3+
• TYPO3 v13.4 or v14.x

Installation

composer require marekskopal/typo3-mcp-server

After installation:

1. Activate the extension in TYPO3 backend or via CLI:

   vendor/bin/typo3 extension:setup

2. Run database migrations to create the required OAuth tables:

   vendor/bin/typo3 database:updateschema

Setup

The MCP server supports two transports:

• HTTP transport — for remote AI clients connecting over the network (requires OAuth)
• stdio transport — for local AI tools running on the same machine (no OAuth needed)

stdio Transport (Recommended for Local Use)

For AI tools running on the same server as TYPO3 (Claude Desktop, Cursor, Windsurf, VS Code, etc.), use the stdio transport. No OAuth setup is required — the server runs as a backend user directly:

vendor/bin/typo3 mcp:server

Use --user to specify which backend user to run as (defaults to admin):

vendor/bin/typo3 mcp:server --user editor

HTTP Transport

For remote AI clients, the MCP server is available at /mcp on your TYPO3 instance. It uses the Streamable HTTP transport (MCP protocol version 2025-03-26).

HTTP transport requires OAuth 2.1 authentication. See the Authentication section below.

AI Client Configuration

Claude Desktop

Add to your Claude Desktop config file:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json

stdio (local):

{
  "mcpServers": {
    "typo3": {
      "command": "php",
      "args": ["vendor/bin/typo3", "mcp:server", "--user", "admin"],
      "cwd": "/path/to/your/typo3/project"
    }
  }
}

HTTP (remote):

{
  "mcpServers": {
    "typo3": {
      "url": "https://your-typo3-site.com/mcp"
    }
  }
}

OAuth authentication is handled automatically — Claude Desktop will open a browser window for the authorization flow.

Claude Code (CLI)

stdio (local):

claude mcp add typo3 -- php vendor/bin/typo3 mcp:server

Or add to your project's .mcp.json:

{
  "mcpServers": {
    "typo3": {
      "command": "php",
      "args": ["vendor/bin/typo3", "mcp:server"]
    }
  }
}

HTTP (remote):

claude mcp add --transport http typo3 https://your-typo3-site.com/mcp

Or in .mcp.json:

{
  "mcpServers": {
    "typo3": {
      "url": "https://your-typo3-site.com/mcp"
    }
  }
}

Cursor

Add to .cursor/mcp.json in your project root:

stdio (local):

{
  "mcpServers": {
    "typo3": {
      "command": "php",
      "args": ["vendor/bin/typo3", "mcp:server"],
      "cwd": "/path/to/your/typo3/project"
    }
  }
}

HTTP (remote):

{
  "mcpServers": {
    "typo3": {
      "url": "https://your-typo3-site.com/mcp"
    }
  }
}

Windsurf

Add to ~/.codeium/windsurf/mcp_config.json:

stdio (local):

{
  "mcpServers": {
    "typo3": {
      "command": "php",
      "args": ["vendor/bin/typo3", "mcp:server"],
      "cwd": "/path/to/your/typo3/project"
    }
  }
}

HTTP (remote):

{
  "mcpServers": {
    "typo3": {
      "url": "https://your-typo3-site.com/mcp"
    }
  }
}

VS Code (Copilot)

Add to your VS Code settings (.vscode/settings.json):

stdio (local):

{
  "mcp": {
    "servers": {
      "typo3": {
        "command": "php",
        "args": ["vendor/bin/typo3", "mcp:server"],
        "cwd": "/path/to/your/typo3/project"
      }
    }
  }
}

HTTP (remote):

{
  "mcp": {
    "servers": {
      "typo3": {
        "url": "https://your-typo3-site.com/mcp"
      }
    }
  }
}

Other MCP Clients

Any MCP-compatible client can connect via either transport:

• stdio: Run php vendor/bin/typo3 mcp:server — communicates via stdin/stdout, no auth needed
• HTTP: Connect to https://your-typo3-site.com/mcp — requires OAuth 2.1 with PKCE. Server metadata is available at /.well-known/oauth-authorization-server for auto-discovery.

Authentication

HTTP transport uses OAuth 2.1 with PKCE (S256). Each token is linked to a backend user — all operations respect that user's TYPO3 permissions.

The stdio transport does not require OAuth — the user is specified via the --user flag.

OAuth Features

• Authorization Code flow with PKCE — standard OAuth 2.1 for MCP clients
• Dynamic Client Registration (RFC 7591) — clients can self-register
• Token Revocation (RFC 7009) — revoke access and refresh tokens
• Protected Resource Metadata (RFC 9728) — auto-discovery of auth requirements

OAuth Endpoints

Token Lifetimes

Configurable via Settings > Extension Configuration > ms_mcp_server:

Rate Limiting

OAuth endpoints are protected by IP-based rate limiting with configurable per-endpoint limits:

Returns 429 Too Many Requests with Retry-After header when exceeded.

Backend Module

The System > MCP Server backend module provides:

• Register and manage OAuth clients
• Edit client settings (name, redirect URIs, linked backend user)
• View active tokens per client with status (active/refreshable/expired)
• Revoke individual tokens
• Discover extension tables — scan installed extensions, enable/disable for MCP tool generation, customize label/prefix

Tools Reference

Pages

Target positioning (for pages_copy): Use a positive target to place as child of that page. Use a negative target to place after a specific page (e.g., target: -42 means "after page 42").

Content Elements

Target positioning (for content_move, content_copy): Positive target = place at top of that page. Negative target = place after element with that UID.

File Management

All file tools accept an optional storageUid parameter (default: 1 for fileadmin).

File References

Schema and Search

Search operators: eq, neq, like (default), gt, gte, lt, lte, in (comma-separated), null, notNull.

Search examples:

// Simple LIKE search
{"title": "hello"}

// Advanced operators
{"uid": {"op": "gt", "value": "10"}, "title": {"op": "eq", "value": "Home"}}

// Combined with sorting
orderBy: "title", orderDirection: "DESC"

Translation

Batch Operations

All batch tools work on any TCA table.

Cache

Backend Users & Groups

Restricted to admin backend users only. Sensitive be_users columns (password, mfa) are never returned; soft-deleted records are always excluded.

Workspaces

Registered only when typo3/cms-workspaces is installed. Direct (live-mode) operation is the primary use case for this extension — these tools enable a secondary draft/publish workflow when review is required. After workspace_switch, all subsequent reads and writes (pages_*, content_*, etc.) operate on the chosen workspace.

Dynamic Extension Tools

Additional CRUD tools are registered automatically for tables configured via EXTCONF or enabled through the Extension Tables backend module (auto-discovery). News is pre-configured and generates 6 tools:

See Adding Support for Other Extensions to register your own tables.

Resources Reference

Resources provide read-only context about the TYPO3 instance. AI clients can read these to understand the environment before taking actions.

Prompts Reference

Prompts provide guided multi-step workflows that instruct the AI through complex tasks.

Adding Support for Other Extensions

Option 1: Auto-discovery (no code changes)

Go to System > MCP Server > Manage Extension Tables, click Discover Extension Tables, then enable the tables you want. The extension scans TCA for installed extension tables and lets you toggle them on/off with customizable labels and prefixes.

Option 2: Code configuration

Register custom tables in your extension's ext_localconf.php:

$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['ms_mcp_server']['tables']['tx_blog_domain_model_post'] = [
    'label' => 'Blog Post',
    'prefix' => 'blog_post',
];

This automatically creates 6 tools (blog_post_list, blog_post_get, blog_post_create, blog_post_update, blog_post_delete, blog_post_move) with fields resolved from TCA.

Optional overrides:

$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['ms_mcp_server']['tables']['tx_blog_domain_model_post'] = [
    'label' => 'Blog Post',
    'prefix' => 'blog_post',
    'listFields' => ['uid', 'pid', 'title', 'datetime'],    // Fields shown in list results
    'readFields' => ['title', 'datetime', 'bodytext'],       // Fields returned by get
    'writableFields' => ['title', 'datetime', 'bodytext'],   // Fields accepted by create/update
];

Maintenance

Clean up expired tokens, stale session files, and rate limit entries:

vendor/bin/typo3 mcp:cleanup

Run this periodically via TYPO3 Scheduler or cron.

Architecture

HTTP request → McpServerMiddleware (Bearer auth)
             → ErrorHandlingContainer (wraps tools with error handling)
             → McpServerFactory (auto-discovers tools via DI tags)
             → MCP SDK Server (StreamableHttpTransport)
             → Tool execution → JSON response

Tools, resources, and prompts are auto-discovered via DI container tags — no manual registration needed. Adding a new tool is as simple as creating a class with a #[McpTool] attribute.

Error handling is centralized in ErrorHandlingProxy. Tool classes contain only business logic — no try/catch boilerplate, no logger injection.

Audit logging records every tool and resource invocation to TYPO3's sys_log table — visible in the backend log module with user ID, tool name, execution time, and outcome.

Development

composer install

# Static analysis (PHPStan level max)
vendor/bin/phpstan analyse

# Code style (Slevomat Coding Standard)
vendor/bin/phpcs
vendor/bin/phpcbf

# Tests (545 tests)
vendor/bin/phpunit

License

GPL-2.0-or-later