Statamic MCP v2.0: Out of Beta
Statamic MCP v2 is released. OAuth 2.1 for ChatGPT, file and database storage drivers, a full CP dashboard, 21 scoped permissions, audit logging, and a router architecture that replaced 140+ tools with 11. Statamic 6 only.
Statamic MCP v2.0 is out. After weeks of rewriting the entire package from scratch, it's production-ready and available on Packagist. Statamic 6.6+ only, PHP 8.3+.
composer require cboxdk/statamic-mcp
php artisan mcp:statamic:install
This is a ground-up rebuild. If you read my post about redesigning the tool architecture, v2 delivers on everything described there and adds a lot more.
11 tools instead of 140+
The biggest architectural change: every individual MCP tool (statamic.blueprints.list, statamic.entries.create, etc.) is gone. In their place are 11 domain routers where the action is a parameter:
statamic-blueprints - list, get, create, update, delete, scan, generate, validate
statamic-entries - list, get, create, update, delete, publish, unpublish
statamic-terms - taxonomy term operations
statamic-globals - global sets with multi-site support
statamic-structures - collections, taxonomies, navigations, sites
statamic-assets - containers, files, uploads, move, copy
statamic-users - CRUD with role and group management
statamic-system - info, health, cache operations, config
statamic-content-facade - content audits and cross-referencing
statamic-system-discover - intent-based tool discovery
statamic-system-schema - tool schema inspection
All tools declare behavior annotations (#[IsReadOnly], #[IsIdempotent]) and return standardized JSON with success, data, and meta keys. LLMs pick the right domain router almost every time now, and tool selection accuracy jumped from 78% to 96% in my testing.
OAuth 2.1
This is the feature that unlocked ChatGPT support. Browser-based MCP clients need OAuth, and v2 ships a complete OAuth 2.1 authorization server with PKCE (S256). No external packages required.
The flow: dynamic client registration (RFC 7591), authorization with a consent screen in the Statamic CP, token exchange with PKCE verification, and refresh token rotation. Discovery endpoints at /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource follow the specs.
OAuth tokens are regular MCP tokens with additional metadata. They show up in the CP dashboard with an "OAuth" badge. Configurable TTLs for codes (10 min), tokens (7 days), and refresh tokens (30 days).
If you already use Passport or another OAuth provider, the OAuthDriver interface lets you swap the built-in implementation.
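The token-exchange step described above comes down to a few server-side checks on the authorization code. This is an added example, not code from the package; the in-memory `$codes` store, its record shape, and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Base64url without padding, as RFC 7636 specifies for S256.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// code_challenge = BASE64URL(SHA256(code_verifier))
function pkceChallenge(string $verifier): string
{
    return b64url(hash('sha256', $verifier, true));
}

// Returns null when the exchange may proceed, otherwise an OAuth error code.
// $codes is a hypothetical in-memory store: code => record saved at /authorize.
function checkExchange(array &$codes, string $code, string $clientId, string $verifier, int $now): ?string
{
    $rec = $codes[$code] ?? null;
    if ($rec === null) {
        return 'invalid_grant';          // unknown or already used
    }
    unset($codes[$code]);                // single use, even if the checks below fail
    if ($now > $rec['expires_at'] || !hash_equals($rec['client_id'], $clientId)) {
        return 'invalid_grant';
    }
    // RFC 7636: the verifier is 43-128 characters from the unreserved set.
    if (preg_match('/\A[A-Za-z0-9._~-]{43,128}\z/', $verifier) !== 1) {
        return 'invalid_request';
    }
    return hash_equals($rec['code_challenge'], pkceChallenge($verifier)) ? null : 'invalid_grant';
}

// Constructed demo: the client creates the verifier, the server stores only the challenge.
$verifier = b64url(random_bytes(32));
$now = time();
$record = ['client_id' => 'client-1', 'code_challenge' => pkceChallenge($verifier), 'expires_at' => $now + 600];

$codes = ['c1' => $record, 'c2' => $record, 'c3' => $record];
var_dump(checkExchange($codes, 'c1', 'client-1', $verifier, $now));                // matching verifier
var_dump(checkExchange($codes, 'c1', 'client-1', $verifier, $now));                // same code presented twice
var_dump(checkExchange($codes, 'c2', 'client-1', b64url(random_bytes(32)), $now)); // verifier does not match
var_dump(checkExchange($codes, 'c3', 'client-1', $verifier, $now + 601));          // past the 10 minute code TTL
```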
Storage drivers
v1 was file-only. v2 introduces a driver system for both tokens and audit logs:
'stores' => [
    'tokens' => FileTokenStore::class, // or DatabaseTokenStore::class
    'audit' => FileAuditStore::class, // or DatabaseAuditStore::class
],
File drivers store tokens as YAML in storage/statamic-mcp/tokens/ and audit entries as JSONL append-only logs. No database required. This follows Statamic's own flat-file philosophy.
Database drivers use Eloquent models backed by migration-created tables. Better for high-traffic sites and multi-server deployments where file-based storage doesn't scale.
Mix and match: file tokens with database audit, or vice versa. The mcp:migrate-store command handles data migration between drivers.
Third-party developers can implement the TokenStore or AuditStore contracts for custom backends (Redis, S3, whatever you need).
CP dashboard
A full Vue 3 dashboard at Tools > MCP with four tabs:
Connect - endpoint URL and one-click copy-paste configuration for Claude Desktop, Claude Code, Cursor, ChatGPT, and Windsurf. Pick your client, copy the JSON, paste it into your config.
Tokens - create, list, edit, regenerate, and revoke API tokens. Each token gets a name, scoped permissions, and optional expiry. Scope presets (Read Only, Content Editor, Full Access) make the common cases fast.
Activity - real-time audit log of all MCP tool calls. Filter by tool, status, and date range. Every call is logged with correlation ID, user, token, tool, action, result, duration, and IP.
Settings - system stats, endpoint status, rate limiting info, and quick config overview.
Statamic permissions control who sees what. Admins with the "manage all mcp tokens" permission see everything. Regular users see only their own tokens.
21 scoped permissions
Tokens use 21 granular scopes in domain:permission format:
* for full access
content:read and content:write as cross-router shortcuts
Per-domain: blueprints:read, entries:write, assets:read, etc.
Tokens are prefixed smc_ + 40 random characters, stored as SHA-256 hashes. The plaintext is shown once at creation and can't be retrieved later. Configurable max lifetime (default 365 days) and max tokens per user.
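To make the token and scope model concrete, here is an added sketch (not the package's code) of hash-only token storage and a `domain:permission` check. The 40-character hex alphabet, the set of domains covered by the `content:*` shortcuts, and all function names are assumptions; the page does not specify them.

```php
<?php
declare(strict_types=1);

const TOKEN_PREFIX = 'smc_';
// Assumption: the page does not say which routers content:* covers.
const CONTENT_DOMAINS = ['entries', 'terms', 'globals'];

// Assumption: 40 hex characters from the CSPRNG; the page only says "40 random characters".
function issueToken(): array
{
    $plain = TOKEN_PREFIX . bin2hex(random_bytes(20));
    // Only the hash is persisted; $plain is shown to the user once.
    return ['plain' => $plain, 'hash' => hash('sha256', $plain)];
}

// $store maps SHA-256 hex digest => token row, so lookup never needs stored plaintext.
function authenticate(array $store, string $presented, int $now): ?array
{
    if (!str_starts_with($presented, TOKEN_PREFIX) || strlen($presented) !== 44) {
        return null; // reject malformed input before hashing
    }
    $row = $store[hash('sha256', $presented)] ?? null;
    if ($row === null || $row['expires_at'] <= $now) {
        return null; // unknown or expired
    }
    return $row;
}

function scopeAllows(array $granted, string $required): bool
{
    if (in_array('*', $granted, true) || in_array($required, $granted, true)) {
        return true;
    }
    if (!str_contains($required, ':')) {
        return false;
    }
    [$domain, $perm] = explode(':', $required, 2);
    return in_array($domain, CONTENT_DOMAINS, true)
        && in_array("content:$perm", $granted, true);
}

// Constructed demo data.
$t = issueToken();
$store = [$t['hash'] => ['scopes' => ['content:read', 'blueprints:read'], 'expires_at' => time() + 3600]];
$row = authenticate($store, $t['plain'], time());
foreach (['entries:read', 'entries:write', 'blueprints:read', 'users:read'] as $need) {
    printf("%-16s %s\n", $need, scopeAllows($row['scopes'], $need) ? 'allow' : 'deny');
}
var_dump(authenticate($store, TOKEN_PREFIX . str_repeat('0', 40), time())); // well-formed but unknown token
```

Because only the digest is stored, a leaked token store does not hand out usable credentials, and "regenerate" is the only recovery path for a lost plaintext.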
Security
Rate limiting per token with sliding window strategy (default 60/min)
HTTPS enforcement in production (skipped in local/testing)
CORS support for browser-based clients
Tool timeout (default 30s) prevents runaway operations
Audit logging with sensitive field redaction
Path traversal protection on all file operations
PHPStan Level 8 strict typing across the entire codebase
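For the audit logging item above, combined with the JSONL file driver, this added example (not the package's code) shows recursive redaction applied before an append-only write. The sensitive key list, the entry's key names, and the temp-file path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: these key names are illustrative, not the package's actual redaction list.
const SENSITIVE_KEYS = ['password', 'token', 'secret', 'api_key', 'authorization'];

// Recursively mask sensitive keys so nested tool arguments are covered too.
function redact(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $data[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $data[$key] = redact($value);
        }
    }
    return $data;
}

function appendAudit(string $path, array $entry): void
{
    $entry['arguments'] = redact($entry['arguments'] ?? []);
    $line = json_encode($entry, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES) . "\n";
    // One JSON object per line; LOCK_EX keeps concurrent writers from interleaving.
    if (file_put_contents($path, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("audit write failed: $path");
    }
}

// Constructed entry using the fields the Activity tab lists.
$path = tempnam(sys_get_temp_dir(), 'mcp-audit-');
appendAudit($path, [
    'correlation_id' => bin2hex(random_bytes(8)),
    'user' => 'editor@example.test',
    'token' => 'token-id-1', // an identifier, never the smc_ plaintext
    'tool' => 'statamic-users',
    'action' => 'create',
    'result' => 'success',
    'duration_ms' => 42,
    'ip' => '203.0.113.7',
    'arguments' => ['email' => 'new@example.test', 'password' => 'hunter2', 'meta' => ['api_key' => 'abc']],
]);
echo file_get_contents($path);
unlink($path);
```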
Legacy auth methods (Basic Auth and base64 Bearer tokens from v1) still work but log deprecation warnings. They will be removed in v3.
Breaking changes from v1
Statamic v5 support dropped entirely
Config file restructured (re-publish required)
All individual tool names changed to router format
type parameter renamed to resource_type in some tools
The install command detects v1 config and offers migration. See the upgrade guide for details.
What is next
The immediate priorities are expanding test coverage (772 tests and counting), improving the content-facade router for complex cross-collection workflows, and shipping a proper Grafana dashboard for the Prometheus metrics that the audit system can feed.
Install it, try it, file issues if something breaks.