Everything you'd want to know before you install.
A detailed look at how DataFirefly MCP Commerce — PrestaShop MCP Server / Agentic Commerce works, why we built it the way we did, and the thinking behind the features above.
Agentic commerce, in practice
AI agents no longer just answer: they act. ChatGPT and Claude can now connect to MCP servers to query a service and run actions. DataFirefly MCP Commerce turns your PrestaShop store into an MCP server: an agent can search a product, view its details, build a cart and prepare an order, all through a standard protocol, with no bespoke integration.
A compliant, up-to-date MCP server
The module implements the Streamable HTTP transport over JSON-RPC 2.0 on a single endpoint, in the latest protocol revision (2025-11-25), with version negotiation and fallback to earlier versions. Agents auto-discover capabilities via initialize then tools/list, and invoke tools via tools/call.
Dual authentication: web and API
The Claude.ai and ChatGPT web connectors only accept OAuth, so the module ships a full OAuth 2.1 authorization server (authorization code + PKCE S256, Protected Resource Metadata and Dynamic Client Registration). The agent registers itself and opens a consent screen where the shopper logs in and approves access. For the Anthropic API, Claude Desktop, Claude Code or n8n, static Bearer tokens are created in one click from the back office.
Preparing the order without touching payment
By default the module runs in handoff mode: the agent assembles the cart and then returns a secure checkout URL. When the shopper opens it, that exact cart is loaded into their session and they complete payment through the usual PrestaShop flow. No payment data ever passes through the agent, so the agent side has no PCI exposure. An optional order mode instead creates an awaiting-payment order directly, intended for B2B, cash on delivery or quotes.
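The handoff described above needs a checkout URL that cannot be guessed or altered and that carries no payment data. The following is an added illustration, not the module's own PHP code, of one way such a link can be built and verified: the agent-facing tool returns a URL whose query token names the cart and its owner with an expiry, signed with an HMAC, and the shop-side controller accepts it only if the signature, expiry and logged-in customer all match. The secret, base URL, handoff path and 15-minute lifetime are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse

# Assumptions for this illustration: a server-side secret kept in the shop's
# configuration, the shop's base URL and the path of the handoff controller.
CHECKOUT_SECRET = b"constructed-demo-secret-do-not-reuse"
SHOP_BASE_URL = "https://shop.example"
HANDOFF_PATH = "/agent-checkout"
CHECKOUT_TTL = 15 * 60  # seconds a handoff link stays valid (assumed)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_checkout_url(cart_id, customer_id, now=None):
    """Agent side of the handoff: the tool returns this URL instead of taking payment.
    The payload names the cart and its owner plus an expiry, and nothing else."""
    now = time.time() if now is None else now
    payload = json.dumps({"cart": cart_id, "cust": customer_id, "exp": int(now) + CHECKOUT_TTL},
                         separators=(",", ":")).encode()
    sig = hmac.new(CHECKOUT_SECRET, payload, hashlib.sha256).digest()
    return f"{SHOP_BASE_URL}{HANDOFF_PATH}?t={_b64url(payload)}.{_b64url(sig)}"


def resolve_checkout(url, logged_in_customer_id, now=None):
    """Shop side: return the cart id to load into the shopper's session, or None."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64url(p64), _unb64url(s64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before trusting a single byte of the payload.
    expected = hmac.new(CHECKOUT_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if now > data["exp"]:
        return None  # stale link: the agent has to prepare the cart again
    if data["cust"] != logged_in_customer_id:
        return None  # link refers to another customer's cart
    return data["cart"]


if __name__ == "__main__":
    link = make_checkout_url(4711, 42)
    print(link)
    print("cart for customer 42:", resolve_checkout(link, 42))
```

Binding the token to the customer id means a forwarded link is useless to anyone but the shopper who built the cart, and verifying the MAC before parsing keeps the JSON decoder off attacker-controlled bytes.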
Scopes, quotas and logging: full control
Each of the nine tools is toggled independently and every access is bounded by scopes (catalog:read, cart:write, order:write). Per-IP rate limiting protects the endpoint, and a detailed activity log traces every request. You decide exactly what an agent can see and do.
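To make the protocol mechanics concrete, here is an added example, written in Python rather than the module's PHP and not taken from the project, of a single-endpoint JSON-RPC 2.0 dispatcher of the kind the two sections above describe: initialize with version negotiation and fallback, tools/list restricted to enabled tools, tools/call gated by the token's scopes, a per-IP rate limit, and a 401 carrying the WWW-Authenticate header that points agents at the resource metadata. The catalog, the four tools shown, the clear-text sample tokens, the metadata URL and the limit of five requests per minute are all constructed for the example.

```python
import json
import time
from collections import defaultdict, deque

SUPPORTED_VERSIONS = ["2025-11-25", "2025-06-18"]  # newest first; the page names 2025-11-25
# Assumed URL of the Protected Resource Metadata document advertised to agents.
RESOURCE_METADATA_URL = "https://shop.example/.well-known/oauth-protected-resource"

# Constructed sample catalog and four tools, each bound to the scope it requires.
CATALOG = {17: "Blue running shoes", 18: "Trail running shoes", 25: "Wool socks"}
TOOLS = {
    "search_products": {"scope": "catalog:read", "enabled": True,
                        "run": lambda a: [i for i, n in CATALOG.items() if a.get("q", "").lower() in n.lower()]},
    "get_product": {"scope": "catalog:read", "enabled": True,
                    "run": lambda a: {"id": a["id"], "name": CATALOG[a["id"]]}},
    "add_to_cart": {"scope": "cart:write", "enabled": True,
                    "run": lambda a: {"cart_id": 4711, "added": a["id"], "qty": a.get("qty", 1)}},
    "create_order": {"scope": "order:write", "enabled": False,  # merchant left order mode off
                     "run": lambda a: {"order_id": 9001}},
}
# Constructed bearer tokens, in clear text only for brevity (a real store keeps hashes).
TOKEN_SCOPES = {
    "tok-catalog-only": {"catalog:read"},
    "tok-shopping": {"catalog:read", "cart:write", "order:write"},
}

RATE_LIMIT, RATE_WINDOW = 5, 60.0  # assumed: five requests per IP per minute
_hits = defaultdict(deque)


def rate_limited(ip, now):
    """Sliding-window counter; every request counts, so unauthenticated floods are throttled too."""
    q = _hits[ip]
    while q and now - q[0] >= RATE_WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def _rpc_error(rid, code, message):
    return 200, {}, {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def _rpc_result(rid, result):
    return 200, {}, {"jsonrpc": "2.0", "id": rid, "result": result}


def handle(raw, client_ip, bearer=None, now=None):
    """Process one POST to the MCP endpoint. Returns (http_status, headers, json_body)."""
    now = time.time() if now is None else now
    if rate_limited(client_ip, now):
        return 429, {"Retry-After": str(int(RATE_WINDOW))}, None
    scopes = TOKEN_SCOPES.get(bearer)
    if scopes is None:
        # 401 plus WWW-Authenticate is how an agent discovers where to obtain a token.
        return 401, {"WWW-Authenticate": f'Bearer resource_metadata="{RESOURCE_METADATA_URL}"'}, None
    try:
        req = json.loads(raw)
    except ValueError:
        return _rpc_error(None, -32700, "Parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        return _rpc_error(None, -32600, "Invalid Request")
    rid, method, params = req.get("id"), req["method"], req.get("params") or {}

    if method == "initialize":
        asked = params.get("protocolVersion")
        # Echo a supported version; otherwise offer the newest one and let the client decide.
        chosen = asked if asked in SUPPORTED_VERSIONS else SUPPORTED_VERSIONS[0]
        return _rpc_result(rid, {"protocolVersion": chosen, "capabilities": {"tools": {}},
                                 "serverInfo": {"name": "mcp-commerce-demo", "version": "0"}})
    if method == "tools/list":
        listing = [{"name": n, "inputSchema": {"type": "object"}} for n, t in TOOLS.items() if t["enabled"]]
        return _rpc_result(rid, {"tools": listing})
    if method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None or not tool["enabled"]:
            return _rpc_error(rid, -32602, "Unknown or disabled tool")
        if tool["scope"] not in scopes:
            hdr = {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{tool["scope"]}"'}
            return 403, hdr, None
        try:
            out = tool["run"](params.get("arguments") or {})
        except (KeyError, TypeError) as exc:
            return _rpc_result(rid, {"content": [{"type": "text", "text": f"bad arguments: {exc!r}"}],
                                     "isError": True})
        return _rpc_result(rid, {"content": [{"type": "text", "text": json.dumps(out)}], "isError": False})
    return _rpc_error(rid, -32601, "Method not found")
```

Two design points worth noting: the rate limiter runs before authentication so that token guessing is throttled as well, and a scope failure is reported as an HTTP 403 with an insufficient_scope challenge rather than as a JSON-RPC error, which is what lets an OAuth-aware agent ask the shopper for the missing scope instead of silently retrying.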
Secure by design
All tokens are stored as SHA-256 hashes, never in clear text. PKCE S256 is mandatory, redirect_uris are validated, authorization codes are single-use and refresh tokens are rotated. Discovery works via .well-known and via the WWW-Authenticate header, even without friendly URLs. The module is natively multistore compatible.
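The OAuth properties listed in the "Dual authentication" and "Secure by design" sections above fit in one small model. The following is an added example, not the module's PHP implementation, of an authorization server that registers a client with its redirect URIs, refuses any code_challenge_method other than S256, issues single-use authorization codes, verifies the PKCE verifier at the token endpoint, stores only SHA-256 hashes of the tokens it issues, and revokes a refresh token the moment it is rotated. Token lifetimes, the client-id format and the error dictionaries are assumptions; the PKCE verifier and challenge pair used in the usage check is the worked example from RFC 7636.

```python
import base64
import hashlib
import secrets
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_hash(token):
    """Tokens are stored and looked up by their SHA-256 hash only."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class AuthServer:
    CODE_TTL, ACCESS_TTL = 60, 3600  # assumed lifetimes in seconds

    def __init__(self):
        self.clients = {}   # client_id -> {"redirect_uris": [...]}
        self.codes = {}     # code -> {client_id, redirect_uri, challenge, scope, exp, used}
        self.access = {}    # sha256(access_token) -> {scope, exp}
        self.refresh = {}   # sha256(refresh_token) -> {client_id, scope}

    def register_client(self, redirect_uris):
        """Dynamic Client Registration: the agent announces its redirect URIs once."""
        client_id = "client-" + secrets.token_urlsafe(8)
        self.clients[client_id] = {"redirect_uris": list(redirect_uris)}
        return client_id

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, scope, now=None):
        """Consent approved on the login screen: mint a short-lived, single-use code."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        if redirect_uri not in client["redirect_uris"]:  # exact match, never prefix matching
            return {"error": "invalid_request", "error_description": "redirect_uri not registered"}
        if code_challenge_method != "S256" or not code_challenge:
            return {"error": "invalid_request", "error_description": "PKCE S256 is required"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": code_challenge,
                            "scope": scope, "exp": now + self.CODE_TTL, "used": False}
        return {"code": code}

    def token(self, client_id, code, code_verifier, redirect_uri, now=None):
        """Authorization-code grant: burn the code, verify PKCE, issue hashed-at-rest tokens."""
        now = time.time() if now is None else now
        rec = self.codes.get(code)
        if rec is None or rec["used"] or now > rec["exp"]:
            return {"error": "invalid_grant"}
        rec["used"] = True  # single use, even if the checks below fail
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(pkce_challenge(code_verifier), rec["challenge"]):
            return {"error": "invalid_grant"}
        return self._issue(client_id, rec["scope"], now)

    def refresh_grant(self, client_id, refresh_token, now=None):
        """Rotation: the presented refresh token is revoked before its successor is issued."""
        now = time.time() if now is None else now
        rec = self.refresh.pop(token_hash(refresh_token), None)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(client_id, rec["scope"], now)

    def _issue(self, client_id, scope, now):
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[token_hash(access_token)] = {"scope": scope, "exp": now + self.ACCESS_TTL}
        self.refresh[token_hash(refresh_token)] = {"client_id": client_id, "scope": scope}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": self.ACCESS_TTL,
                "refresh_token": refresh_token, "scope": scope}

    def scopes_for(self, access_token, now=None):
        """Resource-server check on each MCP request: hash the bearer, look it up, honour expiry."""
        now = time.time() if now is None else now
        rec = self.access.get(token_hash(access_token))
        if rec is None or now > rec["exp"]:
            return None
        return set(rec["scope"].split())


if __name__ == "__main__":
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B example
    srv = AuthServer()
    cid = srv.register_client(["https://agent.example/callback"])
    code = srv.authorize(cid, "https://agent.example/callback", pkce_challenge(verifier),
                         "S256", "catalog:read cart:write")["code"]
    print(srv.token(cid, code, verifier, "https://agent.example/callback"))
```

Marking the code as used before the PKCE comparison is deliberate: a failed exchange must not leave the code alive for a second attempt, and a later replay of a successfully exchanged code is refused for the same reason. Because the stores hold only hashes, a leaked copy of the token tables gives no usable bearer tokens.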