Shopify-Storefront-Private-Token and Storefront MCP

Hello again!

Following up on a previous question where it was confirmed that the Shopify-Storefront-Buyer-IP header is not required for the Storefront MCP endpoint (/api/mcp) and is specific to the Storefront GraphQL API.

We are currently making server-side calls from our AI Agent backend to the Storefront MCP server. When building traditional server-side headless storefronts, we would authenticate using a delegated access token or the Shopify-Storefront-Private-Token header (as per the documentation for server-side requests).

Given that the MCP endpoint seems to operate publicly and doesn’t explicitly document token requirements, my question is: Do we need to (or should we) include the Shopify-Storefront-Private-Token (or a delegated access token) when calling the Storefront MCP server from our backend?

Or is the MCP endpoint entirely public, making token-based headers redundant just like the Buyer-IP header?

Thanks for your help!
Ferenc

The Storefront MCP endpoint is entirely public, no authentication needed. The docs state it explicitly: “Storefront MCP servers don’t require authentication” (Storefront MCP server). The only header you need is Content-Type: application/json for your POST requests.

So the Private-Token and delegated access tokens are both redundant here, same as the Buyer-IP header you already confirmed. Where authentication does come into play is if you need the Customer Accounts MCP server, that one requires OAuth 2.0 with PKCE (Customer Accounts MCP server). But for the storefront endpoint itself you’re good to call it directly from your backend without any token headers.

Hi @ferenc

Just wanted to confirm what @Ruben_Stacksync said above, tokens are not required as it’s a publicly accessible MCP.
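
An added example, not part of the thread or of Shopify's code: a backend that reuses one HTTP client for Storefront GraphQL and Storefront MCP calls can end up sending the private token to the public `/api/mcp` endpoint, so this request builder drops the headers the thread calls redundant and keeps only `Content-Type: application/json`. The function name, the sample shop host, the placeholder token, treating `Authorization` as credential-bearing, and the MCP JSON-RPC method `tools/list` are assumptions for illustration.

```python
import json
import re

# Headers the thread says the Storefront MCP endpoint does not need, plus
# Authorization (assumption: where a shared client might carry a delegated token).
CREDENTIAL_HEADERS = {
    "shopify-storefront-private-token",
    "shopify-storefront-buyer-ip",
    "authorization",
}

# Bare DNS hostname only: no scheme, path, port, or userinfo.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def build_mcp_request(shop_host, method, params=None, inherited_headers=None, request_id=1):
    """Return (url, headers, body, dropped) for a POST to the Storefront MCP endpoint."""
    host = shop_host.strip().lower()
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"not a bare hostname: {shop_host!r}")

    headers, dropped = {}, []
    for name, value in (inherited_headers or {}).items():
        if name.lower() in CREDENTIAL_HEADERS:
            dropped.append(name)          # record the name only, never the value
        elif name.lower() != "content-type":
            headers[name] = value         # harmless headers pass through
    headers["Content-Type"] = "application/json"  # the one header the endpoint needs

    payload = {"jsonrpc": "2.0", "id": request_id, "method": method}
    if params is not None:
        payload["params"] = params
    return f"https://{host}/api/mcp", headers, json.dumps(payload), sorted(dropped)


# Constructed sample: default headers of a client also used for GraphQL calls.
SHARED_DEFAULTS = {
    "Shopify-Storefront-Private-Token": "PLACEHOLDER_PRIVATE_TOKEN",
    "Shopify-Storefront-Buyer-IP": "203.0.113.7",
    "User-Agent": "agent-backend/1.0",
    "content-type": "text/plain",
}

if __name__ == "__main__":
    url, headers, body, dropped = build_mcp_request(
        "example-shop.myshopify.com", "tools/list", inherited_headers=SHARED_DEFAULTS)
    print(url, headers, body, "dropped:", dropped)
```

Logging the `dropped` names during development shows where a shared client is attaching credentials that the public endpoint never needs.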