1. Home
  2. Docs
  3. Atlas AI Connector
  4. Usage & Setup
  5. Connect Claude to WordPress with OAuth 2.1 (MCP)

Connect Claude to WordPress with OAuth 2.1 (MCP)

This guide shows you how to connect Claude to WordPress using the built-in OAuth 2.1 system — the same steps also work for ChatGPT, Cursor and Claude Desktop. Atlas AI Connector turns your site into a secure Model Context Protocol (MCP) server; below you’ll set up authentication, authorize a client, compare free vs Pro, find your tools, and customize everything.

Table of Contents


1. Before you start (requirements)

  • The free Atlas AI Connector plugin installed and active (WordPress 6.8+, PHP 7.4+).
  • Your site served over HTTPS. Remote clients such as Claude.ai will only connect to a secure (https) URL.
  • A WordPress user account with permission to use the abilities you want the AI to access (each connection is limited to what that user is allowed to do).
  • Optional: Atlas AI Connector Pro for per-role authorization policies, per-token scope enforcement and Tool/Resource/Prompt access modes.

2. Your MCP server endpoint

Once the plugin is active, your MCP server is live at:

https://your-site.com/wp-json/awfah_mcp/mcp

This single URL is what you paste into any MCP client. The client automatically discovers how to authenticate using the standard OAuth 2.1 metadata documents your site publishes:

  • /.well-known/oauth-authorization-server — authorization server metadata (RFC 8414)
  • /.well-known/oauth-protected-resource — protected resource metadata (RFC 9728)

You can find and copy your exact endpoint, plus ready-made connection snippets (HTTP, WP-CLI/STDIO and remote-proxy), under Atlas AI Connector → MCP Adapter.

3. Authentication methods at a glance

Atlas AI Connector supports several ways to authenticate, so you can pick what fits your client:

  • OAuth 2.1 (recommended) — one-click connect for Claude, ChatGPT and Cursor. The client registers itself, you log in and approve, and a secure token is issued automatically. Mandatory PKCE (S256), short-lived access tokens and refresh tokens.
  • JWT tokens — token-based access for programmatic/custom integrations, sent as an Authorization: Bearer header.
  • Application Passwords — WordPress’ built-in per-application credentials work out of the box.
  • Static bearer token — an optional single shared token you set on the MCP Adapter page for simple, locked-down setups.

4. Enabling OAuth 2.1

  1. In the WordPress admin, go to Atlas AI Connector → MCP Auth.
  2. Tick Enable OAuth 2.1 and save. Your site immediately begins publishing the OAuth discovery documents and accepting client registrations.
  3. That’s it — there are no client IDs or secrets to copy by hand. Connected clients will appear in the Connected clients table on the same page.

5. How to connect Claude

Claude.ai & Claude Desktop

  1. Make sure OAuth 2.1 is enabled (step 4) and your site is on HTTPS.
  2. Copy your MCP endpoint URL from MCP Adapter: https://your-site.com/wp-json/awfah_mcp/mcp
  3. In Claude, open Settings → Connectors and choose Add custom connector.
  4. Paste the endpoint URL and confirm. Claude discovers the authentication automatically.
  5. Claude opens your site’s authorization page. Log in to WordPress if asked, review the requested permissions and click Authorize.
  6. You’re connected. Your enabled abilities now appear inside Claude as tools you can call by chatting.

Claude Code (CLI)

claude mcp add --transport http atlas https://your-site.com/wp-json/awfah_mcp/mcp

Then run /mcp inside Claude Code and choose to authenticate — your browser opens the same consent screen. Once approved, the tools are available in your session.

Other clients (ChatGPT, Cursor, Windsurf)

Add the same endpoint URL as a custom / remote MCP server in the client’s connector settings. The OAuth flow is identical: paste the URL, log in, approve.

When a client connects, your site shows an “Authorize MCP Connection” consent screen that clearly lists what the client is asking for. Permissions are grouped into three scopes:

  • mcp:read — read site content, settings and data.
  • mcp:write — create and update posts, pages, media and users.
  • mcp:woocommerce — manage your WooCommerce store.

Access tokens are short-lived (about one hour) and are refreshed silently; refresh tokens last around 30 days. A connection can never do more than the WordPress user who approved it is allowed to do.

7. JWT, Application Passwords & static tokens

If you are building a custom integration instead of using a chat client, you have alternatives to the interactive OAuth flow:

  • JWT: request a token with POST /wp-json/wp-rest/jwt-auth/v1/token (as a logged-in user, or with username + password), then send it as Authorization: Bearer <token>. Tokens default to a 1-hour lifetime and can be revoked.
  • Application Passwords: create one under Users → Profile → Application Passwords in WordPress and use it with HTTP Basic auth — no extra configuration needed.
  • Static bearer token: set a single shared token on the MCP Adapter page; every request must then send it as a Bearer header. Best for a single trusted automation.

8. Free vs Pro

The entire OAuth 2.1 server — discovery, dynamic client registration, PKCE, the consent screen and the token endpoint — is included in the free plugin. Pro adds finer-grained control over who may authorize and what each token is allowed to do.

CapabilityFreePro
OAuth 2.1 one-click connect (Claude, ChatGPT, Cursor)YesYes
Dynamic client registration & PKCE (S256)YesYes
Consent screen, scopes, token refresh & revokeYesYes
JWT & Application Password authYesYes
Per-ability role-based access (which tools a role sees)YesYes
Per-role OAuth policy (who may authorize, which scopes)Yes
Per-token scope enforcement (stricter than the role)Yes
Tool / Resource / Prompt (T/R/P) access modes per roleYes

Get the plugin: Download the free Atlas AI Connector from WordPress.org, or upgrade to Atlas AI Connector Pro to unlock per-role OAuth policy, per-token scope enforcement and Tool/Resource/Prompt access modes.

9. Where to find & choose your tools

“Tools” are the abilities your site exposes to the AI. Two places control them:

  • Atlas AI Connector → Dashboard — turn whole modules on or off.
  • Atlas AI Connector → MCP Adapter → Expose abilities — a grid where you tick exactly which individual abilities are published to MCP clients.

The available modules (and their ability counts) are:

  • AI Content Steward (8)
  • Posts Manager (13)
  • Pages Manager (5)
  • Media Manager (7)
  • Users Manager (7)
  • Custom Post Types Manager (6)
  • REST API Tools (3)
  • Site Info & Diagnostics (4)
  • Settings Manager (3)
  • AI Store Manager — WooCommerce (24; 26 with Pro, adding order create & update)
  • Error Debugger (Pro adds AI fix & scan)
  • External Abilities (Pro — auto-discovered from WordPress core and other plugins)

Abilities are exposed to AI in three forms: Tools (actions the AI can run), Resources (data it can read) and Prompts (guided workflows).

10. Customization

  • Rename your endpoint: change the namespace and route on the MCP Adapter page (for example to obscure the default path).
  • Pick exposed abilities: publish only the tools you need from the Expose abilities grid.
  • Role-based access (free): assign which abilities each WordPress role may use, so different users grant different tools.
  • Per-role OAuth policy (Pro): decide which roles may authorize an MCP client at all, and cap the scopes they can grant.
  • Per-token scope enforcement (Pro): restrict an individual connection below what its user could otherwise do.
  • T/R/P access modes (Pro): expose an ability as a Tool, a Resource, a Prompt, or any combination, per role.

11. Managing & revoking access

  • Every connected client is listed on the MCP Auth page with its granted scopes and connection date.
  • Click Revoke next to a client to instantly delete it and all of its tokens — the AI assistant loses access immediately.
  • JWT tokens can be listed and revoked through their own endpoints if you issued any.

12. Troubleshooting

  • Client won’t connect / no login prompt: confirm OAuth 2.1 is enabled and your site is on HTTPS. Remote clients reject http URLs.
  • “Connection failed”: open https://your-site.com/.well-known/oauth-authorization-server in a browser — it should return JSON. If not, re-save permalinks (Settings → Permalinks) so the rewrite rules register.
  • The AI can’t see a tool: make sure the module is enabled and the ability is ticked under Expose abilities, and that the connecting user’s role is allowed to use it.
  • WooCommerce tools missing: the Store Manager module only loads when WooCommerce is active.

13. Security best practices

  • Always serve your site over HTTPS — it is required for remote clients and protects tokens in transit.
  • Connect using a WordPress user whose role only has the abilities you actually want the AI to use; avoid authorizing as a full administrator unless necessary.
  • Expose only the abilities you need, and review the Connected clients list periodically — revoke anything you don’t recognize.
  • On Pro, use per-role OAuth policy and scope enforcement to keep each connection least-privileged.

Need a hand? Reach the team at atlasaidev.com.

How can we help?