Cheddar MCP Server (legacy API)

Model Context Protocol server that calls the legacy Cheddar merchant API documented at https://docs.getcheddar.com/ using HTTP Basic authentication (Authorization: Basic …).

This package does not use https://api.* OAuth2 / Bearer REST.

Package: @getcheddar/cheddar-mcp
Version: 2.1.3

Remote MCP Server (HTTP)

A public MCP HTTP server is available at https://mcp.getcheddar.com/mcp. This endpoint is useful for AI assistants and cloud platforms that support remote MCP connections over HTTPS (e.g. Cursor with remote MCP enabled). Health check: GET https://mcp.getcheddar.com/health.

For self-hosted deployments, see cheddar/iac/mcp-server-standalone.

Requirements

• Node.js 18+
• The origin that serves legacy /xml/… routes for your product (see CHEDDAR_BASE_URL below — it is not always the same host as hosted ChargeVault checkout pages).
• Product code (productCode in URLs)
• An authorized user email and password or the product API key (“secret key” from Configuration → Settings) as the Basic password (auth docs)

CHEDDAR_BASE_URL

The MCP calls paths such as /xml/plans/get/productCode/{productCode} on whatever origin you set.

• GetCheddar cloud products often serve the legacy XML API from https://getcheddar.com, while hosted signup / checkout may live on https://{subdomain}.chargevault.com. Using only the ChargeVault host can return 404 for /xml/… because that host is for hosted pages, not the full legacy app.
• Self-hosted Cheddar may use your own domain (the same origin you use in the browser for product admin and legacy XML).

How to verify: with your credentials, GET {CHEDDAR_BASE_URL}/xml/plans/get/productCode/{CHEDDAR_PRODUCT_CODE} should return 200 and XML (or JSON if supported), not an HTML error page. On startup the server runs this check unless CHEDDAR_SKIP_PREFLIGHT=1.

Environment variables

| Variable | Required | Description | |----------|----------|-------------| | CHEDDAR_BASE_URL | No | Origin where /xml/… is available, no trailing slash. Default: https://getcheddar.com (GetCheddar cloud). Only set this if you self-host Cheddar. | | CHEDDAR_PRODUCT_CODE | Yes | Your product's productCode segment in legacy URLs. | | CHEDDAR_USERNAME | Yes | Email of an API-enabled user on that product. | | CHEDDAR_PASSWORD | One of | That user's login password. | | CHEDDAR_PRODUCT_API_KEY | One of | Product secret key from admin settings; used as Basic password if CHEDDAR_PASSWORD is unset. | | CHEDDAR_SKIP_PREFLIGHT | No | If set to 1, skip startup GET /xml/plans/get/... check. |

For stdio (npm run start / Claude Desktop), CHEDDAR_PRODUCT_CODE, CHEDDAR_USERNAME, and password/API key are required in the environment. CHEDDAR_BASE_URL defaults to https://getcheddar.com; set it only if you use a self-hosted instance.

HTTP server (start:http) — per-client credentials

The Streamable HTTP entrypoint (node dist/http.js, Docker CMD) is built for hosted MCP behind a load balancer. Each MCP client uses their own product by sending Cheddar settings on every MCP HTTP request:

| Header | Required | Maps to | |--------|----------|---------| | X-Cheddar-Product-Code | Yes | Your product’s productCode in legacy URLs (/xml/.../productCode/{code}/...) — this is not the same as the hostname; you still need it even when the host is always getcheddar.com. | | X-Cheddar-Username | Yes | Authorized user email | | X-Cheddar-Product-Api-Key or X-Cheddar-Password | Yes | Basic password (product API key or user password) | | X-Cheddar-Base-Url | No | Legacy API origin (no trailing slash). Omitted → https://getcheddar.com (GetCheddar cloud). Override globally with CHEDDAR_DEFAULT_BASE_URL on the server, or per request with this header (e.g. self-hosted). |

Snake-case alternates are accepted (e.g. cheddar-product-code). Express matches headers case-insensitively.

Optional server defaults: if you also set CHEDDAR_* in the container environment, those values are used when a request omits all Cheddar headers (single-tenant convenience). If any Cheddar header is present on a request, product code + username + password/API key must come from headers (base URL may still be omitted and will use the default above); partial header sets return 400.

Security: use HTTPS so headers are not sent in clear text. Avoid ALB or proxy access logs that record custom headers in production.

Install & run

cd packages/cheddar-mcp
npm install
npm run build

export CHEDDAR_BASE_URL=https://getcheddar.com
export CHEDDAR_PRODUCT_CODE=YOUR_PRODUCT_CODE
export [email protected]
export CHEDDAR_PRODUCT_API_KEY=your_secret_key

npm run start
# or: node dist/index.js

Or with npx after publish:

npx -y @getcheddar/cheddar-mcp

Tools

| Tool | Legacy endpoint (conceptually) | |------|--------------------------------| | cheddar_customer_get | GET /xml/customers/get/productCode/.../code/… or /id/… | | cheddar_customers_search | GET /xml/customers/search/productCode/... (requests format=json when supported) | | cheddar_customer_create | POST /xml/customers/new/productCode/... (form body) | | cheddar_customer_update | POST /xml/customers/edit/productCode/.../code/... | | cheddar_plans_get | GET /xml/plans/get/productCode/... (optional planCode) |

Responses are returned as JSON text: XML from the API is parsed to a plain object where possible.

Claude Desktop example

Recommended: npx (no local build path). CHEDDAR_BASE_URL defaults to https://getcheddar.com; only set it if you self-host Cheddar.

{
  "mcpServers": {
    "cheddar": {
      "command": "npx",
      "args": ["-y", "@getcheddar/cheddar-mcp"],
      "env": {
        "CHEDDAR_PRODUCT_CODE": "YOUR_PRODUCT_CODE",
        "CHEDDAR_USERNAME": "[email protected]",
        "CHEDDAR_PRODUCT_API_KEY": "your_secret_key"
      }
    }
  }
}

Local dev: point command / args at node and ./dist/index.js (or bin/cheddar-mcp.mjs) under this package after npm run build.

Development

npm run build
npm test

License

MIT © Cheddar (chdr)

Support

• Documentation: https://docs.getcheddar.com
• Support: [email protected]
• Issues: https://github.com/chdr/cheddar-ai-tools/issues