play-console-mcp

An MCP server that lets AI agents (Claude, Cursor, …) manage Google Play Console — releases, store listings, monetization, reviews, and Android Vitals.

Once it's connected, just ask your assistant:

“List my Play Console apps.” “Show this week's crash rate for com.example.app.” “Reply to the latest 1‑star review and ask them to email support.” “Roll out ./app-release.aab to the internal track.”

Quick start

1. Add it to your AI client

It runs via npx — nothing to install. You just need a Google service-account key with access to your Play Console (2‑minute setup below).

Claude Code:

claude mcp add play-console \
  -e GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json \
  -e PLAY_READ_ONLY=true \
  -- npx -y @wiseappsai/play-console-mcp

Claude Desktop / Cursor — add to your client's MCP config:

{
  "mcpServers": {
    "play-console": {
      "command": "npx",
      "args": ["-y", "@wiseappsai/play-console-mcp"],
      "env": {
        "GOOGLE_APPLICATION_CREDENTIALS": "/path/to/service-account.json",
        "PLAY_READ_ONLY": "true"
      }
    }
  }
}

PLAY_READ_ONLY=true keeps it look-but-don't-touch. Remove it when you want the agent to make changes. Restart your client, and you're ready.

2. Try it

“Use play_reporting_apps to list my apps.” — needs no app id; confirms it's working. “List the latest reviews for com.example.app.”

That's it. The rest of this README is reference material.

Getting a service-account key (one time, ~2 min)

The server signs in as a Google Cloud service account that you grant access to your Play Console.

1. In the Google Cloud Console, pick/create a project and enable both APIs: Android Publisher and Play Developer Reporting.
2. Create a service account, open it → Keys → Add key → Create new key → JSON. Save the file somewhere private (not in a git repo).
3. In the Play Console → Users and permissions → Invite new users, add the service account's email (…@<project>.iam.gserviceaccount.com) and grant it permissions (account‑level “View app information” is enough to start; add more for publishing/replies).

Point GOOGLE_APPLICATION_CREDENTIALS at that JSON file (or paste its contents into PLAY_SERVICE_ACCOUNT_JSON). New grants can take a few minutes to take effect.

What it can do

34 tools, grouped into toolsets you can enable with PLAY_TOOLSETS (default: all). Each tool takes an action parameter selecting the operation — your agent reads the tool's description to know the options.

| Toolset | Tools | Covers | | --- | --- | --- | | releases | play_edit, play_tracks, play_artifacts, play_artifact_files | Edits, release tracks, AAB/APK uploads, expansion & mapping files | | store_listing | play_listings, play_images | Listings, app details, screenshots & graphics | | monetization | play_inappproducts, play_subscriptions, play_subscription_baseplans, play_subscription_offers, play_onetimeproducts, play_onetimeproduct_offers, play_pricing | In-app products, subscriptions, base plans, offers, one-time products, price conversion | | commerce | play_purchases_products, play_purchases_subscriptions, play_voided_purchases, play_orders | Purchase verification, subscription management, voided purchases, orders & refunds | | reviews | play_reviews, play_reviews_export | List/read/reply to recent reviews (last ~7 days); play_reviews_export reads the full historical reviews CSVs from the Cloud Storage reports bucket | | users | play_users | Console users & per-app permission grants | | devices | play_device_tier_configs | Device tier configs | | advanced | play_generated_apks, play_internal_app_sharing, play_app_recovery, play_external_transactions, play_data_safety | Generated/system APKs, internal sharing, app recovery, external transactions, data safety | | vitals | play_vitals_crash_anr, play_vitals_errors, play_vitals_performance, play_vitals_battery, play_vitals_anomalies, play_reporting_apps | Android Vitals: crashes, ANRs, errors, performance, battery, anomalies | | reports | play_stats_export | Historical statistics & acquisition CSV exports from the Cloud Storage reports bucket: installs, store performance (acquisitions), ratings, crashes, acquisition (retained installers, 7-day buyers) | | workflows | play_publish_release, play_promote_release | One-call “upload + roll out” and “promote between tracks” |

Configuration

All configuration is via environment variables. The common ones:

| Variable | Description | | --- | --- | | GOOGLE_APPLICATION_CREDENTIALS | Path to your service-account key file. (or PLAY_SERVICE_ACCOUNT_JSON for inline JSON) | | PLAY_READ_ONLY | true = expose only read actions. Default false. | | PLAY_TOOLSETS | Comma-separated toolsets to enable, or all (default). | | PLAY_DEVELOPER_ACCOUNT_ID | Numeric developer id — required for the users toolset. | | PLAY_REPORTS_BUCKET | Cloud Storage report-export bucket for play_reviews_export and play_stats_export — the value from Play Console → Download reports → "Copy Cloud Storage URI" (pubsite_prod_rev_…). | | PLAY_STORAGE_CREDENTIALS | Credentials JSON used only for the storage/reviews-export client (see Historical reviews export below). Optional. |

| Variable | Default | Description | | --- | --- | --- | | PLAY_SERVICE_ACCOUNT_JSON | — | Inline service-account key JSON (alternative to the file path). | | PLAY_OAUTH_CLIENT_ID / _SECRET / _REFRESH_TOKEN | — | OAuth 2.0 refresh-token auth (alternative to a service account). | | PLAY_AUTO_COMMIT_EDITS | true | When an edit-based action has no editId, open an edit, apply, and commit in one shot. | | PLAY_ENABLE_LEGACY_SUBSCRIPTIONS_V1 | false | Expose the deprecated purchases.subscriptions (v1) actions. | | PLAY_REGIONS_VERSION | 2022/02 | Default monetization regionsVersion for subscription/product writes. | | PLAY_LOG_LEVEL | info | error | warn | info | debug (logs go to stderr). |

• Edits. Most release/listing changes use Google's transactional edits (open → change → commit). Omit editId and it commits automatically; pass an editId (from play_edit → insert) to batch several changes and commit them yourself.
• Uploads. Upload actions take a media object with a filePath (on the machine running the server) or base64 contents.
• Vitals app id. Reporting tools take an appId — usually the package name; find it with play_reporting_apps → search.

See .env.example for a copy‑paste template.

play_reviews only returns the last ~7 days of reviews — that's a hard limit of the Android Publisher API. For older reviews and full per-month history, play_reviews_export reads the monthly CSVs Google writes to your private Cloud Storage reports bucket. Two things to set up:

1. The bucket id. Copy it from Play Console → Download reports → Reviews → "Copy Cloud Storage URI" (it looks like gs://pubsite_prod_rev_0123456789). Set it as PLAY_REPORTS_BUCKET. It is not your developer account id and can't be discovered via any API — so it must be configured (or passed as the bucket arg).

2. A credential that can read it. These buckets are owned by Google and grant only the Play account owner (a user identity) read access — a service account usually cannot be granted access (you'll see 403/getIamPolicy denied). So the storage client uses a credential separate from your Android Publisher service account:

• Local: run gcloud auth application-default login and sign in as the Play account owner. The MCP auto-detects these Application Default Credentials — no extra config.

• Docker / explicit: set PLAY_STORAGE_CREDENTIALS to a credentials JSON the container can read, e.g. mount your ADC file:

  -v "$HOME/.config/gcloud/application_default_credentials.json:/creds.json:ro" \
  -e PLAY_STORAGE_CREDENTIALS=/creds.json

Resolution order for the storage credential: PLAY_STORAGE_CREDENTIALS → gcloud ADC (when the main auth is a service account) → the main auth. If your main auth is already OAuth user credentials, storage just works.

Docker (image at ghcr.io/wiseappsai/play-console-mcp:latest). Pass credentials as inline JSON and run interactively (-i, it's a stdio server):

{
  "mcpServers": {
    "play-console": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "PLAY_SERVICE_ACCOUNT_JSON", "-e", "PLAY_READ_ONLY", "ghcr.io/wiseappsai/play-console-mcp:latest"],
      "env": { "PLAY_SERVICE_ACCOUNT_JSON": "{\"type\":\"service_account\", ...}", "PLAY_READ_ONLY": "true" }
    }
  }
}

From source:

git clone https://github.com/wiseappsai/play-console-mcp.git
cd play-console-mcp && npm install && npm run build
# then point your client at:  node /abs/path/play-console-mcp/dist/index.js

Troubleshooting

• 403 … API … is disabled — enable the named API (Android Publisher and/or Play Developer Reporting) for your project, then wait ~2 minutes.
• 403 … insufficient permissions — the service account isn't granted access in Play Console → Users and permissions yet (or the grant hasn't propagated).
• PLAY_DEVELOPER_ACCOUNT_ID is required — the users toolset needs your numeric developer id (from the Play Console Setup → API access URL).
• An action seems missing — you're in PLAY_READ_ONLY=true mode, or its toolset isn't in PLAY_TOOLSETS.
• play_reviews_export says it can't read the bucket (401/403) — the reports bucket can't be granted to a service account; run gcloud auth application-default login as the Play account owner, or set PLAY_STORAGE_CREDENTIALS. See Historical reviews export above.
• No reports bucket configured — set PLAY_REPORTS_BUCKET from Play Console → Download reports → "Copy Cloud Storage URI".

npm install
npm run build      # tsc -> dist/
npm test           # vitest (in-memory MCP client/server, no network)
npm run typecheck
npm run dev        # run from source with tsx

Each toolset is a module in src/tools/<toolset>.ts exporting buildTools(config), registered via src/lib/tool.ts; auth and the Google clients live in src/auth.ts / src/clients.ts. Please keep npm test and npm run typecheck green.

Releases are automated: push a vX.Y.Z tag (matching package.json) to publish to npm + the MCP registry (release.yml) and build + push the Docker image to GHCR (docker.yml).

Security

This server can change your Play Console (publish releases, edit prices, reply to reviews, manage users). Grant the service account only what it needs, use PLAY_READ_ONLY=true for read-mostly use, and never commit your key file. Credentials are read from env vars and never logged.

License

MIT © WiseApps AI