Plausible
FreeNot checkedMCP server for Plausible Analytics that enables querying traffic, conversions, and comparing time periods from any AI tool supporting MCP.
About
MCP server for Plausible Analytics that enables querying traffic, conversions, and comparing time periods from any AI tool supporting MCP.
README
MCP server for Plausible Analytics — query traffic, conversions, and compare time periods from any AI tool that supports Model Context Protocol.
Built for teams that want to ask questions like:
- "Did our deploy on Tuesday affect traffic to /pricing?"
- "What's the signup conversion rate on /blog this month?"
- "How does this week's bounce rate compare to last week?"
Tools
| Tool | Description |
|---|---|
get_timeseries |
Traffic and conversion metrics over time (daily/weekly/monthly) |
get_breakdown |
Break down by page, source, country, device, browser, OS, UTM params |
get_conversions |
Goal conversion rates, optionally per-page |
compare_periods |
Side-by-side comparison of two date ranges with absolute and % deltas |
All tools are read-only and annotated with readOnlyHint: true.
Quick Start
Remote (Hosted)
A hosted instance is available at https://plausible-mcp.sentry.dev.
With your own Plausible API key (any user):
claude mcp add --transport http plausible https://plausible-mcp.sentry.dev/mcp --header "Authorization: Bearer YOUR_PLAUSIBLE_API_KEY"
Keep the URL before
--header.--headeris variadic, so if it comes last it swallows the URL and the CLI fails witherror: missing required argument 'commandOrUrl'.
Or add manually to your MCP client config (Claude Desktop, Cursor, etc.):
{
"mcpServers": {
"plausible": {
"url": "https://plausible-mcp.sentry.dev/mcp",
"headers": {
"Authorization": "Bearer YOUR_PLAUSIBLE_API_KEY"
}
}
}
}
Sentry employees (via OAuth 2.1 + Cloudflare Access):
The /internal endpoint is an OAuth 2.1 server — no API key needed. Add it as a remote/custom connector in any OAuth-capable MCP client (Cowork, Claude.ai connectors, Claude Desktop):
https://plausible-mcp.sentry.dev/internal
The client discovers the OAuth endpoints automatically, sends you through Sentry SSO (Cloudflare Access), and only @sentry.io identities are granted access. Queries run against a shared, server-side Plausible API key — you never handle a key.
The hosted
/internalatplausible-mcp.sentry.devis Sentry-only and can't be used outside the org. To run/internalfor a different organization, self-host and setALLOWED_EMAIL_DOMAINto your own domain. (The public/mcpbring-your-own-key endpoint has no such restriction.)
Local (STDIO)
If you prefer to run it locally:
git clone https://github.com/getsentry/plausible-mcp.git
cd plausible-mcp
pnpm install
pnpm build
Add to Claude Code:
claude mcp add plausible -e PLAUSIBLE_API_KEY=your-key -- node /path/to/plausible-mcp/dist/index.js
Or Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"plausible": {
"command": "node",
"args": ["/path/to/plausible-mcp/dist/index.js"],
"env": {
"PLAUSIBLE_API_KEY": "your-key"
}
}
}
}
Self-Hosting (Cloudflare Workers)
Deploy your own instance:
git clone https://github.com/getsentry/plausible-mcp.git
cd plausible-mcp
pnpm install
npx wrangler deploy
The worker exposes two endpoints:
/mcp— bring-your-own-key. Each user passes their own Plausible API key via theAuthorization: Bearerheader. No shared secrets needed on the server. Works with any header-capable MCP client (Claude Code, Cursor, MCP Inspector)./internal— Access-protected MCP endpoint for managed connectors (Cowork, Claude.ai). A Cloudflare Access application with Managed OAuth fronts the whole Worker hostname (see the constraint below): Access runs the OAuth 2.1 handshake with the client and forwards each request to the Worker with aCf-Access-Jwt-Assertionheader. The Worker verifies that header and queries a shared, server-side Plausible API key. Access is gated to the email domain(s) inALLOWED_EMAIL_DOMAIN(defaults tosentry.io) — not tied to Sentry when you self-host; set it to your own domain.
Because the Managed OAuth application must cover the bare hostname with no path (Cloudflare rejects a path when OAuth is enabled — domain can not have a path if oauth is configured), it also gates /mcp. To keep the bring-your-own-key /mcp endpoint public you add a second, more-specific Access application scoped to the /mcp path with a Bypass policy. Cloudflare matches the most specific hostname+path first, so /mcp requests bypass Access entirely while everything else goes through OAuth. Both apps live on one hostname; no separate subdomain is required.
Beta / client requirement. Cloudflare Access Managed OAuth is in Beta and requires an MCP client that supports RFC 8707 (resource indicators). Confirm your connector supports it before relying on this path.
Setting up the /internal endpoint (Cloudflare Access Managed OAuth)
The Worker runs no OAuth server — Cloudflare Access is the authorization server. There is no OAUTH_KV, no cookie key, and no OAuth client id/secret. You create two Access applications on the same hostname.
- Create the Managed OAuth application over the bare hostname (Zero Trust → Access → Applications): a self-hosted app or MCP server application whose domain is
plausible-mcp.sentry.devwith no path.- ⚠️ Do not scope it to
/internal. Once Managed OAuth is enabled, Cloudflare rejects any path withaccess.api.error.invalid_request: domain can not have a path if oauth is configured. The app must be the whole host; the Worker enforces the/internalroute itself. - Add an Access policy (Action
Allow) restricting to your email domain (e.g.@acme.com) and identity provider. - Enable Managed OAuth (Advanced settings → Managed OAuth) and set Allowed redirect URIs to your connector's actual callback — for Claude/Cowork that is
https://claude.ai/api/mcp/auth_callback. Public HTTPS callbacks must be listed or Dynamic Client Registration fails withinvalid_client_metadata: redirect_uri is not allowed by the account configuration; loopback (http://localhost:*) callbacks are allowed by default. - Copy the application's AUD tag → this becomes
CF_ACCESS_AUD.
- ⚠️ Do not scope it to
- Carve
/mcpback out with a second, path-scoped Bypass application. Because step 1 covers the whole host,/mcp(bring-your-own-key) is now gated too. Create another self-hosted app, domainplausible-mcp.sentry.devpathmcp, with Managed OAuth OFF, and a policy whose Action isBypasswith the selectorEveryone.Bypass≠Allow: anAllowpolicy still forces an interactive login (the client gets an HTML302to the login page and fails withUnexpected content type: text/html). OnlyBypasslets the request through with no authentication, so the Worker's own Bearer-key check applies.
- Set the worker secrets:
npx wrangler secret put CF_ACCESS_TEAM_DOMAIN # https://<team>.cloudflareaccess.com (no trailing slash) npx wrangler secret put CF_ACCESS_AUD # the Managed OAuth application's AUD tag (from step 1) npx wrangler secret put PLAUSIBLE_API_KEY # shared key for /internal queries - Set the
[vars]inwrangler.toml:ALLOWED_EMAIL_DOMAIN— the email domain(s) allowed to sign in, comma-separated,@optional (defaultsentry.io). Enforced in code in addition to the Access policy in step 1, so set it to your own domain — otherwise every login is rejected.
- Deploy (
npx wrangler deploy), then point an RFC 8707-capable MCP client athttps://<your-worker-host>/internal.
Troubleshooting. All of these are Cloudflare Access configuration, not the Worker — a request only reaches the Worker (and its Sentry spans) once Access forwards it:
| Symptom (in the connector) | Cause | Fix |
|---|---|---|
Couldn't register … / add an OAuth Client ID |
Connector callback isn't in Allowed redirect URIs | Add the exact callback (step 1); read the rejected redirect_uri from Zero Trust → Logs → Access |
domain can not have a path if oauth is configured |
Managed OAuth app scoped to a path | Rescope app 1 to the bare host (step 1) |
/mcp: Unexpected content type: text/html |
/mcp app policy is Allow, not Bypass |
Set the app-2 policy Action to Bypass (step 2) |
/mcp: OAuth 401 invalid_token |
No /mcp bypass app; the whole-host OAuth app is gating it |
Create app 2 (step 2) |
Configuration
| Environment Variable | Required | Default | Description |
|---|---|---|---|
PLAUSIBLE_API_KEY |
Yes (STDIO) | — | Your Plausible API key (get one here) |
PLAUSIBLE_BASE_URL |
No | https://plausible.io |
URL of your Plausible instance (for self-hosted) |
PLAUSIBLE_DEFAULT_SITE_ID |
No | — | Default site domain so you don't have to pass site_id every call |
CF_ACCESS_TEAM_DOMAIN |
Yes (Worker /internal) |
— | https://<team>.cloudflareaccess.com — verifies the Cf-Access-Jwt-Assertion JWKS + issuer. No trailing slash. |
CF_ACCESS_AUD |
Yes (Worker /internal) |
— | The Access application's Application Audience (AUD) tag — checked against the assertion's aud. |
ALLOWED_EMAIL_DOMAIN |
No (Worker /internal) |
sentry.io |
Comma-separated email domain(s) allowed to sign in to /internal. Set to your own domain when self-hosting. |
On the Worker, the /mcp endpoint needs no server-side key — each user passes their own via Authorization: Bearer. The /internal endpoint is fronted by Cloudflare Access Managed OAuth and uses a shared server-side PLAUSIBLE_API_KEY secret (see self-hosting).
Plausible API
This server wraps the Plausible Stats API v2 (POST /api/v2/query). It works with both Plausible Cloud and self-hosted instances.
Supported Metrics
visitors, visits, pageviews, views_per_visit, bounce_rate, visit_duration, events, scroll_depth, percentage, conversion_rate, group_conversion_rate, average_revenue, total_revenue, time_on_page
Supported Dimensions
event:page, event:goal, event:hostname, visit:entry_page, visit:exit_page, visit:source, visit:referrer, visit:channel, visit:utm_medium, visit:utm_source, visit:utm_campaign, visit:utm_content, visit:utm_term, visit:device, visit:browser, visit:browser_version, visit:os, visit:os_version, visit:country, visit:region, visit:city, visit:country_name, visit:region_name, visit:city_name
The *_name geography dimensions return human-readable names (e.g. "Canada"); the plain visit:country/region/city return ISO/Geoname codes.
Development
pnpm install
pnpm build # TypeScript compilation
pnpm test # Run unit + integration tests
pnpm test:watch # Watch mode
Testing with MCP Inspector
pnpm build
PLAUSIBLE_API_KEY=your-key npx @modelcontextprotocol/inspector node dist/index.js
LLM Evals
Verifies Claude picks the right tool for natural language analytics questions:
ANTHROPIC_API_KEY=sk-... pnpm eval
Architecture
src/
├── index.ts # STDIO entry point (local use)
├── worker.ts # Cloudflare Worker entry point (remote)
├── server.ts # Creates McpServer, registers all tools
├── plausible.ts # PlausibleClient — standalone API client
├── schemas.ts # Shared Zod schemas and filter helpers
└── tools/
├── get-timeseries.ts
├── get-breakdown.ts
├── get-conversions.ts
└── compare-periods.ts
PlausibleClient has zero MCP dependency and can be used standalone.
Observability & data collection
The Worker reports to Sentry with an endpoint-dependent privacy posture:
/mcp(bring-your-own-key) — fully anonymous. Tool inputs and outputs are not recorded (that data belongs to the caller and their own key), no identity is attached, and the ingest-inferred client IP is stripped (src/redaction.ts). Only operational telemetry remains: tool names, span timings, and failures./internal(SSO-gated) — attributed. Requests carry the authenticated@sentry.ioemail (Sentry.setUser), and tool inputs/outputs are recorded (recordToolIO) for attribution and abuse-tracing on the shared server-side key.
Authorization / Cookie / Cf-Access-Jwt-Assertion headers are stripped from spans on both paths. As a belt-and-suspenders backstop, enable Prevent Storing of IP Addresses in the Sentry project's Security & Privacy settings.
License
MIT — see LICENSE.
Install Plausible in Claude Desktop, Claude Code & Cursor
unyly install plausible-mcpInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add plausible-mcp -- npx -y plausible-mcpFAQ
Is Plausible MCP free?
Yes, Plausible MCP is free — one-click install via Unyly at no cost.
Does Plausible need an API key?
No, Plausible runs without API keys or environment variables.
Is Plausible hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Plausible in Claude Desktop, Claude Code or Cursor?
Open Plausible on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Plausible with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
