AI / MCP Setup
Events Manager 7.3 onwards can be controlled by an AI assistant. You can ask Claude, ChatGPT, Cursor, VS Code, Codex, or any other AI client that supports the Model Context Protocol (MCP) to list your events, check booking availability, create or update an event, manage bookings, and more β all in plain language, while WordPress keeps its normal permissions in place.
This page walks you through it. The first half is written for site owners who just want to point an AI app at their site. The second half goes into the technical details for developers who want to script, embed, or customise the connection.
What is MCP, and why does Events Manager use it?β
MCP is an open protocol that lets AI assistants talk to other tools. Events Manager publishes a set of "abilities" (list events, create an event, list bookings, etc.) through the WordPress Abilities API. A small WordPress plugin called the MCP Adapter turns those abilities into MCP tools that any compatible AI client can discover and use.
A few things worth knowing up front:
- You stay in control. Every request the AI makes runs through WordPress's normal capability checks. If the connected WordPress user can't delete events, the AI can't either.
- No passwords in URLs. Modern AI clients connect through your browser using OAuth, the same way you'd "Sign in with Google". Older clients can still use a WordPress Application Password as a fallback.
- You can turn it off. The AI / MCP setup box is opt-in. Nothing is exposed until you install and activate the MCP Adapter plugin.
Before you startβ
You need:
- WordPress 7.0 or later. WordPress 6.9 included an early version of the Abilities API, but 7.0 is the supported target. The setup box checks this for you.
- Events Manager with its REST and Abilities API active (this is the default).
- The WordPress MCP Adapter plugin. The setup box can install and activate this for you, or you can download the latest release from github.com/WordPress/mcp-adapter/releases.
- An AI client that supports MCP β for example Claude Desktop, Claude Code, Cursor, VS Code (with the agent extension), or ChatGPT custom connectors.
The simple flow: one URL, browser approvalβ
If you're using a modern AI client like Claude Desktop, this is the easiest path.
- In WordPress, open Events > Settings > General and find the AI / MCP Setup box.
- Follow the three steps in the box:
- WordPress 7.0+ β ready as long as you're on WP 7.0 or newer.
- MCP Adapter β click Install MCP Adapter, then Activate MCP Adapter.
- MCP Server URL β once steps 1 and 2 are ready, a URL like this appears:
https://your-site.com/wp-json/mcp/mcp-adapter-default-server
- Copy that URL.
- In your AI client, add a new MCP server and paste the URL. The client will open a browser tab, send you to your WordPress site, and ask you to approve the connection while logged in as the WordPress user you want the AI to act as.
- Approve the connection. The AI client will now be able to call Events Manager.
That's it. There's no need to copy passwords or fiddle with JSON. You can revoke the connection at any time from WordPress by removing the OAuth grant.
Live sites need HTTPS. Most AI clients refuse to connect to plain
http://for anything other than a clearly local site (.lan,.local,.test, orlocalhost). If your live site doesn't have HTTPS, set that up first.
Choosing the right WordPress user for the AIβ
The AI acts as a specific WordPress user. We strongly recommend you create a dedicated user for each AI client instead of connecting your administrator account.
The setup box suggests several "recipes" depending on what you want the AI to do:
| What the AI should do | Capabilities to grant |
|---|---|
| Answer questions about public events, locations, categories, tags, and availability | read |
| Create and update events and locations | read, edit_events, edit_locations, publish_events |
| Approve, reject, or change bookings | read, manage_bookings, optionally manage_others_bookings |
| Delete or trash events and locations | read, plus the matching delete_* capabilities β only for trusted internal agents |
You can assign these with a role editor plugin, custom code, or WP-CLI. The smallest set of capabilities that lets the AI do its job is always the safest choice.
Connecting common AI clientsβ
The simple flow above works for any client that supports remote MCP server URLs and OAuth. The instructions below show what that looks like in each app.
Claude Desktop, Claude Code, Cursor, VS Codeβ
Open the app's MCP settings panel and add a new server. Choose "remote URL" (the exact label varies by app), paste the MCP Server URL from the Events Manager setup box, and approve the connection in your browser when prompted.
After it's connected, ask the assistant something like "List my upcoming events" or "What's the booking availability for the next workshop?". The client will discover the Events Manager abilities and use them as tools.
ChatGPT custom connectorsβ
ChatGPT needs a publicly reachable HTTPS URL β a local .lan site won't work. Use the same MCP Server URL from the setup box on a live HTTPS site. Workspace admins may need to enable custom apps/connectors before users can add them.
Older clients without OAuth supportβ
Some AI clients (and command-line tools) don't yet support browser OAuth. In that case, use the Advanced configuration below with a WordPress Application Password.
A note on local developmentβ
If you're running Events Manager on a .lan, .local, .test, or localhost site, two things are different:
- Application Passwords are normally HTTPS-only. To enable them on a local HTTP site, add this to
wp-config.php:define( 'WP_ENVIRONMENT_TYPE', 'local' ); - HTTPS tunnels. If you need a reachable HTTPS URL for an AI client that can't reach your machine, define
EM_OAUTH_TUNNELinwp-config.phpwith your tunnel URL (for example an ngrok URL). Events Manager will use that tunnel URL in the OAuth and MCP metadata it publishes.
For local CLI work, the WP-CLI STDIO transport documented below avoids HTTP entirely.
Advanced configuration
The rest of this page is aimed at developers, integrators, and anyone using an AI client that needs explicit MCP server JSON.
Application Passwords (fallback authentication)β
If your AI client doesn't support OAuth, create an Application Password for it.
- In WordPress admin, go to Users > Profile > Application Passwords.
- Add a new password named something like
MCP Agentand copy the generated value. - Use that password (along with the username) in the JSON examples below.
Treat Application Passwords like passwords. Copy them once into the AI client's secure credential store and revoke them when no longer needed.
Client configuration examplesβ
These examples use the Automattic MCP WordPress Remote bridge, which connects an AI client over STDIO to a remote WordPress MCP Adapter endpoint over HTTP.
Claude Desktopβ
{
"mcpServers": {
"events-manager-local": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "http://wp.lan/wp-json/mcp/mcp-adapter-default-server",
"WP_API_USERNAME": "mcp-agent",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}
Restart Claude Desktop after editing the config. You can check connected tools from the connectors/tools UI.
Codex CLI and Codex IDEβ
Add this to ~/.codex/config.toml:
[mcp_servers.events-manager-local]
command = "npx"
args = ["-y", "@automattic/mcp-wordpress-remote@latest"]
env = { WP_API_URL = "http://wp.lan/wp-json/mcp/mcp-adapter-default-server", WP_API_USERNAME = "mcp-agent", WP_API_PASSWORD = "xxxx xxxx xxxx xxxx xxxx xxxx" }
Then verify:
codex mcp list
Cursorβ
Add this to ~/.cursor/mcp.json for a global server:
{
"mcpServers": {
"events-manager-local": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "http://wp.lan/wp-json/mcp/mcp-adapter-default-server",
"WP_API_USERNAME": "mcp-agent",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}
Restart Cursor and confirm the server in the MCP tools view.
VS Codeβ
VS Code uses a top-level servers object. Add this to .vscode/mcp.json inside the project:
{
"servers": {
"events-manager-local": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "http://wp.lan/wp-json/mcp/mcp-adapter-default-server",
"WP_API_USERNAME": "mcp-agent",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}
Enable the server in the tools picker when using agent mode.
Live site (HTTPS)β
The shape is the same as the localhost examples β just use an HTTPS URL:
{
"mcpServers": {
"events-manager": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "https://example.com/wp-json/mcp/mcp-adapter-default-server",
"WP_API_USERNAME": "mcp-agent",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}
Application Passwords should be used only over HTTPS on live sites.
Local WP-CLI STDIO transportβ
For local development, the WP-CLI STDIO transport avoids Application Passwords and HTTP issues entirely:
{
"mcpServers": {
"events-manager-local": {
"command": "wp",
"args": [
"--path=/path/to/wordpress",
"mcp-adapter",
"serve",
"--server=mcp-adapter-default-server",
"--user=admin"
]
}
}
}
You can test discovery from the terminal:
echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"mcp-adapter-discover-abilities","arguments":{}}}' \
| wp --path=/path/to/wordpress mcp-adapter serve --user=admin --server=mcp-adapter-default-server
Ability referenceβ
Every ability is registered with meta.show_in_rest: true and meta.mcp.public: true. Each ability enforces the same WordPress capability checks as its corresponding REST endpoint.
Eventsβ
events-manager/list-eventsβ list eventsevents-manager/get-eventβ get one eventevents-manager/get-event-availabilityβ get booking availability for one eventevents-manager/create-eventβ create an eventevents-manager/update-eventβ update an eventevents-manager/delete-eventβ delete or trash an event
Locationsβ
events-manager/list-locationsβ list locationsevents-manager/get-locationβ get one locationevents-manager/create-locationβ create a locationevents-manager/update-locationβ update a locationevents-manager/delete-locationβ delete or trash a location
Bookings and taxonomyβ
events-manager/list-bookingsβ list visible bookingsevents-manager/get-bookingβ get one bookingevents-manager/create-bookingβ create a bookingevents-manager/update-bookingβ update a bookingevents-manager/set-booking-statusβ approve, reject, or cancel a bookingevents-manager/delete-bookingβ delete a bookingevents-manager/list-categoriesβ list event categoriesevents-manager/list-tagsβ list event tags
Built-in OAuth serverβ
Events Manager ships a reusable OAuth authorization server (classes/em-oauth/oauth-server.php) with an MCP-specific layer on top (classes/api/em-api-mcp-oauth.php). It provides:
- Dynamic public-client registration.
- Authorization Code + PKCE browser approval.
- Token exchange and bearer-token validation that maps tokens back to the approving WordPress user.
EM_OAUTH_TUNNELURL replacement for public metadata, authorization, token, and registration URLs.
The published endpoints are:
- Protected resource metadata:
/.well-known/oauth-protected-resource/wp-json/mcp/mcp-adapter-default-server - Authorization server metadata:
/.well-known/oauth-authorization-server - Dynamic public-client registration:
/wp-json/events-manager/v1/mcp/oauth/register - Authorization endpoint:
/em-mcp/oauth/authorize - Token endpoint:
/wp-json/events-manager/v1/mcp/oauth/token
To disable the MCP OAuth layer:
add_filter( 'em_mcp_oauth_server_enabled', '__return_false' );
Filtersβ
Site owners and developers can fine-tune what's exposed:
em_api_ability_mcp_publicβ disable MCP exposure for all Events Manager abilities, or filter destructive ones out:add_filter( 'em_api_ability_mcp_public', function( $public, $name, $annotations ) {return empty( $annotations['destructive'] );}, 10, 3 );em_mcp_oauth_available,em_mcp_oauth_provider,em_mcp_oauth_setup_url,em_mcp_oauth_stateβ supply or override OAuth detection from another integration.em_mcp_oauth_server_enabledβ disable the built-in OAuth server entirely.
Agent handoff profileβ
The setup box can copy or download an events-manager-mcp-profile.json handoff file for another AI agent or support technician. It includes:
- Site name, home URL, REST API base, MCP endpoint, and Abilities endpoint.
- WordPress, Events Manager, and MCP Adapter readiness state.
- OAuth readiness, fallback authentication type, and a username hint (but never the Application Password).
- Events Manager ability groups and safety guidance for destructive operations.
- Pro-specific feature metadata when Events Manager Pro is active.
Use this file when helping a customer set up Claude, Codex, Cursor, VS Code, ChatGPT custom connectors, or any other MCP-aware client. Provide Application Passwords separately through the target client's secure credential flow.
Readiness diagnosticsβ
To verify the setup by hand:
| Check | What it verifies |
|---|---|
| Abilities API | function_exists( 'wp_register_ability' ) β WordPress 7.0+ exposes the Abilities API. |
| MCP Adapter | The WordPress/mcp-adapter plugin is installed AND active. |
| OAuth connection | An OAuth-capable bridge is detected via em_mcp_oauth_available. |
| Application Passwords | wp_is_application_passwords_available() β gated by HTTPS or WP_ENVIRONMENT_TYPE=local. |
| Site transport | HTTPS or a local .lan / .local / .test host. Remote AI clients usually require HTTPS. |
| REST API base | rest_url() returns the site's REST root. |
Security checklistβ
- Use a dedicated MCP user, not a shared administrator account.
- Grant the smallest set of Events Manager capabilities needed for the workflow.
- Keep delete abilities enabled only for trusted clients and users.
- Revoke Application Passwords when access is no longer needed.
- Review server logs for MCP activity after enabling write operations.
Useful endpointsβ
- Abilities REST discovery:
/wp-json/wp-abilities/v1 - MCP Adapter default server:
/wp-json/mcp/mcp-adapter-default-server - Events Manager REST API:
/wp-json/events-manager/v1