โ๏ธ Settings Reference¶
Django Admin MCP configuration options and Django settings.
๐๏ธ Django Settings¶
๐ฆ Required Settings¶
Add django_admin_mcp to installed apps:
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'django_admin_mcp', # Add this
# Your apps
]
๐ URL Configuration¶
Include the MCP URLs:
from django.urls import path, include
urlpatterns = [
path('admin/', admin.site.urls),
path('mcp/', include('django_admin_mcp.urls')), # Add this
]
You can customize the URL path:
# Alternative paths
path('api/mcp/', include('django_admin_mcp.urls')),
path('admin-api/', include('django_admin_mcp.urls')),
๐ ๏ธ ModelAdmin Options¶
Configure each ModelAdmin with these options:
๐ mcp_expose¶
Enable full tool exposure:
| Value | Effect |
|---|---|
True |
Expose CRUD tools, actions, relationships |
False |
Only discoverable via find_models |
Default: False
๐ Standard Django Options¶
These Django admin options affect MCP behavior:
list_display¶
Fields included in list responses:
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
list_display = ['title', 'author', 'published', 'created_at']
search_fields¶
Enables search in list_* and powers autocomplete_*:
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
search_fields = ['title', 'content', 'author__name']
ordering¶
Default ordering for list results:
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
ordering = ['-created_at'] # Newest first
readonly_fields¶
Attempts to update these fields return an error:
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
readonly_fields = ['created_at', 'updated_at', 'view_count']
list_filter¶
Available filter options (informational in describe_*):
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
list_filter = ['published', 'author', 'created_at']
actions¶
Admin actions exposed via actions_* and action_*:
@admin.action(description='Mark as published')
def publish(modeladmin, request, queryset):
queryset.update(published=True)
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
actions = [publish]
inlines¶
Inline models included in get_* responses (when include_inlines: true):
class CommentInline(admin.TabularInline):
model = Comment
extra = 0
class ArticleAdmin(MCPAdminMixin, admin.ModelAdmin):
mcp_expose = True
inlines = [CommentInline]
๐ Token Settings¶
Token behavior is configured per-token in Django admin:
๐ Fields¶
| Field | Type | Default | Description |
|---|---|---|---|
name |
CharField | Required | Descriptive identifier |
token_key |
CharField | Auto-generated | Public key for O(1) lookup |
token_hash |
CharField | Auto-generated | SHA-256 hash of the secret |
salt |
CharField | Auto-generated | Per-token salt for hashing |
user |
ForeignKey | Required | Associated user for audit |
is_active |
Boolean | True |
Enable/disable token |
expires_at |
DateTime | 90 days | Expiration date |
groups |
M2M | Empty | Groups for permissions |
permissions |
M2M | Empty | Direct permissions |
Token format: mcp_<key>.<secret> โ the key is stored in plaintext for lookup, the secret is hashed with a per-token salt.
โฐ Token Expiration¶
Default expiration is 90 days from creation. Options:
- Set date โ Token expires at specified datetime
- Leave blank โ Token never expires
๐ Permission Sources¶
Tokens derive permissions from:
- Direct
permissionsM2M field - Permissions from assigned
groups
Note
User permissions are NOT inherited by tokens.
๐ Environment Configuration¶
๐งช Development¶
๐ Production¶
DEBUG = False
ALLOWED_HOSTS = ['api.example.com']
SECURE_SSL_REDIRECT = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
๐๏ธ Database Configuration¶
Django Admin MCP uses Django's database configuration:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'myapp',
'USER': 'myuser',
'PASSWORD': 'mypassword',
'HOST': 'localhost',
'PORT': '5432',
}
}
The MCPToken model is created via migrations:
๐ Logging Configuration¶
Enable logging for debugging:
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'console': {
'class': 'logging.StreamHandler',
},
},
'loggers': {
'django_admin_mcp': {
'handlers': ['console'],
'level': 'DEBUG',
},
},
}
๐ Security Settings¶
๐ก๏ธ CSRF¶
The MCP endpoint is CSRF-exempt (uses token auth instead). This is automatically applied via @csrf_exempt on the view.
๐ CORS¶
For browser access, configure CORS:
INSTALLED_APPS = [
'corsheaders',
# ...
]
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
# ...
]
CORS_ALLOWED_ORIGINS = [
'http://localhost:3000',
]
# Or allow all (not recommended for production)
CORS_ALLOW_ALL_ORIGINS = True
๐ HTTPS¶
Always use HTTPS in production:
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
๐ฆ Middleware Order¶
Ensure proper middleware ordering:
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware', # First (if using CORS)
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
]