Skip to content

DKeken/funpay-mcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bun.lock
bun.lock
 
 
index.ts
index.ts
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

funpay-mcp

MCP server for FunPay.com. Bun + @modelcontextprotocol/sdk. Lets Claude Code (or any MCP client) read, create, update, and clone FunPay lots using a seller's golden_key cookie.

Companion to gitlab-mcp — same shape, same ergonomics.

What it can do

  • Auth via golden_key cookie. PHPSESSID + CSRF persisted in-memory across calls (FunPay rotates sessions on every cookie-less hit — jar is required).
  • Profile storage in the OS keychain via Bun.secrets (macOS Keychain / Linux libsecret / Windows Credential Manager). Falls back to config file if keychain is unavailable.
  • Multi-profile support + env-var override.
  • Read any lot you own.
  • Inspect a subcategory's form schema (select options like fields[type], fields[time], fields[method]) before posting — so the POST won't fail on an unknown value.
  • Create, update, and batch-clone lots across multiple subcategories in one call.

Install

git clone https://github.com/DKeken/funpay-mcp.git
cd funpay-mcp
bun install

Bun ≥ 1.3 required (uses Bun.secrets + Bun.file + native Response.headers.getSetCookie()).

Register in Claude Code

Edit ~/.claude.json:

{
  "mcpServers": {
    "funpay": {
      "type": "stdio",
      "command": "bun",
      "args": ["run", "/absolute/path/to/funpay-mcp/index.ts"],
      "env": {}
    }
  }
}

Restart the client. Then save your key — it goes straight to the OS keychain:

set_golden_key name="default" goldenKey="<paste golden_key>" makeActive=true
whoami

Expected whoami:

Profile: default
User ID: 258369
Locale: ru
CSRF: ...
golden_key: hnik***wzjg

Alternative: env var (CI / one-off)

FUNPAY_GOLDEN_KEY=... FUNPAY_PROFILE=ci bun run index.ts

FUNPAY_GOLDEN_KEY always overrides saved profiles.

Where to get golden_key

  1. Sign in at https://funpay.com/.
  2. DevTools → Application → Cookies → funpay.com.
  3. Copy golden_key value.

Expires on logout or when FunPay invalidates sessions. Re-run set_golden_key when it stops working.

Tools

Tool Purpose
set_golden_key Save/update a profile. Secret goes to OS keychain.
list_profiles List saved profiles — masked keys, storage backend, active flag.
use_profile Switch active profile.
delete_profile Remove a profile + its keychain entry.
whoami Verify key, return user ID / CSRF.
get_lot Compact view of a lot's offerEdit form.
get_lot_raw Full JSON dump (higher token cost).
get_node_schema List select-field options for a subcategory. Call before create_lot in game-ish nodes.
create_lot POST /lots/offerSave — new offer in a node.
update_lot Edit an existing offer (price, stock, text, images, flags).
clone_lot Copy one source lot into N target nodes with per-target overrides.

Example — clone one lot into 4 subcategories

clone_lot sourceOfferId=68907961 copyImages=true copySecrets=false targets='[
  {"nodeId": 4187},
  {"nodeId": 3734, "fields": {"fields[type]": "Pro"}},
  {"nodeId": 3735, "fields": {"fields[type]": "Pro", "fields[time]": "1 месяц", "fields[method]": "Без захода на аккаунт"}},
  {"nodeId": 3736}
]'

copySecrets=false by default — auto-delivery secrets don't get duplicated unless you opt in.

Gotchas

  • Restricted subcategories. Some nodes (e.g. 3173 "Подписка Claude") require a video interview with FunPay support before you can post. Server surfaces this as Access denied. Resolve via support.funpay.com, then retry.
  • CSRF is per-form. FunPay rotates csrf_token + form_created_at on every offerEdit fetch. Server grabs a fresh pair per create_lot/update_lot — don't cache them.
  • Two CSRF tokens. csrf_token in the POST body comes from the form; x-csrf-token header comes from the homepage data-app-data (csrf-token key). Both are sent on every save. Mixing them up → "Обновите страницу и повторите попытку."
  • Cookie jar is mandatory. FunPay hands out a new PHPSESSID every time you arrive without one. Server keeps a per-profile in-memory jar and feeds Set-Cookie back in. If you integrate manually, do the same.
  • Field-name brackets. Field keys like fields[summary][ru] contain literal [ and ]. Pass them verbatim in the fields object.

Config file

~/.config/funpay-mcp-server/config.json:

{
  "activeProfile": "default",
  "profiles": [
    { "name": "default", "userAgent": "..." }
  ]
}

Secrets are not stored here when Bun.secrets is available. Legacy configs with inline goldenKey still work; re-saving the profile migrates the secret into the keychain and wipes the inline copy.

Bun 1.3 features used

  • Bun.secrets — OS credential storage.
  • Bun.file / Bun.write — config I/O.
  • Native fetch + response.headers.getSetCookie() — cookie jar without tough-cookie.

License

MIT.

About

MCP server for FunPay.com — Claude Code integration. Bun + @modelcontextprotocol/sdk. Multi-profile golden_key (OS keychain), lot read / create / update / batch clone.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages