An MCP (Model Context Protocol) server that enables Large Language Model (LLM) clients to interact with any MediaWiki wiki.
Every tool that operates on a wiki accepts an optional wiki argument naming the wiki to act on (the wiki-management and OAuth tools do not) — pass a wiki key (e.g. en.wikipedia.org) or the full mcp://wikis/{wikiKey} URI. Omit it to use the configured default wiki (see Configuration). Each tool response reports the wiki the call ran against.
| Name | Description |
|---|---|
compare-pages |
Diff two versions of a wiki page by revision, title, or supplied wikitext. |
get-category-members |
List members of a category (up to 500 per call, paginated via continueFrom). |
get-file |
Fetch a file page. |
get-file-data |
Fetch a file's image bytes inline (base64) for visual analysis — for clients that can't reach the wiki host. Returns a scaled rendition (set width); non-renderable types (audio, video, binaries) error. For metadata or a download URL, use get-file. |
get-links-here |
List pages that reference a wiki page — pages that link to it, embed it as a template, or display it as a file (select via type), including pages that reach it through a redirect. Up to 500 per call, paginated via continueFrom. |
get-page |
Fetch a wiki page. |
get-page-history |
List recent revisions of a wiki page. |
get-pages |
Fetch multiple wiki pages in one call (up to 50). |
get-recent-changes |
List recent change events across the wiki, filterable by timestamp, namespace, user, tag, type, and hide flags (up to 50 per call, paginated via continue). |
get-revision |
Fetch a specific revision of a page. |
get-site-info |
Get a wiki's key settings: MediaWiki version, content language, title-case rules, namespaces, installed extensions, license, and (optionally) statistics. |
list-wikis |
List every configured wiki — its key, sitename, server, whether it is read-only or the default, whether it is reachable, which extension-gated tools work on it, and, for an OAuth-configured wiki, its authorization server. Disabled when fewer than two wikis are configured. |
parse-wikitext |
Render wikitext to HTML without saving. Returns parse warnings, wikilinks, templates, and external URLs. |
search-page |
Search wiki page titles and contents. |
search-page-by-prefix |
Search page titles by prefix. |
whoami |
Report the identity the current session is authenticated as on the targeted wiki — username, whether it is anonymous, and group memberships (optionally user rights). |
| Name | Description | Permissions |
|---|---|---|
create-page 🔐 |
Create a new wiki page. | Create, edit, and move pages |
delete-page 🔐 |
Delete a wiki page. | Delete pages, revisions, and log entries |
move-page 🔐 |
Move (rename) a wiki page. | Create, edit, and move pages |
undelete-page 🔐 |
Undelete a wiki page. | Delete pages, revisions, and log entries |
update-file 🔐 |
Upload a new revision of an existing file from local disk. | Upload, replace, and move files |
update-file-from-url 🔐 |
Upload a new revision of an existing file from a URL. | Upload, replace, and move files |
update-page 🔐 |
Update an existing wiki page. | Edit existing pages |
upload-file 🔐 |
Upload a file to the wiki from local disk. | Upload new files |
upload-file-from-url 🔐 |
Upload a file to the wiki from a URL. | Upload, replace, and move files |
| Name | Description |
|---|---|
add-wiki |
Add a wiki as an MCP resource from its URL. Disabled when allowWikiManagement is false. |
remove-wiki |
Remove a wiki resource. Disabled when allowWikiManagement is false or fewer than two wikis are configured. |
| Name | Description |
|---|---|
oauth-logout |
Remove stored OAuth tokens. Stdio only. |
oauth-status |
List stored OAuth tokens with scopes and expiry (no token values). Stdio only. |
Each pack's tools register only on wikis where its extension is installed.
| Name | Description |
|---|---|
smw-list-properties |
List Semantic MediaWiki properties with copy-paste templates for smw-query. |
smw-query |
Run a Semantic MediaWiki #ask query. |
| Name | Description |
|---|---|
neowiki-list-schemas |
List schemas (entity types) and their property counts. |
neowiki-get-schema |
Get one schema's property definitions, relations, and select options. |
neowiki-cypher-query |
Run a read-only Cypher query against the knowledge graph. |
neowiki-search-subjects |
Find subject IDs by label within a schema. |
neowiki-get-subject |
Fetch one subject's structured data by ID. |
neowiki-get-page-subjects |
List the subjects attached to a wiki page. |
neowiki-create-subject |
Create a subject (child or main) on a page. Requires the edit right. |
neowiki-update-subject |
Replace a subject's label and statements. Requires the edit right. |
neowiki-delete-subject |
Delete a subject by ID. Requires the edit right. |
neowiki-set-main-subject |
Set or clear a page's main subject. Requires the edit right. |
neowiki-validate-subject |
Dry-run validate a proposed subject and return violations. |
| Name | Description |
|---|---|
bucket-query |
Run a Bucket Lua query. |
| Name | Description |
|---|---|
cargo-list-tables |
List Cargo tables defined on the wiki. |
cargo-describe-table |
List a Cargo table's fields with their types and list-flags. |
cargo-query |
Run a Cargo SQL-style query. |
mcp://wikis/{wikiKey} — per-wiki resource exposing sitename, server (the wiki's public address), articlepath, scriptpath, and a private flag.
- Credentials (
token,username,password) are never exposed in resource content. - After
add-wikiorremove-wiki, the server sendsnotifications/resources/list_changedso clients refresh.
Example read result
{
"contents": [
{
"uri": "mcp://wikis/en.wikipedia.org",
"mimeType": "application/json",
"text": "{ \"sitename\":\"Wikipedia\",\"server\":\"https://en.wikipedia.org\",\"articlepath\":\"/wiki\",\"scriptpath\":\"/w\",\"private\":false }"
}
]
}| Name | Description | Default |
|---|---|---|
CONFIG |
Path to your configuration file | config.json |
MCP_ALLOW_STATIC_FALLBACK |
Set to true to allow HTTP startup when config.json has static credentials. See docs/deployment.md — Shape 2. |
unset |
MCP_CONTENT_MAX_BYTES |
Byte cap for content bodies (wikitext, rendered HTML, diffs). Tune to the target LLM client's tool-response budget. | 50000 |
MCP_FILE_DATA_MAX_BYTES |
Hard cap on the base64-encoded size of a get-file-data response. A transport/safety backstop; tune the actual size per call with the tool's width. Over-cap calls error rather than truncate. |
1000000 |
MCP_UPLOAD_MAX_BYTES |
Memory cap on the server-side fetch used by upload-file-from-url / update-file-from-url. Files larger than this are handed to the wiki's own copy-upload instead of being buffered by the server. Guards this server's memory, not the wiki's $wgMaxUploadSize. |
104857600 |
MCP_LOG_LEVEL |
Minimum severity for logger output. One of debug, info, notice, warning, error, critical, alert, emergency, or silent. |
debug |
MCP_OAUTH_CREDENTIALS_FILE |
Override the default credentials store path. Default: ~/.config/mediawiki-mcp/credentials.json (Linux/macOS) or %APPDATA%\mediawiki-mcp\credentials.json (Windows). |
unset |
MCP_OAUTH_NO_BROWSER |
Set to 1 to skip launching a browser during the OAuth flow; the auth URL is logged to stderr instead. Useful in headless environments. |
unset |
MCP_PUBLIC_URL |
Override the request-derived public URL used in OAuth protected-resource discovery. Useful for reverse-proxy setups that rewrite the Host header. |
unset |
MCP_MAX_REQUEST_BODY |
Maximum HTTP request body size (StreamableHTTP transport). Accepts size strings like 512kb or 1mb. Oversize requests get a JSON-RPC 413. |
1mb |
MCP_METRICS |
Set to true to expose Prometheus metrics at GET /metrics on the HTTP transport. |
unset |
MCP_SESSION_IDLE_TIMEOUT |
Seconds an HTTP session may sit idle before it is closed and removed (StreamableHTTP transport). Any request resets the timer. 0 disables expiry. |
1800 |
MCP_SHUTDOWN_GRACE_MS |
Maximum ms to wait for in-flight /mcp calls to drain on SIGTERM / SIGINT. See docs/operations.md — Graceful shutdown. |
10000 |
MCP_TRANSPORT |
Type of MCP server transport (stdio or http) |
stdio |
MCP_TRUSTED_HOSTS |
Comma-separated hosts exempt from the outbound SSRF guard's public-IP check — for deliberately pointing the server at an internal destination such as a Docker-network alias (mediawiki.svc). Distinct from the inbound MCP_ALLOWED_HOSTS; see Security. |
unset |
PORT |
Port used for StreamableHTTP transport | 3000 |
Note
Config is only required when interacting with a private wiki or using authenticated tools.
Create a config.json file to configure wiki connections. Use the config.example.json as a starting point.
{
"defaultWiki": "en.wikipedia.org",
"wikis": {
"en.wikipedia.org": {
"sitename": "Wikipedia",
"server": "https://en.wikipedia.org",
"articlepath": "/wiki",
"scriptpath": "/w"
}
}
}Internal vs public address. The server you configure is the address the MCP server uses to reach the wiki's API — it may be an internal hostname (e.g. http://mediawiki in Docker). URLs handed back to the AI (page links, the server field in list-wikis and mcp://wikis resources) are built from the wiki's own public address, so internal hostnames don't leak into links. If a wiki can't be reached, links fall back to the configured server.
For the full field reference, env-var substitution, secret sources, change tags, upload directories, and authentication options, see docs/configuration.md.
Tools marked 🔐 require authentication. Write tools (including extension-pack writes) are hidden from tools/list when the configured default wiki has readOnly: true — see Deployment.
- Browser-based OAuth (recommended). Sign in through a browser tab the first time a tool needs auth. Set
oauth2ClientIdandoauth2CallbackPortper wiki — see docs/configuration.md — OAuth (browser-based). - Per-request bearer token (HTTP). Each request carries
Authorization: Bearer <token>; the server forwards it to MediaWiki. See docs/deployment.md — per-request bearer token. - Manual OAuth2 access token. Paste a long-lived token into
config.json. See docs/configuration.md — manual OAuth2 access token. - Bot password. Fallback when Extension:OAuth isn't installed. See docs/configuration.md — bot password.
The Cargo tools (cargo-query, cargo-list-tables, cargo-describe-table) call API actions gated by the runcargoqueries user right. Most wikis grant this to all users by default; wikis that restrict it require the Create, query and delete data through the Cargo extension grant on the bot password or OAuth consumer. The Cargo extension is also detected on wiki.gg-hosted wikis (Helldivers, Terraria, Ark, etc.), where it ships under the rebranded name LIBRARIAN.
Install in Claude Desktop
Follow the guide, use following configuration:
{
"mcpServers": {
"mediawiki-mcp-server": {
"command": "npx",
"args": [
"@professional-wiki/mediawiki-mcp-server@latest"
],
"env": {
"CONFIG": "path/to/config.json"
}
}
}
}Install in VS Code
code --add-mcp '{"name":"mediawiki-mcp-server","command":"npx","args":["@professional-wiki/mediawiki-mcp-server@latest"]}'Install in Cursor
Go to Cursor Settings -> MCP -> Add new MCP Server. Name to your liking, use command type with the command npx @professional-wiki/mediawiki-mcp-server. You can also verify config or add command like arguments via clicking Edit.
{
"mcpServers": {
"mediawiki-mcp-server": {
"command": "npx",
"args": [
"@professional-wiki/mediawiki-mcp-server@latest"
],
"env": {
"CONFIG": "path/to/config.json"
}
}
}
}Install in Windsurf
Follow the guide, use following configuration:
{
"mcpServers": {
"mediawiki-mcp-server": {
"command": "npx",
"args": [
"@professional-wiki/mediawiki-mcp-server@latest"
],
"env": {
"CONFIG": "path/to/config.json"
}
}
}
}Install in Claude Code
Follow the Claude Code MCP docs.
Run the below command, optionally with -e flags to specify environment variables.
claude mcp add mediawiki-mcp-server npx @professional-wiki/mediawiki-mcp-server@latest
You should end up with something like the below in your .claude.json config:
"mcpServers": {
"mediawiki-mcp-server": {
"type": "stdio",
"command": "npx",
"args": [
"@professional-wiki/mediawiki-mcp-server@latest"
],
"env": {
"CONFIG": "path/to/config.json"
}
}
},Install in Gemini CLI
Run:
gemini extensions install https://github.com/ProfessionalWiki/MediaWiki-MCP-ServerThis installs the extension from the latest GitHub Release. To pin a specific version, append --ref=<tag> (for example --ref=v0.6.5).
See the Gemini CLI extensions documentation for how to update, list, or uninstall extensions.
Running the server as a remote HTTP endpoint for other users has its own configuration requirements — see docs/deployment.md. A pre-built image is published at ghcr.io/professionalwiki/mediawiki-mcp-server. For day-2 operations (logs, /health//ready, metrics, graceful shutdown), see docs/operations.md.
Defaults are safe for single-user use. Before exposing the HTTP transport to others, lock down three things:
- Trust the proxy, not the header. The server forwards any
Authorization: Bearerheader straight to MediaWiki — authentication is the reverse proxy's job. Terminate TLS there, and don't expose the MCP port directly on an untrusted network. See docs/deployment.md — reverse proxy requirements. - Pair
MCP_BINDwithMCP_ALLOWED_HOSTSandMCP_ALLOWED_ORIGINS. The HTTP transport binds to127.0.0.1by default. When you open it up withMCP_BIND=0.0.0.0, setMCP_ALLOWED_HOSTSto the hostnames your proxy forwards andMCP_ALLOWED_ORIGINSto the browser origins allowed to call the server — these block DNS-rebinding and cross-origin attacks respectively. - Uploads are opt-in.
upload-fileis disabled until you list allowed directories inuploadDirsorMCP_UPLOAD_DIRS. See docs/configuration.md — upload directories. - Internal destinations need
MCP_TRUSTED_HOSTS. Outbound fetches — the anonymous siteinfo probe, wiki discovery,*-file-from-url— are SSRF-guarded: a destination resolving to a private or loopback address is refused. To deliberately run against an internal host — e.g. a Docker-network alias likemediawiki.svcthat bypasses your public proxy — list it inMCP_TRUSTED_HOSTSto exempt it from the public-IP check. The host is still resolved and pinned, and the guard stays on for every other destination. This is the outbound counterpart to the inboundMCP_ALLOWED_HOSTS(Host-header) check — the two are unrelated despite the similar names.
Report a vulnerability via GitHub's security advisory form — full policy in SECURITY.md.
Contributions are welcome — pull requests and issues (bugs, feature requests, suggestions) both work.
- Working on tool code? Start from AGENTS.md for repo layout, commands, and testing patterns.
- Adding or modifying a tool? Read docs/tool-conventions.md — it covers description voice, parameter docs, annotation hints, and MediaWiki terminology conventions.
- Running a release? See docs/releasing.md.
This project is licensed under the MIT License. See the LICENSE file for details.