Most CMS platforms treat AI as an afterthought: a bolt-on chatbot or a plugin that generates text and pastes it into a field. EmDash, the TypeScript CMS Cloudflare launched in April 2026, ships with a native MCP (Model Context Protocol) server baked in. AI agents like Claude, GPT-4o, or Amazon's Kiro can talk directly to your content layer without custom middleware, without glue code, without a separate service to manage.
For hosting operators, this is a bigger deal than it might first appear. Here's the actual pitch to clients: AI content management is a deployable feature on day one, not a roadmap item.
What EmDash's MCP Server Actually Does
MCP, short for Model Context Protocol, is Anthropic's open standard for connecting AI assistants to external tools and data sources. Think of it as a handshake: the AI client asks the server what it can do, gets back a list of tools, and starts calling them. EmDash implements this as a remote HTTP endpoint rather than a local stdio process, so your AI agent connects over the network to your live instance.
The server exposes tools across four core categories:
- Content: Create, read, update, delete, and search across any collection
- Schemas: Define or modify content types, fields, and validation rules
- Media: Upload, organize, and attach assets
- Plugins: Install, configure, enable, or disable sandboxed extensions
What makes this different from a typical "CMS with an API" is the structured JSON content model. EmDash stores content as typed, portable text rather than raw HTML blobs. An AI agent reasoning about your content is working with data it can parse and manipulate. Not raw HTML it has to work around. Joost de Valk put it concisely: "I can point Claude at it and say 'build me a theme' — the MCP server makes it actually work."
The MCP surface area is still expanding. Issue #41 on GitHub proposes letting plugins expose their own first-class MCP tools, which would make third-party extensions AI-addressable without touching core code. It's open as of this writing.
Getting EmDash Running First
EmDash is MIT-licensed and available on GitHub with over 4,000 stars in its first week. It requires Node.js 22+ and pnpm 10+. The recommended path for most hosting operators is a Cloudflare Workers deployment, which gives you sandboxed plugin isolation and edge performance by design.
Cloudflare Workers deployment:
git clone https://github.com/emdash-cms/emdash.git
cd emdash
pnpm install
# Configure your wrangler.toml with your Cloudflare account
wrangler deploy
The templates repository includes a blog-cloudflare starter that seeds example content automatically. Use it if you want to demo the MCP integration before your own data is ready. Each template ships with its own .agents/skills directory, pre-loaded with the Block Kit skill (covered below).
Self-hosted Node.js deployment:
EmDash also runs as a standard Node.js process on your own infrastructure. The MCP server spins up automatically as part of the application. Your endpoint will be at https://your-domain.com/mcp once the instance is live.
Connecting Claude
Claude Desktop supports MCP servers natively through its config file. The setup takes about two minutes.
Step 1: Locate your config file.
On macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
On Windows: %APPDATA%\Claude\claude_desktop_config.json
Step 2: Add your EmDash instance as a remote MCP server.
{
"mcpServers": {
"emdash": {
"url": "https://your-emdash-instance.com/mcp",
"headers": {
"Authorization": "Bearer YOUR_API_TOKEN"
}
}
}
}
Step 3: Fully restart Claude Desktop. Changes to this file are not hot-reloaded.
Once connected, Claude discovers the available tools by querying the MCP endpoint. Verify it worked by opening a new conversation and asking: "What tools do you have available for EmDash?" Claude will list the content, schema, media, and plugin operations exposed by your instance.
From there, natural language commands work directly:
- "Create a new blog post titled 'Our Q2 Product Update' with a draft status and assign it to the News category"
- "List all posts tagged as 'ready' and publish them"
- "Show me the content schema for the Products collection"
Claude handles the invocation. Whether it prompts for confirmation depends on your trust settings.
Connecting ChatGPT
OpenAI's approach works through Custom Actions in ChatGPT, which consume an OpenAPI-compatible schema. EmDash's MCP endpoint exposes its tool definitions in a format compatible with this workflow.
Open ChatGPT, navigate to your GPTs settings, then create or edit a GPT and add a new Action. Point the Action at your EmDash MCP endpoint and ChatGPT will fetch the schema definition and surface the available operations. Configure authentication by selecting "API Key" as the auth type and providing your EmDash API token in the header.
The EmDash CLI is also usable as a tool for automation pipelines where you want to chain CMS operations without a conversational interface. CLI commands mirror admin panel actions and return structured JSON, making them easy to parse in multi-step workflows.
Connecting Kiro
Kiro uses the same MCP client standard. Point it at https://your-instance.com/mcp with your API token in the Authorization header. Kiro's agent loop handles tool discovery automatically, and you can integrate EmDash operations into larger Kiro workflows without writing connector code.
Authentication
EmDash's MCP server uses API token authentication over HTTPS. The token goes in the Authorization header as a Bearer token, as shown in the Claude config above.
For production, scope tokens to specific operations. Don't give your AI agent full admin access if it only needs to create and update posts. EmDash's permission model lets you define scopes like content:read and posts:write, so assign the minimum the agent actually needs.
Issue separate tokens per agent. If you're running Claude for editorial workflows and a separate automation agent for media management, issue separate tokens. That way you can revoke one without breaking the other, and you get cleaner audit trails. Rotate them on a schedule and store them in environment variables, not plaintext config files.
For Cloudflare Workers deployments, Cloudflare's MCP security guide recommends OAuth 2.1 for client-to-server authentication, which EmDash supports. If you're building a setup where users authenticate against your EmDash instance before an agent acts on their behalf, OAuth 2.1 with proper scope enforcement is the right model. The Cloudflare team has a detailed writeup on combining MCP with Durable Objects and auth flows if you want to go deeper on the architecture.
Performance Under Load
When the MCP server is handling real traffic, the deployment model matters more than most coverage acknowledges.
On Cloudflare Workers, EmDash's MCP endpoint runs as part of your Worker. Each request spins up in a Worker isolate, handles the MCP call, and terminates. There's no persistent server process to warm up or scale. Under bursty load (multiple agents making concurrent content queries), this scales horizontally without intervention. MCP requests to EmDash on Cloudflare Workers are stateless and fast. D1 handles content storage, R2 handles media, and both are designed for this traffic pattern.
For self-hosted Node.js deployments, the MCP server shares the Node.js process with the rest of the application. Under sustained load, put a reverse proxy in front (Nginx or Caddy) and configure rate limiting. Not because EmDash's MCP implementation is heavy, but because any HTTP endpoint without rate limiting is a resource consumption risk.
The Attack Surface Question
Adding an AI-addressable endpoint does expand the attack surface, so let's be specific about what's new.
Your /mcp endpoint is an additional authenticated route that accepts structured requests to modify content. Compared to your existing admin panel or REST API, it's the same threat model: an attacker with a valid token can perform operations. EmDash's plugin sandboxing is completely separate from the MCP layer. Plugins run in sandboxed Worker isolates with explicit capability manifests regardless of whether a request came from a human or an AI agent. An AI agent cannot use the MCP server to bypass plugin sandboxing.
The main new risk is token theft. If your Bearer token ends up in a leaked config file or a compromised client, an attacker can make MCP calls. Defense is the same as any token: environment variables, short expiration, scope limiting, rotation.
For Cloudflare deployments, the __Host- cookie prefix protects against subdomain attacks on *.workers.dev domains. Configure this if you're exposing your MCP endpoint on a workers.dev subdomain rather than a custom domain.
Multi-Tenant and Client-Facing Setups
If you're a hosting operator managing EmDash instances for multiple clients, per-instance isolation is the foundation. Each client gets their own EmDash deployment, their own D1 database, and their own set of API tokens. No shared state at the application layer.
For giving clients AI access to their own CMS, the approach depends on how technical they are.
The lowest-friction option for you as the operator: you manage the agent and the client gets results. You run Claude connected to the client's EmDash instance, and the client interacts through a UI you build on top. The client never touches MCP directly.
For technically confident clients, issue a scoped token (read and write to content, no access to plugins or schemas) and document the endpoint. The client configures their preferred AI tool themselves. This works well and generates minimal support requests.
For enterprise clients who need auditability, you can build an OAuth 2.1 consent flow using Cloudflare's auth tooling where clients explicitly authorize specific agent operations. The added complexity is worth it when clients need per-operation consent and full audit trails.
Scopes are what actually control the exposure across all of these models. Define them narrowly, enforce them at the MCP server level, and log every invocation. EmDash's structured content model makes logging meaningful: you can see exactly what the agent created or modified, not just that an API call occurred.
The Block Kit Agent Skill
EmDash ships with an Agent Skills system following the open Agent Skills standard. Skills are reusable SKILL.md files that give AI agents structured instructions for specific workflows. They live in .agents/skills/ and are automatically picked up by supported agents: Claude Code, Cursor, Codex, Gemini CLI, Roo Code, and others.
The Block Kit Agent Skill provides AI agents with step-by-step guidance for working with EmDash's block-based content model: creating content types, building component structures, and managing the structured JSON that EmDash uses instead of raw HTML. The blog-cloudflare template includes this skill pre-installed.
Here's what a working agent interaction looks like once you've connected Claude to an EmDash instance with the Block Kit skill active:
You: "Create a new feature article with a hero image block, a rich text body block, and a call-to-action block at the bottom. Title it 'Introducing Our New Pricing' and set it to draft status."
Claude: Reads the Block Kit skill instructions, introspects the available content schema via MCP, constructs the correct structured JSON for each block type, creates the post via the content:create MCP tool, and confirms the draft was saved.
Without the skill, Claude would have to infer the schema from first principles on every request. With it, the agent already knows the patterns and works confidently without extra prompting.
To install the Block Kit skill manually in an existing project:
mkdir -p .agents/skills
curl -o .agents/skills/block-kit.md \
https://raw.githubusercontent.com/emdash-cms/templates/main/blog-cloudflare/.agents/skills/block-kit.md
Point your AI client at the project directory and the skill is available automatically. For client demos, open Claude, issue a natural language content request, and watch it create a properly structured post in the live CMS. No scripted flow, no pre-loaded data. The agent does it live.
Where Things Stand
Deploy a test instance with the blog-cloudflare template, connect Claude with a scoped token, and run through the Block Kit demo. By end of day, you have something to show a client.
The v0.1 label is real. Plugin-defined MCP tools are the main gap that isn't closed yet, and the ecosystem is still thin. But the content and schema tools work, which is enough to build real workflows right now. When the plugin MCP expansion lands, agents will be able to address third-party extensions directly. That's when the gap between EmDash and legacy CMS platforms becomes hard to close from the other side.