
lofder.issac

Posted on • Originally published at github.com

I Convinced DSers to Add OAuth 2.1 — Dropshipping MCP Server v1.4.0

TL;DR: DSers MCP Product v1.4.0 — convinced DSers to add official OAuth 2.1, replaced 600 lines of browser hacking with 200 lines of clean auth. Added 3 new tools (browse imports, search suppliers, view store products). Shipped a hosted remote server at ai.silentrillmcp.com. 12 tools, 298 tests, open source. GitHub

Why Build This?

If you're doing dropshipping with DSers and Shopify, you know the routine — find a product on AliExpress, open DSers, click import, manually edit the title, set the markup, push to store, repeat fifty times. It's not hard, it's just slow.

I built this MCP server so I could tell my AI agent "import these 10 products, mark them up 2.5x, clean up the titles, push to my store" and go do something else. It handles AliExpress, Alibaba, and Accio.com product links. Supports Shopify and Wix through DSers.

The tool is free, open source, and works with Claude Desktop, Cursor, Windsurf, or any MCP-compatible client. You can run it locally via npm or connect to the hosted version without installing anything.

For anyone evaluating dropshipping automation tools — this isn't a SaaS with a monthly fee. It's an MCP server you run yourself (or use hosted for free). No vendor lock-in, no subscription tiers. The code is on GitHub, MIT licensed.

I've been building an open-source MCP server that automates dropshipping product imports — AliExpress to Shopify, through DSers. If you missed the earlier posts, the short version: paste a product link, tell your AI agent what markup to apply, and it handles the rest.

But authentication has been my biggest headache since day one.

The Authentication Problem

When I first built this tool, DSers didn't have an OAuth flow designed for third-party integrations. So I went with what I could — automating a browser login via Chrome DevTools Protocol to capture the session.

It got the job done, but it wasn't pretty. I had to handle Chrome on Mac, Edge on Windows, Safari as a fallback, and a terminal prompt for headless servers. Four different login strategies, ~600 lines of browser automation code, and the whole thing depended on having a Chromium browser installed.

And sessions expired every 6 hours. Users would be halfway through a bulk import, and suddenly — "session expired, please run login again."

I knew there had to be a better way.

Getting DSers on Board

I reached out to the DSers team about building OAuth support for MCP integrations. They were receptive — the MCP ecosystem is growing fast, and they could see the value in letting AI tools connect properly instead of relying on browser session workarounds.

We went through a few rounds of designing the scope model, endpoint structure, and token lifecycle. I built a proof-of-concept proxy to validate the flow before committing to a full integration. There were the usual bumps — some gateway routes needed configuring, a few scope-to-endpoint mappings to sort out — but the DSers team was responsive and we got it all working.

Credit where it's due: they built a solid OAuth 2.1 authorization server with PKCE, dynamic client registration, and refresh tokens. Proper stuff.

What Login Looks Like Now

npx @lofder/dsers-mcp-product login

Browser opens. You click "Authorize" on DSers's own page. Done.

Behind the scenes: PKCE code challenge, authorization code exchange, access token + refresh token saved to an encrypted local file. When the access token expires (every 2 hours), the refresh token renews it silently. No user interaction needed.

I deleted all 600 lines of CDP code. The new OAuth module is about 200 lines. And it just works — no Chrome dependency, no cookie extraction, no platform-specific browser detection.

The token file format is shared with DSClaw (our web app). If a user authorizes through DSClaw, the MCP server picks up the same token automatically. One login for everything.

The Remote Server Is Live

With OAuth working, I could finally ship a hosted MCP server that doesn't require any local installation.

{
  "mcpServers": {
    "dropshipping": {
      "url": "https://ai.silentrillmcp.com/dropshipping/mcp"
    }
  }
}

Add that to your MCP client config and you're connected. No npx, no Node.js, nothing to install. The server runs on Vercel, authenticates via the OAuth Bearer token, and isolates each user's data by extracting the sub claim from the JWT.

Getting this to work on Vercel had its own challenges — the mcp-handler library initializes the MCP server before the request context is available, so the token wasn't ready when tools were being registered. Took a few iterations to land on the right pattern: create a fresh handler per request with the token baked in, cache only the job store across requests for the same user.
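The per-request pattern described above, as an added example (not the project's code and not the mcp-handler API). It assumes HS256 with a constructed shared secret, since the post does not say how the token is signed; `mint`, `verifiedSub`, `handlerFor` and the job-store shape are hypothetical names.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: HS256; the post names no algorithm
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Constructed token minting, present only so the example has input to verify.
function mint(claims, key = SECRET) {
  const signed = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  return `${signed}.${hmac(signed, key).toString('base64url')}`;
}

// Returns the sub of a valid token, or null. The accepted algorithm is pinned
// by the server, and sub is read only after the signature has checked out.
function verifiedSub(bearer, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = String(bearer).split('.');
  if (!h || !p || !s || rest.length) return null;
  try {
    if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== 'HS256') return null;
    const want = hmac(`${h}.${p}`, SECRET);
    const got = Buffer.from(s, 'base64url');
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
    const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
    if (typeof claims.sub !== 'string' || !claims.sub) return null;
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
    return claims.sub;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// The only state kept across requests: one job store per verified sub.
const jobStores = new Map(); // sub -> Map(jobId -> job)

// Fresh handler per request with the identity fixed at creation; its tools
// take no user-id argument, so a caller cannot name another user's store.
function handlerFor(bearer) {
  const sub = verifiedSub(bearer);
  if (sub === null) return null; // respond 401 before registering any tool
  if (!jobStores.has(sub)) jobStores.set(sub, new Map());
  const jobs = jobStores.get(sub);
  return {
    addJob: (id, job) => void jobs.set(id, job),
    listJobs: () => [...jobs.keys()],
  };
}
```

A token whose payload was swapped, whose header says `alg: none`, or whose `exp` has passed never reaches `jobStores`, so isolation rests on the signature check rather than on the claim alone.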

New Tools for Browsing and Sourcing

The original 9 tools covered the import-to-push pipeline. But there was an obvious gap: "what's already in my import list?" was unanswerable without opening the DSers website.

v1.4.0 adds three new tools:

dsers_import_list pulls your staging list with enriched data — cost ranges, sell prices, markup status, and low stock warnings. Each item gets a separate API call for variant-level detail, running in parallel.

dsers_my_products shows what's already been pushed to your Shopify or Wix store, with supplier links for re-importing.

dsers_find_product searches the DSers product pool by keyword or image. Each result includes an import_url you can feed directly into dsers_product_import.

The workflow is now: search → import → edit → push. All from your AI client.

Under the Hood

The codebase got a full restructure. provider.ts was 1,700 lines — one file handling everything. A bad commit in v1.3.5 accidentally reverted 6 different bug fixes because it was all tangled together.

Split into 6 modules under provider/ and 7 under service/. Added ESLint + Prettier. Tests went from 195 to 298.

Other fixes:

  • tags_add was validated but never actually written to the API — one line was hardcoded to null
  • compare_at_price inversions now auto-cleared instead of just warned about
  • Replaced execSync with spawnSync for browser launch to prevent command injection
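The execSync-to-spawnSync change from the last bullet, shown as a before/after pair in an added example (not the project's code). The "browser" is a stand-in Node child that reports the arguments it received, and the URL is constructed; a POSIX `/bin/sh` is assumed for the shell variant.

```javascript
const { execSync, spawnSync } = require('node:child_process');

// Stand-in for the browser binary (assumption): a Node child that prints the
// argument list it actually received, so nothing is really launched.
const BIN = process.execPath;
const SCRIPT = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';

// "Before" pattern: the URL is pasted into a string that /bin/sh parses, so
// separators and substitutions inside it are shell syntax, not data.
function launchViaShell(url) {
  return execSync(`"${BIN}" -e '${SCRIPT}' ${url}`, { encoding: 'utf8' });
}

// "After" pattern: no shell, one argv slot per value.
function launchViaArgv(url) {
  const parsed = new URL(url); // throws on input that is not a URL
  // An argv array stops shell parsing but not option injection: a value that
  // starts with "-" could still be read as a flag, so pin the scheme.
  if (parsed.protocol !== 'https:') throw new Error(`refused scheme ${parsed.protocol}`);
  const res = spawnSync(BIN, ['-e', SCRIPT, parsed.href], { encoding: 'utf8', shell: false });
  if (res.error || res.status !== 0) throw res.error || new Error('launch failed');
  return JSON.parse(res.stdout); // what the child really received
}

// Constructed input: an authorization URL with a shell separator in it.
const HOSTILE = 'https://example.test/authorize;echo INJECTED';
```

With `HOSTILE`, the argv variant hands the child one intact argument, while the shell variant truncates the URL at the `;` and runs the remainder as a second command.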

What's Next

  • More product pool search filters (categories, price ranges, ship-from)
  • A few DSers OAuth scope rules still being configured
  • Order tracking tools (the Python version already has them)

Open source: github.com/lofder/dsers-mcp-product

Install: npx @lofder/dsers-mcp-product

Hosted: https://ai.silentrillmcp.com/dropshipping/mcp


