{"slug": "payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out", "title": "Payload v4: the MCP plugin exposes your collections to LLMs — and it's opt-out", "summary": "Payload CMS v4's plugin now exposes every collection as an MCP tool with full CRUD by default, requiring opt-out for sensitive operations. Developers must review collections after upgrading to prevent accidental exposure of endpoints like user deletion.", "body_md": "`@payloadcms/plugin-mcp` turns your Payload CMS into an MCP server, exposing your collections as tools for LLMs.\n\nHeads up for v4: after a refactor, every collection is now exposed with full CRUD **by default**. It's opt-out — you disable individual tools rather than enabling them:\n\n```\nmcpPlugin({\n  collections: {\n    // posts is exposed automatically — no entry needed\n    users: { tools: { create: false, update: false, delete: false } }, // find only\n  },\n})\n```\n\nCustom tools are defined with the `defineTool` builder, taking input via `zod` v4:\n\n```\ntools: {\n  getPostScores: defineTool({\n    description: 'Score recent posts',\n    input: z.object({ since: z.string() }),\n  }).handler(async ({ input, req }) => ({ content: [/* ... */] })),\n}\n```\n\n⚠️ The thing to actually do after upgrading: collections you never listed are suddenly reachable through MCP. 
Review them and disable anything sensitive — an exposed `users` collection with `delete` is not a great default to inherit by accident.", "url": "https://wpnews.pro/news/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out", "canonical_source": "https://dev.to/zawoj/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-its-opt-out-2nlg", "published_at": "2026-06-26 09:00:10+00:00", "updated_at": "2026-06-26 09:33:49.369358+00:00", "lang": "en", "topics": ["developer-tools", "large-language-models", "ai-agents"], "entities": ["Payload CMS", "MCP", "LLMs"], "alternates": {"html": "https://wpnews.pro/news/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out", "markdown": "https://wpnews.pro/news/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out.md", "text": "https://wpnews.pro/news/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out.txt", "jsonld": "https://wpnews.pro/news/payload-v4-the-mcp-plugin-exposes-your-collections-to-llms-and-it-s-opt-out.jsonld"}}