Payload v4: the MCP plugin exposes your collections to LLMs — and it's opt-out

Payload CMS v4's plugin now exposes every collection as an MCP tool with full CRUD by default, requiring opt-out for sensitive operations. Developers must review collections after upgrading to prevent accidental exposure of endpoints like user deletion.

@payloadcms/plugin-mcp turns your Payload CMS into an MCP server, exposing your collections as tools for LLMs.

Heads up for v4: after a refactor, every collection is now exposed with full CRUD by default. It's opt-out — you disable individual tools rather than enabling them:

```ts
mcpPlugin({
  collections: {
    // posts is exposed automatically — no entry needed
    users: { tools: { create: false, update: false, delete: false } }, // find only
  },
})
```

Custom tools are defined with the defineTool builder, taking input via zod v4:

```ts
tools: {
  getPostScores: defineTool({
    description: 'Score recent posts',
    input: z.object({ since: z.string() }),
  }).handler(async ({ input, req }) => ({ content: /* ... */ })),
}
```

⚠️ The thing to actually do after upgrading: collections you never listed are suddenly reachable through MCP. Review them and disable anything sensitive — an exposed users collection with delete is not a great default to inherit by accident.
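
One way to make that post-upgrade review repeatable, as an added example (not code from the plugin or from the original post): it models the opt-out rule described above and compares the resulting exposure with a reviewed allowlist. The function names, the allowlist shape and the sample collections (including `api-keys`) are assumptions made for illustration.

```javascript
// Models the behaviour described above: every collection gets the four
// CRUD tools unless the plugin config sets a tool to false.
const CRUD_TOOLS = ['find', 'create', 'update', 'delete'];

// Tools reachable per collection slug under opt-out semantics.
function effectiveTools(slugs, pluginCollections = {}) {
  const exposed = {};
  for (const slug of slugs) {
    const entry = pluginCollections[slug];
    const overrides = (entry && entry.tools) || {};
    exposed[slug] = CRUD_TOOLS.filter((tool) => overrides[tool] !== false);
  }
  return exposed;
}

// Compare effective exposure with a reviewed allowlist (hypothetical file kept
// in the repo). Anything exposed but never approved becomes a finding.
function auditExposure(slugs, pluginCollections, approved) {
  const findings = [];
  const exposed = effectiveTools(slugs, pluginCollections);
  for (const [slug, tools] of Object.entries(exposed)) {
    const allowed = new Set(approved[slug] || []);
    const unapproved = tools.filter((tool) => !allowed.has(tool));
    if (unapproved.length > 0) {
      // listedInPluginConfig === false means the exposure was inherited silently.
      const listedInPluginConfig = Object.prototype.hasOwnProperty.call(pluginCollections, slug);
      findings.push({ slug, unapproved, listedInPluginConfig });
    }
  }
  return findings;
}

// Constructed sample: three collections, only `users` appears in the plugin config.
const sampleSlugs = ['posts', 'users', 'api-keys'];
const samplePluginCollections = {
  users: { tools: { create: false, update: false, delete: false } },
};
const sampleApproved = {
  posts: ['find', 'create', 'update', 'delete'],
  users: ['find'],
  // api-keys is absent on purpose: nobody has approved exposing it.
};

function runSampleAudit() {
  return auditExposure(sampleSlugs, samplePluginCollections, sampleApproved);
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

Run as a CI step with the real collection slugs, a non-empty result can fail the build until each newly exposed collection is either approved or disabled.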