Lovable MCP Server

Build, iterate, inspect, and deploy full-stack web apps through Lovable's MCP server — without ever opening the Lovable UI.

Lovable's agent handles the heavy lifting: you describe what you want in plain language, and it builds a working app (React + Vite + Tailwind + shadcn/ui + Supabase when needed). The MCP server exposes this capability programmatically, so you can drive the entire workflow from any agent that supports skills.

What is Lovable MCP?

Lovable provides a Model Context Protocol (MCP) server at https://mcp.lovable.dev that gives AI agents direct access to:

• Create, read, update, and delete Lovable projects
• Send prompts to Lovable's AI agent for building/iterating on apps
• Deploy projects to production
• Read source code and review diffs
• Manage workspace-level governance
• Query analytics

Authentication is OAuth 2.1+PKCE. The MCP server supports the standard MCP OAuth flow:

1. Contact the server → receive WWW-Authenticate: Bearer challenge
2. Fetch OAuth metadata from https://lovable.dev/oauth/.well-known/oauth-authorization-server
3. Redirect user to the authorization endpoint with PKCE
4. Exchange the authorization code for tokens at the token endpoint
5. Use the access token as Authorization: Bearer in all subsequent calls

Prerequisites

• A Lovable account (Pro or Business plan recommended — needed for API access)
• A CLIENT_ID from Lovable support (email [email protected] and ask for MCP OAuth client credentials)
• curl (should be available on any system)
• python3 (for scripts, should be available on any system)

Setup

Step 1: Get credentials from Lovable

Contact Lovable support ([email protected]) and request MCP OAuth client credentials. They will provide a CLIENT_ID (a hex string like 0123456789abcdef0123456789abcdef).

This CLIENT_ID is registered with a specific redirect URI. The skill scripts use this redirect URI during the OAuth flow.

Step 2: Run the OAuth setup

# Make the scripts executable
chmod +x scripts/*.sh

# Run the OAuth setup — this will generate a PKCE authorization URL for you
bash scripts/lovable-oauth-setup.sh

The script will:

1. Generate a cryptographically random PKCE code_verifier + code_challenge
2. Print an authorization URL for you to open in your browser
3. Wait for you to paste back the redirect URL containing the ?code= parameter
4. Exchange the code for access + refresh tokens
5. Save the tokens to config/lovable-tokens.json

Step 3: Test the connection

# Get the access token (auto-refreshes if expired)
TOKEN=$(bash scripts/lovable-get-token.sh)

# Test: list your profile and workspaces
curl -s -X POST https://mcp.lovable.dev/ \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_me","arguments":{}},"id":1}'

Step 4: Configure your MCP server in OpenClaw

Add the Lovable MCP server to your openclaw.json:

{
  "mcp": {
    "servers": {
      "lovable": {
        "url": "https://mcp.lovable.dev",
        "type": "http",
        "auth": {
          "CLIENT_ID": "\x3Cyour-client-id>"
        }
      }
    }
  }
}

Then restart the gateway:

openclaw gateway restart

OAuth Details

The OAuth flow uses PKCE (Proof Key for Code Exchange) as required by the MCP OAuth 2.1 specification.

Authorization URL parameters

Token endpoint

Exchange the authorization code at https://lovable.dev/oauth/token:

Refresh token

When the access token expires (after 8 hours), use the refresh token:

curl -s -X POST https://lovable.dev/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=\x3Cyour-refresh-token>" \
  -d "client_id=\x3Cyour-client-id>" \
  -d "redirect_uri=\x3Cyour-registered-redirect-uri>"

How to Use

1. Find your workspace ID

TOKEN=$(bash scripts/lovable-get-token.sh)
curl -s -X POST https://mcp.lovable.dev/ \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"list_workspaces","arguments":{}},"id":1}'

2. List all projects

TOKEN=$(bash scripts/lovable-get-token.sh)
WORKSPACE_ID="\x3Cyour-workspace-id>"

curl -s -X POST https://mcp.lovable.dev/ \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"tools/call\",\"params\":{\"name\":\"list_projects\",\"arguments\":{\"workspace_id\":\"$WORKSPACE_ID\"}},\"id\":1}"

3. Deploy a project

TOKEN=$(bash scripts/lovable-get-token.sh)
PROJECT_ID="\x3Cyour-project-id>"

curl -s -X POST https://mcp.lovable.dev/ \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"tools/call\",\"params\":{\"name\":\"deploy_project\",\"arguments\":{\"project_id\":\"$PROJECT_ID\"}},\"id\":1}"

4. Send a prompt to the Lovable agent

TOKEN=$(bash scripts/lovable-get-token.sh)
PROJECT_ID="\x3Cyour-project-id>"

curl -s -X POST https://mcp.lovable.dev/ \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"tools/call\",\"params\":{\"name\":\"send_message\",\"arguments\":{\"project_id\":\"$PROJECT_ID\",\"message\":\"Add a dark mode toggle to the header\"}},\"id\":1}"

Deploy Workflow

Combine this skill with a CI/CD or agent workflow:

1. Code is reviewed and merged to main in your git repo
2. An agent (or CI) checks if the project exists on Lovable using list_projects
3. Agent asks the user for deploy approval
4. On approval, agent calls deploy_project(project_id)
5. Agent reports the production URL

Tool Reference

Project Operations

Code & History

Workspace

Database (Lovable Cloud)

Analytics

Governance

Connectors

Common Patterns

Build and deploy in one flow

1. list_workspaces() → get workspace_id
2. create_project(workspace_id, description, initial_message) → get project_id
3. get_project(project_id) → confirm it's built, get preview_url
4. send_message(project_id, message) → iterate if needed
5. get_diff(project_id, message_id) → review changes
6. deploy_project(project_id) → ship it

Audit a workspace

1. list_workspaces() → get workspace_id
2. list_projects(workspace_id) → see all projects
3. For each project: list_edits(), read_file(), get_database_status()

Troubleshooting

Token expired

Run the token refresh script:

bash scripts/lovable-refresh-token.sh

Refresh token also expired

If the refresh token no longer works, run the OAuth setup again:

bash scripts/lovable-oauth-setup.sh

"Invalid API key" error

The Lovable MCP server uses OAuth 2.0 Bearer tokens, NOT the Lovable-API-Key header. The API key from Lovable support only works for tools/list (discovery). For tools/call you MUST use an OAuth Bearer token obtained through the PKCE flow.

Connection refused / timeout

Verify the MCP server is reachable:

curl -s -o /dev/null -w "%{http_code}" https://mcp.lovable.dev/.well-known/oauth-protected-resource

Should return HTTP 200.

Security Notes

• Never commit tokens or credentials to git. The config/lovable-tokens.json file should be in your .gitignore.
• The access token is a JWT that expires after 8 hours. The refresh token is a long-lived secret.
• If you suspect a token leak, revoke it by emailing Lovable support.
• The OAuth flow should be initiated interactively by a human — never automate the consent step.