PayPay MCP · Marsel Bait

Terminal

# One command to install

$ claude mcp add -s user paypay -- npx paypay-mcp

Added paypay (env: sandbox · destructive ops: blocked)

# Then just ask Claude

> Create a 500 yen QR for a coffee, sandbox

Tool call: create_qr_code({ amount: 500, codeType: "ORDER_QR" })

merchantPaymentId: order_4f7c2a91

url: https://stg-www.sandbox.paypay.ne.jp/...

qr: data:image/png;base64,iVBORw0KGgo... (1.2 KB)

status: CREATED · expires in 5 min

# Try a refund

> Refund that order

refund_payment is disabled by default.

Set ALLOW_DESTRUCTIVE=1 to enable.

PayPay MCP · Sandbox-first install, destructive ops blocked by default

Context

PayPay is the most ubiquitous QR wallet in Japan. Tens of millions of users, accepted almost everywhere. When AI agents start doing real commerce on behalf of real people, they need a typed interface to move real money through real payment rails. No one had shipped an MCP for PayPay yet, so I built one.

The consumer is an agent, not a person. Tool names, parameter descriptions, defaults, and the README are the entire UI. There is nothing else to fall back on. An agent reads the contract and acts on it literally.

Decisions

The API surface is the UI

Tool names are buttons. Parameter descriptions are tooltips. Defaults are first-screen state. I named the six tools for intent, not endpoint paths. create_qr_code returns a payment URL and PNG. wait_for_payment polls until the transaction reaches a terminal state. Descriptions are written for the LLM reading them, specifying expected use and common mistakes. The agent reads the contract and acts.

Safe by default, dangerous by opt-in

Payment APIs move real money. I shipped refund_payment and cancel_payment disabled by default. They activate only when a developer explicitly flips a config flag. The default install cannot accidentally move funds. Dangerous capabilities are a deliberate opt-in, not a footnote in the docs. The first-run experience is safe to test, safe to break.

Sandbox-first

Every example in the README, every default in the code, every quick start points at PayPay's sandbox environment. Production credentials are an explicit second step. Safety was the main point I had in mind when building this.

Ship

Open source on GitHub. Published on npm. Built on PayPay's official Open Payment API. About 247 monthly downloads as of April 2026. Scaffolded with Claude Code. Tool design, iteration, and every ship decision are mine.

npm · paypay-mcp GitHub

Reflection

Designing for agents is a whole different playground. Agents take defaults literally. They don't hesitate and don't notice warnings. So the first design decision for a payment tool is what happens when nothing is configured. Default to sandbox and keep the dangerous tools behind an explicit flag. Safety first, all the time.

Disclaimer

Unofficial, community-built. Not affiliated with, endorsed by, or sponsored by PayPay Corporation. PayPay is a registered trademark of its respective owners. Built on the public PayPay Open Payment API.

Next Rakuten MCP