lunchmoney-mcp
A comprehensive MCP server that enables AI assistants to manage Lunch Money finances through 37 tools for transactions, budgets, and accounts. It supports both local stdio and remote HTTP transport modes with secure, encrypted credential storage.
README
lunchmoney-mcp
The definitive MCP server for Lunch Money -- manage your finances through any AI assistant that supports the Model Context Protocol.
37 tools covering every Lunch Money API endpoint. Runs locally via stdio or remotely over HTTP with OAuth 2.1. Credentials never touch disk in plain text.
Quick Start
npx lunchmoney-mcp setup # Store your API token in the OS keychain
npx lunchmoney-mcp # Start the MCP server (stdio)
Then add it to your MCP client. For Claude Desktop, add this to your config:
{
"mcpServers": {
"lunchmoney": {
"command": "npx",
"args": ["lunchmoney-mcp"]
}
}
}
That's it. Ask your AI assistant to "show my recent transactions" and you're off.
Features
- 37 tools -- full CRUD for transactions, categories, tags, budgets, recurring items, assets, and Plaid accounts
- Two transport modes -- stdio for local AI clients (Claude Desktop, Cursor) or HTTP for remote/multi-user deployments
- Secure credential storage -- API tokens in the OS keychain (macOS Keychain, GNOME Keyring, Windows Credential Manager); OAuth session tokens encrypted with AES-256-GCM
- 4 OAuth providers -- Google, GitHub, CyberArk Identity, or any custom OAuth 2.1 provider
- Deploy anywhere -- Docker, systemd, Railway, Render, Fly.io with one-click configs included
- 278 tests -- comprehensive test suite with >90% coverage
Setup
Local (stdio mode)
Best for single-user setups with Claude Desktop, Cursor, or other local MCP clients.
# Install globally (optional -- npx works too)
npm install -g lunchmoney-mcp
# Run the setup wizard to store your token securely
lunchmoney-mcp setup
# Start the server
lunchmoney-mcp
Your API token is stored in the OS keychain and never written to disk. Get a token at my.lunchmoney.app/developers.
Alternatively, you can configure the token from within your AI assistant using the configureLunchMoneyToken tool -- no terminal required.
Remote (HTTP mode)
Best for multi-user deployments, shared teams, or running on a server.
# Set required environment variables
export LUNCH_MONEY_API_TOKEN="your-token"
export AUTH_PROVIDER="google" # or github, cyberark, custom
export GOOGLE_CLIENT_ID="..."
export GOOGLE_CLIENT_SECRET="..."
export BASE_URL="https://your-domain.com"
# Start the server
lunchmoney-mcp --http --port 8080
HTTP mode requires OAuth 2.1 for authentication. See Authentication below.
Environment Variable Fallback
For containers and CI where no OS keychain is available:
export LUNCH_MONEY_API_TOKEN="your-token"
lunchmoney-mcp
Authentication
HTTP mode supports four OAuth providers. Set AUTH_PROVIDER and the corresponding credentials:
AUTH_PROVIDER=google
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
GitHub
AUTH_PROVIDER=github
GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret
CyberArk Identity
AUTH_PROVIDER=cyberark
CYBERARK_TENANT_URL=https://abc1234.id.cyberark.cloud
CYBERARK_CLIENT_ID=your-client-id # or OAUTH_CLIENT_ID
CYBERARK_CLIENT_SECRET=your-secret # or OAUTH_CLIENT_SECRET
Custom OAuth
AUTH_PROVIDER=custom
OAUTH_CLIENT_ID=your-client-id
OAUTH_CLIENT_SECRET=your-client-secret
OAUTH_AUTH_URL=https://provider.com/authorize
OAUTH_TOKEN_URL=https://provider.com/token
OAUTH_SCOPES=openid,email # optional, defaults to openid,email
Deployment
Pre-built deployment configs are included in the repository.
Docker
docker build -t lunchmoney-mcp .
docker run -p 8080:8080 \
-e LUNCH_MONEY_API_TOKEN="your-token" \
-e AUTH_PROVIDER=google \
-e GOOGLE_CLIENT_ID="..." \
-e GOOGLE_CLIENT_SECRET="..." \
-e BASE_URL="https://your-domain.com" \
lunchmoney-mcp
Or with Docker Compose:
docker compose up
systemd
A systemd service file is included at deploy/lunchmoney-mcp.service. Copy it to /etc/systemd/system/ and configure the environment variables.
Railway
The included railway.json configures the build and start commands automatically. Set your environment variables in the Railway dashboard.
Render
The included render.yaml defines the service as a private worker. Set your environment variables in the Render dashboard.
Fly.io
fly launch
fly secrets set LUNCH_MONEY_API_TOKEN="your-token"
fly secrets set AUTH_PROVIDER=google GOOGLE_CLIENT_ID="..." GOOGLE_CLIENT_SECRET="..."
fly deploy
Tools Reference
Setup (1 tool)
| Tool | Description |
|---|---|
configureLunchMoneyToken |
Configure and validate your Lunch Money API token |
User (1 tool)
| Tool | Description |
|---|---|
getUser |
Get account details including email, name, and currency preferences |
Categories (7 tools)
| Tool | Description |
|---|---|
getCategories |
List all categories including groups and parent categories |
getCategory |
Get a single category by ID |
createCategory |
Create a new spending or income category |
updateCategory |
Update an existing category's properties |
deleteCategory |
Delete a category by ID |
createCategoryGroup |
Create a new category group with optional category IDs |
addToGroup |
Add existing categories to a category group |
Tags (4 tools)
| Tool | Description |
|---|---|
getTags |
List all transaction tags |
createTag |
Create a new tag for categorizing transactions |
updateTag |
Update an existing tag's name |
deleteTag |
Delete a tag by ID |
Transactions (10 tools)
| Tool | Description |
|---|---|
getTransactions |
List transactions with filtering (date range, category, tags, status) |
getTransaction |
Get a single transaction by ID |
createTransaction |
Create a new transaction (expense, income, or transfer) |
updateTransaction |
Update an existing transaction's properties |
deleteTransaction |
Delete a transaction by ID |
bulkUpdateTransactions |
Bulk update multiple transactions with the same changes |
getTransactionGroup |
Retrieve a transaction group with all child transactions |
createTransactionGroup |
Group multiple transactions under a single parent |
deleteTransactionGroup |
Delete a group, restoring individual transactions |
unsplitTransactions |
Reverse a split, merging child transactions back into parent |
Recurring Items (4 tools)
| Tool | Description |
|---|---|
getRecurringItems |
List all recurring expense and income items |
createRecurringItem |
Create a new recurring expense or income item |
updateRecurringItem |
Update an existing recurring item's properties |
deleteRecurringItem |
Delete a recurring item by ID |
Budgets (4 tools)
| Tool | Description |
|---|---|
getBudgets |
List all budgets with category assignments and date ranges |
createBudget |
Create a new budget for a category with amount and date range |
updateBudget |
Update an existing budget's amount, category, or date range |
deleteBudget |
Delete a budget by ID |
Assets (4 tools)
| Tool | Description |
|---|---|
getAssets |
List all manually-managed assets |
createAsset |
Create a new manually-managed asset |
updateAsset |
Update an existing asset's properties including balance |
deleteAsset |
Delete an asset by ID |
Plaid Accounts (2 tools)
| Tool | Description |
|---|---|
getPlaidAccounts |
List all Plaid-connected accounts with balances |
fetchPlaidAccounts |
Trigger a Plaid sync to update account balances |
CLI Reference
lunchmoney-mcp # Start in stdio mode (default)
lunchmoney-mcp --http # Start in HTTP mode with OAuth
lunchmoney-mcp --http --port 3000 # HTTP mode on custom port
lunchmoney-mcp setup # Run the interactive setup wizard
lunchmoney-mcp --version # Print version
The server also reads the PORT environment variable when --port is not specified.
Security
Credentials are stored in your OS keychain and never written to disk in plain text. OAuth session tokens are encrypted with AES-256-GCM, with the encryption key stored in the keychain.
For full details on the two-tier credential architecture, threat model, and deployment security, see SECURITY.md.
Contributing
See CONTRIBUTING.md for development setup, testing guidelines, and pull request requirements.
License
MIT -- Copyright (c) 2026 Joe Garcia
Based on lunch-money-mcp by Gilbert Pellegrom, MIT License.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.