Release 1.24.3 - OAuth Discovery, OTel Observability, Registration Deduplication
May 2026
Upgrading from 1.24.2
This section covers everything you need to know to upgrade from 1.24.2 to 1.24.3.
Breaking Changes
-
Keycloak upgraded from 23 to 25 (Docker Compose and ECS surfaces). Keycloak 25 deprecates
KC_PROXY=edge,KC_HOSTNAME_URL,KC_HOSTNAME_ADMIN_URL, andKC_HOSTNAME_STRICT_HTTPS. These are replaced byKC_PROXY_HEADERS=xforwarded,KC_HOSTNAME(full URL), andKC_HTTP_ENABLED=true. The Helm chart was already on Keycloak 25 and is unaffected. (#1132) -
Custom metrics renamed to
mcpgw_registry_prefix. All custom Prometheus metrics now use themcpgw_registry_namespace prefix for consistency. If you have Grafana dashboards or alerting rules referencing the old names, update them. (#1142) -
Auth-server internal port changed to 18888 on ECS. The uvicorn listen port moved from 8888 to 18888 to avoid conflict with Service Connect Envoy's outbound interceptor. External-facing ports (ALB listener, Service Connect client_alias, AUTH_SERVER_URL) remain 8888. No action needed for Docker Compose or Helm deployments. (#1137)
New Environment Variables
| Variable | Default | Description |
|---|---|---|
DEDUP_REGISTRATION_HINT_ENABLED
| true
| Enable advisory duplicate check before registration |
DEDUP_SCORE_THRESHOLD
| 0.7
| Minimum similarity score for advisory match (0.0-1.0) |
DEDUP_MAX_SUGGESTIONS
| 3
| Cap on number of advisory suggestions per request |
METRICS_LEGACY_HTTP_POST
| false
| When true, also POST metrics to legacy metrics-service |
OTEL_METRIC_EXPORT_INTERVAL_MS
| 15000
| OTel SDK metric export interval in milliseconds |
OTEL_EXPORTER_PROMETHEUS_HOST
| 127.0.0.1
| Bind address for Prometheus exporter |
OTEL_EXPORTER_PROMETHEUS_PORT
| 9464
| Port for Prometheus /metrics endpoint |
OTEL_EXPORTER_OTLP_ENDPOINT
| (empty) | OTLP push endpoint (activates push export when set) |
OTEL_EXPORTER_OTLP_PROTOCOL
| grpc
| OTLP protocol (grpc or http/protobuf) |
MCP_CLOUD_PROVIDER
| (empty) | Override cloud auto-detection: aws, azure, gcp, on_premises, other |
BATCH_WORKER_ENABLED
| true
| Enable in-process agent batch worker loop |
BATCH_MAX_OPERATIONS_PER_JOB
| 1000
| Max items per batch submission |
BATCH_MAX_CONCURRENT_JOBS_PER_USER
| 3
| Max active batch jobs per submitter |
BATCH_JOB_RETENTION_DAYS
| 7
| TTL (days) for completed batch jobs in MongoDB |
BATCH_WORKER_POLL_INTERVAL_SECONDS
| 1.0
| Worker queue poll cadence |
BATCH_WORKER_LEASE_TTL_SECONDS
| 60.0
| Lease expiry for claimed batch jobs |
BATCH_WORKER_LEASE_HEARTBEAT_SECONDS
| 15.0
| Worker lease renewal interval |
BATCH_MAX_REQUEST_BYTES
| 4194304
| Max request body size for batch endpoint (4 MiB) |
Upgrade Instructions
Docker Compose
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.3
# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.shKubernetes / Helm (EKS)
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.3
# REQUIRED: Rebuild dependencies (subchart templates changed)
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update
# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yamlTerraform / ECS
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.3
# Update your .tfvars with any new variables
cd terraform/aws-ecs
terraform plan
terraform applyDockerHub Images
Pre-built images are available:
docker pull mcpgateway/registry:1.24.3
docker pull mcpgateway/auth-server:1.24.3
docker pull mcpgateway/currenttime-server:1.24.3
docker pull mcpgateway/realserverfaketools-server:1.24.3
docker pull mcpgateway/mcpgw-server:1.24.3
docker pull mcpgateway/fininfo-server:1.24.3
docker pull mcpgateway/metrics-service:1.24.3Major Features
MCP OAuth 2.1 Discovery (RFC 9728 / RFC 8414)
Full implementation of Protected Resource Metadata (PRM) and Authorization Server metadata discovery endpoints. MCP clients can now discover the authorization server via standard .well-known URLs, and the gateway emits WWW-Authenticate headers on 401 responses per the MCP 2025-06-18 spec. Supports Keycloak, Cognito, Auth0, Okta, and Entra ID.
Native OpenTelemetry Observability
All three services (registry, auth-server, mcpgw) now emit metrics in-process via the OpenTelemetry SDK. Sub-microsecond counter updates replace the legacy HTTP POST path to a separate metrics-service container. Each service exposes a Prometheus-compatible /metrics endpoint on port 9464 (always on) and optionally pushes OTLP to any compatible backend (Amazon Managed Prometheus via ADOT sidecar on ECS, Datadog, Grafana Cloud, New Relic, Honeycomb).
Advisory Registration Deduplication
When a user registers a new MCP server, A2A agent, or skill, the registry surfaces likely-duplicate existing entities across all three entity types so the user can pick the existing one, edit their entry, or proceed anyway. Includes exact-URL collision detection, semantic similarity matching, cross-entity search, and a React modal in the registration flow. The check never blocks registration; it is purely advisory.
Keycloak Dynamic Client Registration (DCR)
Complete DCR support for Keycloak-based deployments. AI coding assistants (Claude Code, Kiro CLI, Claude.ai Custom Connectors) can register themselves as OAuth clients via the standard DCR endpoint. Includes Keycloak 23-to-25 upgrade, audience mapper on basic scope, stale-client cleanup script, and comprehensive 100/200/300/400-level documentation.
GitHub Enterprise Skill Discovery
Skills can now be fetched from private GitHub Enterprise Server repositories using the GitHub Trees API for resource discovery. Companion assets (README, examples, configs) are surfaced in the UI with per-file links and folder zip download.
MCP Registry Schema Import
Support for registering servers using the upstream MCP Registry server.json schema format. The UI provides a JSON editor with schema validation and a "Full JSON" details button for viewing the complete server document.
Async Agent Batch Registration API
POST /api/agents/batch accepts up to 1000 register/patch/replace/delete operations per job, processed asynchronously by an in-process worker with MongoDB lease-based ownership. Each item is independently authorized and run, so one failing item never aborts the job. Poll GET /api/agents/batch/{job_id} for progress. Also adds PATCH /api/agents/{path} (RFC 7396 merge-patch) and weak ETags (RFC 7232) on agent GET/PATCH for optimistic concurrency.
- Lease-based worker supports multi-replica operation (any number of replicas drain the queue cooperatively)
- Idempotency key prevents duplicate job creation on network retries
- Configurable limits: max ops/job, concurrent jobs/user, body size, retention, poll interval, lease TTL
Terraform Out-of-the-Box Public Image Deployment
The Terraform/ECS stack now defaults to pre-built public ECR images for all core services (registry, auth-server, mcpgw) and Keycloak (quay.io/keycloak/keycloak:25.0). No build step required for a standard deploy. Demo servers are opt-in via enable_demo_servers. DocumentDB is the default storage backend. Grafana uses the stock public image with runtime-provisioned AMP datasource.
Cloud Provider Detection Banner
Admin UI banner that prompts operators to confirm their hosting environment when automatic detection fails. Five detection methods (IMDS probe, DMI, ECS metadata, K8s node-name heuristic, env vars) with an operator-facing banner for manual confirmation. Selection is persisted and reported in telemetry heartbeats.
What's New
Deployment and Infrastructure
- Terraform/ECS defaults to pre-built public ECR images; no build step required (#1153)
- Terraform/ECS: Keycloak uses public quay.io image, DocumentDB default backend (#1153)
- Terraform/ECS: demo servers disabled by default via
enable_demo_servers(#1153) - Terraform/ECS: MCP DCR realm setup applied in init-keycloak.sh (#1153)
- Auth-server migrated to port 18888 on ECS with ADOT sidecar for OTel-native metrics (#1136)
- Docker Compose: pinned otel-collector (0.153.0) and prometheus (v3.11.3) images (#1133)
- Docker Compose: added security hardening to observability containers (#1133)
- Keycloak upgraded from 23 to 25 on Docker Compose and ECS surfaces (#1132)
- IPv4 precedence fix for ECS Service Connect dual-stack resolution (#1125)
- Async federation sync with timeout to prevent startup crash-loops (#1125)
- Nginx reload retry runs in thread pool to avoid blocking event loop (#1133)
- Keycloak ECS health check upgraded from no-op to real management endpoint (#1133)
Helm Chart Improvements
- Agent batch API: new
registry-batch-configConfigMap with all 8 BATCH_* variables (#1148) - DCR support for Keycloak-based deployments with corrected env var wiring (#1143)
- Added containerPort 9464 for metrics scrape discoverability (#1133)
- NetworkPolicy templates for metrics scraping (#1125)
- Reserved-env-names updated for dedup, cloud provider, and batch variables (#1092, #1146, #1148)
- Helm chart image tags updated to 1.24.3 (#1149)
Security
- MCP proxy response-header allowlist: only forwards Mcp-Session-Id, X-Mcp-Session-Id, WWW-Authenticate, Retry-After; drops Set-Cookie, Location, HSTS, CSP, ACAO (#1126)
- SSRF allowlist for GitHub Enterprise hosts derived from configuration (#1112)
- Skill duplicate-check endpoint now requires publish_skill permission (#1092)
Frontend
- Migrated from react-scripts to Vite 8 with plugin-react v5 (#1130)
- Registration deduplication modal with cross-entity matching (#1092)
- Skill companion assets with per-file links and zip download (#1114)
- MCP Registry schema JSON editor and full details button (#1139)
- Cloud provider confirmation banner (#1146, #1147)
- Green checkmark on Copy JSON button after click (#1139)
Documentation
- OAuth PRM + AS-metadata operator guide (#1115)
- Keycloak DCR 100/200/300/400-level documentation (#1115)
- AI coding assistant registry integration guide (#1115)
- AgentCore bulk registration step-by-step FAQ (#1138)
- Metrics architecture documentation rewrite for OTel-native path (#1133)
- OpenAPI spec for v1.24.3 added to api/openapi.json
Bug Fixes
- Fix MCP proxy dropping Mcp-Session-Id header, breaking streamable-http sessions (#1126)
- Fix federation sync crash-looping registry when Anthropic endpoint is slow (#1129)
- Fix nginx reload rate-limiting returning stale config (#1133)
- Fix
int(os.getenv(...))crash on invalid prometheus port value (#1133) - Fix cloud-provider-hint POST returning 422 due to misplaced route decorator (#1147)
- Fix build_and_run.sh auth health check using wrong port (#1136)
- Fix nginx_service.py hardcoded auth-server:8888 replaced with settings.auth_server_url (#1136)
- Fix frontend: derive path from name for MCP Registry schema uploads (#1139)
- Fix frontend: fetch full server document from API for details modal (#1139)
- Fix CLI: include metadata, visibility, auth fields in server-get output (#1139)
- Fix keycloak: honor .env config in setup-agent-service-account.sh (#902)
- Fix keycloak: trusted-hosts now allows claude.ai + 127.0.0.1 (#1115)
- Fix auth: return 401 not 500 when token validation fails (#1115)
- Fix oauth: route virtual-server 401s through @auth_error (#1115)
Closed Issues
| Issue | Title | Closed By |
|---|---|---|
| #1152 | terraform/aws-ecs: gaps deploying 1.24.3 in CloudFront-only/public-image mode | PR #1153 |
| #1145 | Stale embeddings remain in vector index after server/agent/skill deletion | manual |
| #1135 | feat(terraform): Default to pre-built public ECR images | PR #1153 |
| #1141 | refactor(metrics): rename all custom metrics to mcpgw_registry_ namespace prefix | PR #1142 |
| #1140 | feat: support upstream MCP Registry server.json schema format for registration | PR #1139 |
| #1137 | Migrate auth-server to port 18888 on ECS with ADOT sidecar | PR #1136 |
| #1134 | Migrate sensitive ECS environment variables to Secrets Manager | manual |
| #1132 | Upgrade Keycloak from 23 to 25 (Docker Compose and ECS surfaces) | PR #1125 |
| #1129 | Anthropic federation: blocking startup sync crash-loops registry | PR #1125 |
| #1123 | Populate mcpgw service with actual OTel meter instruments | PR #1125 |
| #1122 | Emit application metrics natively via OpenTelemetry | PR #1125 |
| #1120 | feat(telemetry): admin-UI banner to confirm cloud provider | PR #1146 |
| #1119 | Keycloak: cleanup of accumulated DCR'd clients | PR #1115 |
| #1118 | Keycloak: clean up leftover blanket scope grants | PR #1115 |
| #1117 | Keycloak: add audience mapper to remove aud-claim fallback | PR #1115 |
| #1116 | Keycloak DCR endpoint should be rate-limited at nginx | PR #1115 |
| #1111 | feat: surface skill companion assets in UI | PR #1114 |
| #1096 | bug(mcp-proxy): auth_server drops Mcp-Session-Id | PR #1126 |
| #989 | Publish PRM + AS metadata + WWW-Authenticate on 401 (MCP 2025-06-18) | PR #1115 |
| #938 | feat: Support SKILLS from Github Enterprise | PR #1113 |
| #913 | MCP Registration Deduplication | PR #1092 |
| #867 | feat: expose /metrics endpoint on registry for in-process Prometheus counters | PR #1125 |
| #956 | feat(agent-api): add PATCH endpoint and async batch endpoint for agent cards | PR #1148 |
| #614 | Implement MCP OAuth 2.1 Authorization Spec | PR #1115 |
Pull Requests Included
| PR | Title |
|---|---|
| #1153 | terraform/aws-ecs: out-of-the-box public-image deployment |
| #1150 | chore: update image tags to 1.24.3 |
| #1149 | chore: update Helm chart image tags to 1.24.3 |
| #1148 | feat(agents): async batch registration API with lease-based worker |
| #1147 | fix(cloud-banner): allow cloud provider selection and fix decorator bug |
| #1146 | feat(registry): cloud provider confirmation banner for admin UI (#1120) |
| #1143 | Fix MCP Dynamic Client Registration end-to-end + harden Helm chart correctness |
| #1142 | refactor(metrics): rename all custom metrics to mcpgw_registry_ prefix |
| #1139 | feat: support upstream MCP Registry server.json schema for registration |
| #1138 | feat(agentcore): add Auth column to dry-run and bulk registration FAQ |
| #1136 | fix(auth-server): configurable listen port and nginx_service hardcode removal |
| #1133 | fix: PR #1122 follow-up review fixes and docs update |
| #1131 | chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /frontend |
| #1130 | Feat: migrate react-scripts to vite |
| #1126 | MCP proxy response-header allowlist for upstream headers |
| #1125 | feat(observability): native OpenTelemetry metric emission (#1122) |
| #1121 | skill(usage-report): adopt Tufte visualization style across all charts |
| #1115 | feat(oauth): publish PRM + AS metadata + WWW-Authenticate on 401 (#989) |
| #1114 | feat(frontend): surface skill companion assets with per-file links and zip download (#1111) |
| #1113 | feat(skills): implement GitHub Trees API resource discovery (#938) |
| #1112 | fix(skills): derive SSRF allowlist from github_extra_hosts for GHES (#938) |
| #1110 | chore(deps): bump qs from 6.15.1 to 6.15.2 in /frontend |
| #1144 | chore(deps): bump axios from 1.15.2 to 1.16.0 in /frontend |
| #1108 | chore: update Helm chart image tags to 1.24.2 |
| #1092 | Feat/mcp registration deduplication checks |
| #902 | fix(keycloak): honor .env config in setup-agent-service-account.sh |
Security Dependency Updates
| Package | Previous | Updated | Scope |
|---|---|---|---|
| axios | 1.15.2 | 1.16.0 | frontend |
| qs | 6.15.1 | 6.15.2 | frontend |
| tmp | 0.2.5 | 0.2.7 | frontend (dev) |
Contributors
Thank you to all contributors for this release:
- Amit Arora (@aarora79)
- Shivendra Dayal (@omrishiv)
- Md Zahangir Alam (@zahangirbu)
- NandiniKodali988 (@NandiniKodali988)
Support
Full Changelog: 1.24.2...1.24.3
What's Changed
- fix(skills): derive SSRF allowlist from github_extra_hosts for GHES (#938) by @aarora79 in #1112
- feat(skills): implement GitHub Trees API resource discovery (#938) by @aarora79 in #1113
- feat(frontend): surface skill companion assets with per-file links and zip download (closes #1111) by @aarora79 in #1114
- feat(oauth): publish PRM + AS metadata + WWW-Authenticate on 401 (#989) by @aarora79 in #1115
- skill(usage-report): adopt Tufte visualization style across all charts by @aarora79 in #1121
- chore(deps): bump qs from 6.15.1 to 6.15.2 in /frontend by @dependabot[bot] in #1110
- fix(keycloak): honor .env config in setup-agent-service-account.sh by @sdayal in #902
- feat(observability): native OpenTelemetry metric emission, retire metrics-service POST path (#1122) by @aarora79 in #1125
- chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /frontend by @dependabot[bot] in #1131
- fix: PR #1122 follow-up review fixes and docs update by @aarora79 in #1133
- Feat: migrate react scripts to vite by @omrishiv in #1130
- feedback on review #1097 has been addressed by using response header allowlist so that upstream MCP response headers are safe to forward back to the client by @zahangirbu in #1126
- fix(auth-server): configurable listen port and nginx_service hardcode removal by @aarora79 in #1136
- feat(agentcore): add Auth column to dry-run and bulk registration FAQ by @aarora79 in #1138
- feat: support upstream MCP Registry server.json schema for registration by @aarora79 in #1139
- refactor(metrics): rename all custom metrics to mcpgw_registry_ prefix by @aarora79 in #1142
- Fix MCP Dynamic Client Registration end-to-end + harden Helm chart correctness by @omrishiv in #1143
- Feat/mcp registration deduplication checks by @omrishiv in #1092
- feat(registry): cloud provider confirmation banner for admin UI (#1120) by @NandiniKodali988 in #1146
- fix(cloud-banner): allow cloud provider selection and fix decorator bug by @aarora79 in #1147
- chore: update image tags to 1.24.3 by @github-actions[bot] in #1150
- terraform/aws-ecs: out-of-the-box public-image deployment (Keycloak/Grafana public images, DocumentDB default, 1.24.3, MCP DCR) by @aarora79 in #1153
- chore: update Helm chart image tags to 1.24.3 by @github-actions[bot] in #1149
- chore(deps): bump axios from 1.15.2 to 1.16.0 in /frontend by @dependabot[bot] in #1144
- feat(agents): async batch registration API with lease-based worker by @omrishiv in #1148
New Contributors
- @sdayal made their first contribution in #902
- @zahangirbu made their first contribution in #1126
Full Changelog: 1.24.2...1.24.3