agentic-community/mcp-gateway-registry v1.0.15

v1.0.15 - Virtual MCP Servers, IAM Settings, Skill Security Scanning & Internal JWT Auth

on GitHub

February 2026

Upgrading from v1.0.13

This section covers everything you need to know to upgrade from v1.0.13 to v1.0.15.

Breaking Changes

Helm Chart Dependency Removal (EKS/Helm users only)

The bitnami/common chart dependency has been removed from both the registry and auth-server sub-charts. If you are upgrading Helm charts from v1.0.13, you must rebuild dependencies before upgrading:

# Required before helm upgrade
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

Without this step, helm upgrade will fail because the old Chart.lock references a dependency that no longer exists.

Internal Service-to-Service Auth Changed to JWT (#533)

Internal communication between the registry and auth-server now uses self-signed JWTs instead of Basic Auth. This change is transparent -- no configuration is needed -- but the SECRET_KEY environment variable is now used for both JWT token signing and internal service authentication. Ensure your SECRET_KEY is set consistently across registry and auth-server containers.

New Environment Variables

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.15

# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.15

# REQUIRED: Rebuild dependencies (bitnami/common was removed)
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

# Update values.yaml if needed for new features (deployment mode, node selectors, etc.)
# Then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.15

# Update your .tfvars with any new variables you want to configure
# New Terraform variables available: deployment_mode, registry_mode, oauth_store_tokens_in_session
cd terraform/aws-ecs
terraform plan
terraform apply

DockerHub Images

Pre-built images are available:

docker pull mcpgateway/registry:v1.0.15
docker pull mcpgateway/auth-server:v1.0.15
docker pull mcpgateway/currenttime-server:v1.0.15
docker pull mcpgateway/realserverfaketools-server:v1.0.15
docker pull mcpgateway/mcpgw-server:v1.0.15
docker pull mcpgateway/fininfo-server:v1.0.15
docker pull mcpgateway/metrics-service:v1.0.15

Major Features

Virtual MCP Servers

Aggregate tools from multiple backend MCP servers into a single virtual endpoint:

• Virtual Server Management: Create virtual servers that combine tools from multiple real backend servers into one unified endpoint
• Lua-Based Router: High-performance nginx Lua router handles MCP protocol routing to backend servers
• Streamable HTTP Compliance: Full MCP Streamable HTTP protocol support for virtual server endpoints
• Semantic Search Integration: Virtual server tools are indexed and searchable via semantic search
• Scope-Based Access Control: Virtual servers integrate with the existing IAM/scopes system
• Rating Support: Virtual servers support the same 5-star rating system as regular servers
• CLI Commands: Register, list, and manage virtual servers from the command line
• E2E Test Coverage: Playwright E2E tests, MCP protocol compliance tests, and stress tests included

PR #501

IAM Settings UI

Full IAM management interface in the Settings page:

• Groups Management: Create, edit, and delete IAM groups with server/tool/agent access dropdowns
• Users Management: View and manage user accounts and group assignments
• M2M Client Management: Manage machine-to-machine OAuth clients
• Searchable Selectors: Scalable searchable dropdowns for servers and agents (handles large lists)
• Virtual Server Permissions: Auto-populate list_virtual_server permission for virtual servers
• Agent Access Control: Full CRUD operations for IAM groups with agent access

PR #494

Skill Security Scanning

Integrate Cisco AI Defense Skill Scanner for automated skill security analysis:

• Automated Scanning: Skills are scanned on registration using configurable analyzers (YARA, spec, heuristic, LLM, endpoint)
• Security Scan API: New /api/skills/{path}/security-scan endpoints for triggering and viewing scan results
• Frontend Integration: Security scan results displayed on SkillCard component
• CLI Commands: skill-scan and skill-scan-result CLI commands for scripting
• Property-Based Tests: Comprehensive test coverage including property-based tests for schemas and repository layer

PR #510 | Issue #495

System Configuration Viewer

Admin configuration viewer in the Settings page:

• Configuration Groups: 11 groups covering deployment, storage, auth, embeddings, health checks, websockets, security scanning, audit, federation, and discovery
• Export Formats: Export configuration as .env, JSON, Terraform .tfvars, or YAML
• Sensitive Value Masking: Passwords, tokens, and API keys are automatically masked
• Search and Filter: Search across all configuration parameters
• Rate Limited: 10 requests per minute per user

PR #508 | Issue #492

Internal JWT Authentication (#533)

Service-to-service communication now uses self-signed JWTs instead of Basic Auth:

• JWT-Based Auth: Registry signs JWTs with SECRET_KEY when calling auth-server internal endpoints
• Configurable Auth Server URL: AUTH_SERVER_URL setting replaces hardcoded http://auth-server:8888 for EKS compatibility
• Single Source of Truth: JWT issuer and audience constants defined once in registry/auth/internal.py

PR #533 | Issue #515

What's New

Deployment Modes

• Registry-only deployment mode without nginx integration (#485, #486)
• Skills-only registry mode for lightweight deployment (#493)
• Deployment and registry mode added to Helm stack chart (#497)
• Auto-correction for invalid mode combinations (e.g., with-gateway + skills-only)

Helm Chart Improvements

• Node selector support for all pods including Keycloak, Postgres, and MongoDB (#514)
• Option to disable Keycloak ingress patch for service-mesh environments (#516)
• Keycloak auth for registry API endpoints in Helm (#517)
• Federation environment variables added to charts (#474)
• Disable Keycloak when using Entra ID (#482)
• Git hash/tag pushed to images for version tracking (#480, #481)
• Removed unneeded bitnami/common chart dependency (#483)
• Helm install examples added to README (#484)

Security Fixes

• Strip newlines from X-Body header to prevent scope validation bypass (#529)
• Normalize leading slashes in scope server name matching (#529)
• Recognize registry-admins group in can_modify_servers check
• Move security-scan routes before catch-all path route

Audit Logging Fixes

• Audit composite key index fix for concurrent MCPServerAccessRecord and RegistryApiAccessRecord events (#530)
• Handle duplicate audit event inserts gracefully (#513)
• Case-insensitive regex for username filtering in audit logs
• Stream-aware filters for audit queries

OAuth and Authentication

• Default OAUTH_STORE_TOKENS_IN_SESSION to false to prevent cookie size issues with Entra ID (#528)
• OAuth token storage control surfaced in system config panel (#528)
• Terraform support for OAUTH_STORE_TOKENS_IN_SESSION variable (#528)

Infrastructure

• Docker build optimizations for faster image builds (#473)
• Preserve client IP address in logs/audit (#476)
• REGISTRY_ROOT_PATH support for path-based API hosting (#472)
• ECR-based container image references (#479)
• Consistent Keycloak fallback behavior (#482)
• CI parallel test execution with -n auto (#501)

Frontend Improvements

• Roo Code IDE option with streamable-http format and copy feedback
• Auto-populate JWT token in MCP configuration modal
• Virtual MCP Servers tab with rating support
• Searchable select component for IAM server/agent dropdowns
• Skill security scan display on SkillCard component

Documentation

• Virtual MCP server design document and operations guide
• IAM Settings UI documentation
• Registry deployment modes documentation
• System Configuration Viewer documentation
• Claude Code skills for development workflow

Bug Fixes

• Nginx config failed to load on startup due to excessive variables in the file (#512)
• Audit composite key allowing only one event type per request (#530)
• Duplicate audit event insert errors on concurrent writes (#513)
• X-Body header newline injection in scope validation (#529)
• Leading slash normalization in scope server name matching (#529)
• registry-admins group not recognized in can_modify_servers check
• Skill toggle sending query parameter instead of JSON body
• Path mismatch in skill toggle causing UI not to update
• Disabled skills excluded from API requests
• Dashboard sections not rendering when feature enabled
• Admin toggle for servers/agents/skills requiring explicit UI permission
• Semantic search results not filtered by registry mode
• MongoDB nodeSelector config not wrapping statefulset spec correctly (#514)
• Security-scan routes shadowed by catch-all path route
• Virtual server search returning incorrect tool results
• JWT token extraction from API response

Pull Requests Included

Security Dependency Updates

Contributors

Thank you to all contributors for this release:

• Amit Arora (@aarora79)
• Omri Shiv (@omrishiv)
• Geoffrey Norman (@gknorman)
• Dheeraj Oruganty (@dheerajoruganty)
• snorlaX-sleeps (@snorlaX-sleeps)
• Abhishek Singh (@abkrsinh)
• Andreas Feldmann (@ndrsfel)

Support

• GitHub Issues
• GitHub Discussions
• Documentation

Full Changelog: v1.0.13...v1.0.15

What's Changed

• Fix 1.0.13 chart image tags by @omrishiv in #471
• add federation envvars to charts by @omrishiv in #474
• chore(deps): bump jsonpath from 1.2.0 to 1.2.1 in /frontend by @dependabot[bot] in #477
• chore(deps): bump langchain-core from 1.2.5 to 1.2.11 by @dependabot[bot] in #468
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 by @dependabot[bot] in #467
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /agents/a2a by @dependabot[bot] in #466
• chore(deps): bump axios from 1.13.2 to 1.13.5 in /frontend by @dependabot[bot] in #462
• add helm install examples by @omrishiv in #484
• remove unneeded chart dependency by @omrishiv in #483
• Disable keycloak if entraid by @omrishiv in #482
• Add git hash to helm deployment by @omrishiv in #481
• set git hash/tag to BUILD_VERSION in images by @omrishiv in #480
• Update images to use ecr by @omrishiv in #479
• Preserve client ip in logs by @omrishiv in #476
• add REGISTRY_ROOT_PATH to fix hosting out of paths for api by @omrishiv in #472
• update dockerfile to speed up builds by @omrishiv in #473
• feat: Add Registry-Only Deployment Mode (#478) by @abkrsinh in #485
• fix: Registry-only mode nginx config and terraform updates by @aarora79 in #486
• feat: Add skills-only registry mode for lightweight deployment by @aarora79 in #493
• feat: Virtual MCP Server - Aggregate tools from multiple backend servers by @aarora79 in #501
• Add registry/deployment modes to mcp gateway registry stack chart by @omrishiv in #497
• docs: Use more precise language in documentation by @aarora79 in #505
• docs: Remove remaining production-grade instances by @aarora79 in #506
• chore(deps): bump ajv from 8.14.0 to 8.18.0 in /frontend by @dependabot[bot] in #503
• Add Claude Code skills for development workflow by @aarora79 in #507
• feat: Add System Configuration Viewer with documentation by @aarora79 in #508
• feat(settings): IAM Settings UI with Groups, Users, and M2M Management by @gknorman in #494
• Feat/issue 495 skill scanner integration by @gknorman in #510
• chore(deps): bump fast-xml-parser and @aws-sdk/xml-builder in /cli by @dependabot[bot] in #509
• fix: Nginx config would not load on startup due to the amount of variables in the file by @snorlaX-sleeps in #512
• feat: OAuth token session storage control with Terraform and config panel support by @aarora79 in #528
• fix: strip newlines from X-Body header to prevent scope validation bypass by @aarora79 in #529
• bug: Handle duplicate inserts into the audit events DB by @snorlaX-sleeps in #513
• Feature: Allow Helm Chart to not deploy the keycloak-ingress-patch by @snorlaX-sleeps in #516
• fix: audit composite key index and stream-aware filters by @aarora79 in #530
• Bug: Keycloak auth required for Registry API endpoints missing from Helm Chart by @snorlaX-sleeps in #517
• Sign SECRET_KEY as JWT for internal communication by @omrishiv in #533
• Feature: Allow setting the nodeSelector for applications deployed from the mcp-gateway-registry-stack Helm Chart by @snorlaX-sleeps in #514

New Contributors

• @abkrsinh made their first contribution in #485
• @gknorman made their first contribution in #494
• @snorlaX-sleeps made their first contribution in #512

Full Changelog: v1.0.13...v1.0.15