doobidoo/mcp-memory-service v10.20.0

v10.20.0 — Streamable HTTP transport with OAuth 2.1 + PKCE

on GitHub

What's New

Streamable HTTP transport with OAuth 2.1 + PKCE (#518) — Enable Claude.ai remote MCP server connectivity by adding Streamable HTTP as a new transport mode alongside the existing SSE transport.

Added

• --streamable-http CLI flag and run_streamable_http() method. Configure via MCP_STREAMABLE_HTTP_HOST (default 0.0.0.0) / MCP_STREAMABLE_HTTP_PORT (default 9000)
• Bearer token / API key auth middleware on /mcp endpoint (HTTP 401 for unauthenticated requests)
• API key-gated HTML authorization page — /authorize now requires MCP_API_KEY instead of auto-approving
• JavaScript redirect for Claude.ai OAuth popup compatibility
• PKCE (S256) support across all OAuth storage backends (memory + SQLite) with automatic schema migration
• RFC 9728 OAuth Protected Resource Metadata endpoint (/.well-known/oauth-protected-resource)
• refresh_token grant type accepted in DCR for Claude.ai compatibility
• streamable-http mode in Docker unified entrypoint

Key Design Decisions

1. Separate method, not modified run_sse — SSE users are completely unaffected
2. Auth at the transport boundary — ASGI app validates Bearer tokens before MCP protocol handling
3. API key gate on /authorize — prevents unauthorized OAuth token issuance
4. JS redirect after authorize — Claude.ai's popup doesn't reliably follow HTTP 302 from form POST

Upgrade

pip install --upgrade mcp-memory-service
# or
uvx --upgrade mcp-memory-service

Full Changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md