Special Thanks
Huge thanks to @netizen1119 for implementing the OAuth 2.1 refresh token grant (PR #766) — a high-quality contribution with atomic rotation, replay detection, chain revocation, and full test coverage across both storage backends. Zero breaking changes.
What's New
feat(oauth): OAuth 2.1 refresh_token grant with rotation — PR #766 (@netizen1119)
Clients that include the offline_access scope in their authorization request now receive a refresh token alongside the access token (RFC 6749 §6, OAuth 2.1 §4.3.1, MCP SEP-2207):
- Atomic rotation: every successful refresh issues a new access token AND a new refresh token, while atomically revoking the presented one — preventing replay attacks
- Chain revocation: replay detection walks the full `parent_token` chain to the root and bulk-revokes all descendant tokens in a single `UPDATE`, so a stolen token cannot be reused even after the legitimate client has already rotated
- Discovery updated: `/.well-known/oauth-authorization-server` now advertises `refresh_token` in `grant_types_supported` and `offline_access` in `scopes_supported`
- Dual backend support: both Memory and SQLite OAuth backends implement the new contract; SQLite uses additive schema (no destructive `ALTER TABLE`)
- New env var: `MCP_OAUTH_REFRESH_TOKEN_EXPIRE_DAYS` (default 30, range 1–365)
- Zero breaking changes: clients that don't request `offline_access` receive the same response shape as before
- 17 new unit tests in `tests/unit/test_oauth_refresh.py`; storage parity tests extended in `tests/unit/test_oauth_storage_backends.py`
- Documentation updated: `docs/oauth-setup.md`, `README.md`
feat(mcp_server): memory_graph on streamable-http — PR #759 (@henry201605)
Knowledge graph operations (find_connected, shortest path, subgraph extraction) are now available in the FastMCP streamable-http transport, matching the capabilities already present in stdio mode. A shared GraphService layer under `src/mcp_memory_service/services/graph_service.py` is reused by both server variants.
Configuration
```
# Refresh token expiry (default 30 days)
MCP_OAUTH_REFRESH_TOKEN_EXPIRE_DAYS=30
# Enable OAuth (required for refresh tokens)
MCP_OAUTH_ENABLED=true
```

Clients request `offline_access` in scope to receive refresh tokens:

```
scope=openid offline_access
```
Test Count
1,692 Python tests passing.
Installation
```
pip install mcp-memory-service==10.41.0
# or
uv add mcp-memory-service==10.41.0
```

Full changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md#10410---2026-04-28