🎉 Major Release: OAuth 2.1 Dynamic Client Registration
This major release introduces comprehensive OAuth 2.1 Dynamic Client Registration, enabling Claude Code HTTP transport and enterprise-grade authentication while maintaining full backward compatibility.
🚀 Key Highlights
🔐 OAuth 2.1 Implementation
- Complete RFC 7591 & RFC 8414 compliance for Dynamic Client Registration
- Auto-discovery endpoints
- JWT authentication with RS256 signing and scope-based authorization
- Production security features with comprehensive validation
🎯 Claude Code Integration
- HTTP transport support enabling team collaboration features
- Automatic OAuth setup - zero configuration required
- Seamless authentication with transparent token management
🛡️ Enhanced Security
- Multi-method authentication: OAuth Bearer tokens + API key fallback + optional anonymous
- Thread-safe operations with async/await and proper locking
- Background token cleanup and lifecycle management
- Production security warnings and configuration validation
✨ New Features
OAuth Endpoints
- `/.well-known/oauth-authorization-server/mcp` - Server metadata discovery
- `/oauth/register` - Dynamic client registration
- `/oauth/authorize` - Authorization code flow
- `/oauth/token` - Token exchange (authorization_code + client_credentials flows)
Authentication Middleware
- Unified authentication protecting all API endpoints
- Scope validation (read/write/admin permissions)
- Graceful fallback with enhanced error messages
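To make the endpoint and middleware behaviour above concrete, here is an added, stand-alone model of the `/oauth/register` and `/oauth/token` (client_credentials) endpoints together with the unified Bearer-then-API-key-then-anonymous middleware. It is example code written for this page, not the MCP Memory Service implementation. It assumes: HS256 (HMAC) in place of the release's RS256 so it runs on the standard library alone; an `X-API-Key` header for the legacy path; a read < write < admin scope hierarchy; full scopes for API keys and read-only anonymous access; and a placeholder issuer URL. The `MCP_OAUTH_*` environment variable names are the ones the release documents.

```python
"""Added example, not the project's code: an in-memory model of the release's
/oauth/register and /oauth/token endpoints and of the unified auth middleware.
Assumptions: HS256 (HMAC) stands in for the page's RS256 so this runs on the standard
library alone; the X-API-Key header, the scope hierarchy and the scopes granted to
API keys and anonymous callers are assumed; the env variable names are the page's."""
import base64, hashlib, hmac, json, os, secrets, time

ISSUER = os.environ.get("MCP_OAUTH_ISSUER", "https://mcp.example.invalid/mcp")  # assumed URL
SIGNING_KEY = os.environ.get("MCP_OAUTH_SECRET_KEY", secrets.token_hex(32)).encode()
TOKEN_TTL = 60 * int(os.environ.get("MCP_OAUTH_ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
ALLOW_ANON = os.environ.get("MCP_ALLOW_ANONYMOUS_ACCESS", "false").lower() == "true"
API_KEYS = {"legacy-key-for-demo"}                 # constructed sample, not a real credential
SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}   # assumed hierarchy: admin > write > read
CLIENTS = {}                                       # client_id -> registration record

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def register_client(request: dict) -> dict:
    """/oauth/register (RFC 7591): validate the metadata, mint and hand out credentials once."""
    uris = request.get("redirect_uris", [])
    if any(not (u.startswith("https://") or u.startswith("http://localhost")) for u in uris):
        return {"error": "invalid_redirect_uri"}     # no plaintext redirects off-host
    grants = set(request.get("grant_types", ["authorization_code"]))
    scope = request.get("scope", "read")
    if not grants <= {"authorization_code", "client_credentials"} or not set(scope.split()) <= set(SCOPE_RANK):
        return {"error": "invalid_client_metadata"}
    client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret_hash": hashlib.sha256(client_secret.encode()).hexdigest(),
                          "grant_types": grants, "scope": scope}   # store only a hash
    return {"client_id": client_id, "client_secret": client_secret, "client_secret_expires_at": 0,
            "grant_types": sorted(grants), "redirect_uris": uris, "scope": scope}

def jwt_encode(claims: dict) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def jwt_verify(token: str):
    """Return the claims only if algorithm, signature, issuer and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        if json.loads(_unb64(head)).get("alg") != "HS256":   # refuse alg=none / alg confusion
            return None
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        return None
    return claims

def issue_token(request: dict) -> dict:
    """/oauth/token, client_credentials grant (the authorization_code branch is left out)."""
    if request.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(request.get("client_id", ""))
    given = hashlib.sha256(request.get("client_secret", "").encode()).hexdigest()
    if client is None or not hmac.compare_digest(client["secret_hash"], given):
        return {"error": "invalid_client"}
    if "client_credentials" not in client["grant_types"]:
        return {"error": "unauthorized_client"}
    wanted = set(request.get("scope", client["scope"]).split())
    if not wanted <= set(client["scope"].split()):     # no escalation past registration
        return {"error": "invalid_scope"}
    now, scope = int(time.time()), " ".join(sorted(wanted, key=SCOPE_RANK.get))
    claims = {"iss": ISSUER, "sub": request["client_id"], "iat": now, "exp": now + TOKEN_TTL, "scope": scope}
    return {"access_token": jwt_encode(claims), "token_type": "Bearer", "expires_in": TOKEN_TTL, "scope": scope}

def authenticate(headers: dict, required_scope: str) -> dict:
    """Unified middleware: Bearer JWT first, then API key, then anonymous when enabled."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = jwt_verify(auth[len("Bearer "):])
        if claims is None:     # a bad token is rejected outright, never downgraded to anonymous
            return {"status": 401, "error": "invalid_token"}
        scopes = claims.get("scope", "").split()
        if not any(SCOPE_RANK.get(s, -1) >= SCOPE_RANK[required_scope] for s in scopes):
            return {"status": 403, "error": "insufficient_scope", "required": required_scope}
        return {"status": 200, "principal": claims["sub"], "scopes": scopes}
    api_key = headers.get("X-API-Key", "")
    if api_key:
        if any(hmac.compare_digest(api_key.encode(), k.encode()) for k in API_KEYS):
            return {"status": 200, "principal": "api-key", "scopes": ["read", "write", "admin"]}
        return {"status": 401, "error": "invalid_api_key"}
    if ALLOW_ANON and required_scope == "read":      # anonymous is read-only here (assumption)
        return {"status": 200, "principal": "anonymous", "scopes": ["read"]}
    return {"status": 401, "error": "authentication_required"}
```

Two checks in this model are the ones worth carrying into any real deployment: a token that fails verification returns 401 rather than falling through to the API-key or anonymous branches, and the token endpoint never issues a scope beyond what the client registered with, so a client cannot mint its own `admin` access.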
Configuration Options
```bash
MCP_OAUTH_ENABLED=true                    # Enable OAuth (default)
MCP_OAUTH_SECRET_KEY=<key>                # JWT signing key
MCP_OAUTH_ISSUER=<url>                    # OAuth issuer URL
MCP_OAUTH_ACCESS_TOKEN_EXPIRE_MINUTES=60  # Token expiration
MCP_ALLOW_ANONYMOUS_ACCESS=false          # Anonymous access
```

🔄 Backward Compatibility
✅ Zero Breaking Changes
- All existing API key workflows continue unchanged
- OAuth can be disabled with `MCP_OAUTH_ENABLED=false`
- Gradual migration path available
📈 Migration Guide
- Existing Users: No action required - continue using API keys
- Claude Code Users: Enable HTTP transport for automatic OAuth
- Enterprise Users: OAuth provides standards-compliant team authentication
📊 Development Quality
Comprehensive Review Process
- 17 review cycles with Gemini Code Assist
- All security findings from review resolved (critical/high/medium)
- Extensive testing suite with OAuth integration tests
- Production readiness validation
🎯 Use Cases Enabled
Team Collaboration
- Claude Code team features via HTTP transport
- Shared memory service across team members
- Enterprise authentication standards
Enterprise Deployment
- OAuth 2.1 compliance for security audits
- Foundation for identity provider integration
- Centralized authentication management
Development Flexibility
- Choose between API keys (simple) or OAuth (enterprise)
- Smooth transition between authentication methods
- Future-proof architecture
📚 Documentation
- 📖 Complete Setup Guide: `docs/oauth-setup.md`
- 🔧 API Reference: All endpoints documented with examples
- 🛡️ Security Guide: Production deployment best practices
- 🔄 Migration Guide: Smooth transition instructions
🔗 Related Issues
- Closes #116 (OAuth 2.1 Dynamic Client Registration)
- Addresses #119 (Minor documentation cleanup - follow-up)
🙏 Acknowledgments
Special thanks to the comprehensive review process with Gemini Code Assist, which helped identify and resolve security issues, ensuring this release meets enterprise standards while maintaining simplicity.
This release transforms the MCP Memory Service from a simple memory tool into an enterprise-ready service with standards-compliant authentication, enabling new use cases while preserving the reliability that makes it valuable.
🚀 Ready for production use with Claude Code team collaboration!