We’re excited to announce the v0.15.0 release of the Obot MCP Platform. This is a major release that introduces a significant architectural refactor of the MCP gateway, improved HA support, a UX navigation overhaul, and a broad set of reliability, security, bug fixes, and UX improvements.
Big Updates
Major Gateway Re-Architecture
Obot v0.15.0 completes a large internal refactor of the MCP gateway, transitioning it from an intercepting MCP server into a lightweight reverse-proxy with composable infrastructure.
In this new architecture, the gateway is responsible only for authentication, ensuring MCP servers are available, and proxying requests. Protocol-aware behavior such as authorization checks, audit logging, webhook execution, and OAuth token exchange now runs alongside each MCP server in a dedicated shim container built on Nanobot.
This change dramatically simplifies the gateway core, improves standards alignment, and provides a much more extensible foundation for future features, all without breaking existing MCP server deployments.
You can read the full design story here.
UI and Admin Experience Improvements
This release includes a large UI and UX overhaul that consolidates and simplifies areas of the app related to deploying and using MCP servers:
- “My Connectors”, “Admin Dashboard”, and “MCP Publisher” have been unified. For admins and owners, the experience is largely similar, but for all other roles, the navigation experience will feel similar to an admin's.
- Navigation and configuration flows are clearer and more consistent and adapts based on the users' role
- Many small usability issues around tables, dialogs, filters, and forms have been resolved
Improved High Availability and Scalability
In addition to the scalability improvements from the above re-architecture, we improved the HA posture of the control plane. These changes reduce operational risk and make Obot easier to run reliably in production environments. See the docs for more details.
Branding customizations
Brand customization has also been expanded, allowing admins to configure logos and theme colors for their instance of Obot.
Composite MCP Server Improvements
Composite MCP servers received several important enhancements and fixes:
- Tool previews are now supported for composite servers
- Tool override UX has been significantly improved
- Overrides are preserved correctly during composite upgrades
- Invalid or nested composite configurations are now prevented
- Clearer warnings and UI feedback when composites are blocked or misconfigured
These changes make composites more reliable and easier to reason about, especially in multi-user environments.
Expanded Audit Log Capabilities
Audit logging continues to improve in v0.15.0 with:
- Better export workflows and scheduling UX
- Clearer permission checks and warnings for auditors
- Improved filtering, state handling, and table behavior
These updates make it easier to integrate audit data into external systems and to manage exports at scale.
Upgrade Notes and Known Issues
⚠️ Please read these upgrade notes carefully as several areas have been affected by refactoring and need attention during upgrade.
The environment variable controlling update notifications has changed:
If you previously customized update checks, update your configuration accordingly.
Due to architectural changes in v0.15.0, Obot no longer supports using GitHub organization or team membership to control access to MCP servers.
Before upgrading to Obot v0.15.0, you need to add two new application permissions to your app registration in Microsoft Entra:
Note that these are NOT delegated permissions, like the existing ones, but application permissions, to give Obot itself permission to query for users and groups.
These permissions must be added BEFORE upgrading to v0.15.0.
AFTER upgrading, you may remove the delegated permission for See the docs for more details about configuring Microsoft Entra for Obot.
We recommend watching our video tutorial on migrating your Okta configuration from Obot v0.14.0 to v0.15.0.
Obot v0.15.0 introduces breaking changes to Okta that cannot be addressed until after upgrading. There will be some downtime after upgrading where no users can log in.
When you upgrade, you need to set the environment variable After you have logged in as the bootstrap user, go to the Auth Provider configuration page and modify your configuration for Okta.
You will need to go to your Okta admin panel and configure a new app integration of type Once you have made all of these changes in Okta, and configured these new parameters for Okta in Obot, you can log out of the bootstrap account and sign back in with your normal account. If login succeeds, you can restart Obot with See the docs for more details about configuring Okta for Obot.
Update check configuration change
OBOT_SERVER_UPDATE_CHECK_INTERVAL_MINS
OBOT_SERVER_DISABLE_UPDATE_CHECK (boolean)
Upgrading from v0.14.0 or earlier with GitHub auth provider
Microsoft Entra upgrade notes
GroupMember.Read.All
User.Read.All
GroupMember.Read.All, as it is no longer needed. Do NOT remove the application permission for GroupMember.Read.All.
Okta upgrade notes
OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=true. This will allow you to log in as the bootstrap admin user and fix the Okta configuration after upgrading. The token for the bootstrap user can be found in the server logs, or you can override it by setting OBOT_BOOTSTRAP_TOKEN=<value>.
API Services. Public/private key must be the authentication method. Provide the Client ID and the Private Key in PEM format to Obot, in the new configuration fields. Grant the okta.groups.read and okta.users.read scopes to this app integration. Also assign an admin role to the application that, at a minimum, contains those two scopes.
OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=false (or without that environment variable set at all) to disable bootstrap login.
Getting Started
docker run -d --name obot -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock \
ghcr.io/obot-platform/obot:latestFor more details, see the documentation:
Changelog
- fix: don't gc component servers when the parent catalog entry is deleted by @njhale in #4966
- chore: add X-Content-Type-Options: nosniff header to API responses by @g-linville in #4973
- chore: use exact match for suggested model name by @tybalex in #4963
- fix: remove update check interval config by @thedadams in #4962
- fix: enhance audit log export form and calendar with view mode by @ryu-man in #4980
- fix: update export entry with running state automatically by @ryu-man in #4978
- fix: disabled Identifiers field & allowing user published mcp server selection in Filters by @ivyjeong13 in #4938
- chore: remove cached cookies for groups; delete GitHub groups by @g-linville in #4905
- Small typo fix by @mikesir87 in #4534
- fix: improve serveHTTP function by @ryu-man in #4994
- Chore: Bump nanobot to fix sse connection issue by @StrongMonkey in #5001
- chore: add engine to /api/version by @g-linville in #5003
- feat: add versioning to docs by @g-linville in #4996
- Chore: delete package-lock.json that contains old packages by @StrongMonkey in #5005
- fix: actually delete tokens for deleted MCP servers by @thedadams in #5013
- feat: add group role assignments by @g-linville in #4778
- fix: disable save button when composite has no mcp servers by @njhale in #5026
- fix: prevent users from creating "nested" composite MCP servers by @njhale in #5025
- fix: add auditor permissions check and warning message in export form by @ryu-man in #4995
- fix: configure multi-user component tools without acr and component search by @njhale in #5050
- enhance: detect docker network for MCP servers by @thedadams in #5051
- fix: block deletion of multi-user servers with dependent composites by @njhale in #5053
- fix: update table fields and filtering for export state by @ryu-man in #5029
- fix: show server schedule in k8s engine-based environment only by @ryu-man in #5004
- fix: update input text color in view mode for better ux by @ryu-man in #4998
- Chore: Update copyright to Obot by @cjellick in #5063
- fix: don't show upgrade icons or btns for component servers by @njhale in #5060
- enhance: deployment backends: use new deployServer function to deploy without waiting by @g-linville in #5032
- fix: add composite deletion block dialog to ui by @njhale in #5058
- fix: add warning message for users without auditor permissions in scheduled export form by @ryu-man in #5052
- fix: reset eror on storage provider change by @ryu-man in #5015
- fix: use multi values select component in create audit log export form by @ryu-man in #4990
- fix: improve update storage provider ux by @ryu-man in #5002
- chore: refactor MCP gateway to be a reverse proxy by @thedadams in #5069
- fix: use correct image for HTTP webhook converter by @thedadams in #5085
- chore: remove unneeded CreatedAt field from the Group type by @g-linville in #5066
- fix: return a 500 when failing to fetch a user's groups by @g-linville in #5076
- fix: add missing import by @g-linville in #5101
- fix: trim prefix to parse client credentials by @thedadams in #5099
- fix: catch not found error so auth doesn't fail by @thedadams in #5103
- fix: dont show config params for multi-user components by @njhale in #5102
- fix: ensure tool overrides are properly applied by @thedadams in #5104
- fix: stop redeploying multi-user for other users by @thedadams in #5106
- fix: multi-user and disabled in composite servers by @thedadams in #5105
- fix: ui: make the k8s settings less confusing by @g-linville in #5107
- fix: stop storing OAuth client name on MCP server by @thedadams in #5109
- Fix: don't use in-memory when fetching for configured providers by @StrongMonkey in #5040
- Fix: Use persistent token to generate for runs by @StrongMonkey in #5081
- enhance: enable tool previews for composites by @njhale in #5062
- Chore: Add API for accepting EULA by @cjellick in #5113
- fix: improve cross tab filtering in mcp servers page by @ryu-man in #5077
- fix: allow k8s backend to deploy remote servers by @njhale in #5119
- fix: handle container creation/deletion conflicts by @thedadams in #5112
- enhance: add eula agreement to setup dialog by @ivyjeong13 in #5128
- fix: quick eula text update by @ivyjeong13 in #5129
- fix: allow MCP server access when authentication is disabled by @thedadams in #5134
- enhance: port over chat messages call frames for debugging by @ivyjeong13 in #5114
- fix: address race when restarting containers by @thedadams in #5131
- chore: dont convert uploaded images to webp by @njhale in #5133
- fix: adjust secret input in storage form by @ryu-man in #5009
- fix: if only eula, set up dialog should not redirect by @ivyjeong13 in #5137
- fix: ensure jwk is always loaded before creating tokens by @thedadams in #5140
- fix: allow users to edit only selected storage credentials by @ryu-man in #5136
- enhance: allow logo & theme colors customization by @ivyjeong13 in #5056
- fix: delete the cookie when the session is invalid by @g-linville in #5132
- fix: add table selection actions snippet to prevent filter dropdown misalignment by @ryu-man in #5143
- fix: cleanup nobody user when enabling auth by @thedadams in #5141
- fix: ensure jwks is set before starting MCP containers by @thedadams in #5145
- fix: reduce delay in retrieval of profile/version data by @ivyjeong13 in #5146
- fix: prevent table columns overlap when data is empty by @ryu-man in #5142
- fix: pass proxy headers to MCP servers by @thedadams in #5155
- fix: make Kubernetes backend work on localhost by @thedadams in #5157
- fix: correctly determine MCP server ID for users that have yet to login by @thedadams in #5162
- fix: stop failing if component server catalog entry is deleted by @thedadams in #5159
- enhance: dont clear tool overrides on composite upgrade by @njhale in #5122
- fix: use http for service FQDN by @thedadams in #5164
- fix: delete unauthorized servers for user when they lose group membership by @g-linville in #5165
- fix: use catalog ID instead of entry name by @thedadams in #5171
- feat: add MCP registry API support by @g-linville in #5100
- enhance: revamp composite tool override ux by @njhale in #5149
- fix: allow localhost URLs for remote MCP servers in Docker mode by @thedadams in #5188
- fix: registry API: return an empty, rather than null, list by @g-linville in #5192
- enhance: registry API: show readme in VSCode by @g-linville in #5190
- enhance: registry API: cache fetched mime types by @g-linville in #5189
- enhance: add support for shortDescriptions by @g-linville in #5191
- enhance: registry API: add configuration notice to the readme when needed by @g-linville in #5195
- docs: v0.14.0 by @g-linville in #5196
- fix: auth providers: return correct error when sessions are missing from db by @g-linville in #5199
- feat: add audit log endpoints by @thedadams in #5198
- feat: add support for creating tokens that don't expire by @thedadams in #5204
- chore: update filter method helper text by @thedadams in #5209
- fix: don't store picture in token if it is a base64 encoded image by @thedadams in #5210
- chore: remove admin-ui by @ivyjeong13 in #5206
- fix: detect internal port in docker mode by @thedadams in #5203
- fix: use http port when using host.docker.internal by @thedadams in #5218
- chore: update filter identifier placeholder text by @thedadams in #5217
- fix: dont strip nanobot meta env from real deployment by @njhale in #5213
- fix: ensure new composite configuration is used on upgrades by @thedadams in #5216
- enhance: add internal flag to detect local IP by @thedadams in #5221
- fix: ensure all webhook definitions are used in the backend by @thedadams in #5207
- fix: bump nanobot to pickup hook direction fixes by @thedadams in #5227
- fix: translate mcp ID to server or server instance ID by @thedadams in #5219
- fix: retry composite server update after configuring components by @njhale in #5228
- Chhore: README rewrite by @cjellick in #5236
- chore: update docs dependencies by @drpebcak in #5229
- fix: prevent dialog from closing accidently by @ryu-man in #5223
- feat: add system MCP server API by @g-linville in #5225
- fix: minor bugfixes for table column, click outside composite edit dialog, & deployment views sort by @ivyjeong13 in #5238
- fix: ensure button type is explicitly set in CopyButton component by @ryu-man in #5240
- fix: auth: catch another invalid session error by @g-linville in #5246
- fix: auth: return invalid session when there is no configured provider by @g-linville in #5245
- fix: enable error logging for MCP server OAuth URL retrieval by @ryu-man in #5243
- fix: improve popovers display by @ryu-man in #5239
- fix: give auditors access to storage credentials by @thedadams in #5251
- chore: update package.json based on dependabot security alerts by @ivyjeong13 in #5242
- fix: use MCP catalog ID for audience if the client is using it by @thedadams in #5259
- fix: remove resolve for external URLs & temp silence referenced_locally warning by @ivyjeong13 in #5261
- fix: stop changing port for container URLs in docker backend by @thedadams in #5267
- chore: bump nanobot image to pickup 401 enhancements by @thedadams in #5268
- fix: use correct port for containerized runtime shims by @thedadams in #5269
- fix: component tool previews and overrides by @njhale in #5265
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 in the go_modules group across 1 directory by @dependabot[bot] in #5233
- fix: composite tool override oauth dialog by @njhale in #5277
- enhance: ui/ux overhaul "my connectors" "admin dashboard" & "mcp-publisher" into 1 by @ivyjeong13 in #5180
- fix: svelte-check warnings by @ivyjeong13 in #5274
- fix: ui/ux overhaul related bugfixes by @ivyjeong13 in #5297
- fix: do not navigate after MCP is updated & show success toast by @ryu-man in #5254
- fix: move redirect back to +page.ts by @ivyjeong13 in #5302
- fix: skip owner setup if an owner user does exist by @ryu-man in #5252
- chore: give admins and owners access to all MCP servers by @g-linville in #5301
- Docs - Adding a note about redirect URL to OKTA auth provider setup guide by @sangee2004 in #5281
- fix: update version of crypto library by @drpebcak in #5308
- enhance: ui/ux overhaul adjustments by @ivyjeong13 in #5309
- chore: give basic and PU users access to only user IDs and display names by @g-linville in #5313
- chore: add clarification on ha and how to configure by @drpebcak in #5266
- chore: bump gptscript and go-gptscript to v0.9.8 by @thedadams in #5320
- Fix: Drop tools/list from audit log default by @cjellick in #5318
- overview and install overview by @cjellick in #5321
- fix: ignore not found errors when cleaning up old MCP deployments by @thedadams in #5322
- fix: more ui/ux refactor bugfixes by @ivyjeong13 in #5324
- fix: enhance MCP connect dialog when there is no header to configure by @ryu-man in #5257
- fix: improve textarea resize logic to handle height changes correctly by @ryu-man in #5307
- fix: update scheduled exports refresh method after actions by @ryu-man in #5305
- fix: auto-reload for deployments after upgrade confirmation by @ryu-man in #5311
- fix: remove % for finding users by hashes by @thedadams in #5330
- fix: dont show populate tools option for configured server by @ivyjeong13 in #5331
- chore: bump nanobot to pickup openid configuration fix by @thedadams in #5325
- fix: user registry pill for basic/pup viewing a registry entry by @ivyjeong13 in #5327
- fix: ensure MCPServerName is set on project MCP server for listing tools by @thedadams in #5329
- docs updates by @cjellick in #5326
- Update README.md by @sheng-liang in #5337
- docs updates by @cjellick in #5338
- fix: k8s controller: use correct label on deployments by @g-linville in #5339
- docs: Restructure docs around platform concepts by @cjellick in #5340
- docs: v0.15.0 versioned docs by @cjellick in #5345
New Contributors
- @mikesir87 made their first contribution in #4534
- @sangee2004 made their first contribution in #5281
- @sheng-liang made their first contribution in #5337
Full Changelog: v0.14.0...v0.15.0