github obot-platform/obot v0.23.0
on GitHub

4 hours ago

We're excited to announce the v0.23.0 release of the Obot Platform. This release reworks the entire UI to cleanly separate administration from end-user consumption, introduces enterprise licensing, and lets external coding agents like Claude Code and Codex use Obot's LLM Gateway as their model endpoint. It also brings multi-user MCP servers into the Git-backed catalog workflow.

Big Updates

Reworked UI: Administration vs. Consumption

The UI has been reorganized from the ground up to clearly separate administrative management from end-user consumption. Administrators get dedicated areas for managing catalog entries and deployments, while end users get a focused experience for discovering and connecting to the servers available to them, instead of both audiences sharing one set of screens. As part of this rework, single-user and multi-user servers are now unified as "Hosted" catalog entries.

LLM Gateway for External Clients

Obot's LLM Gateway can now act as an OpenAI- and Anthropic-compatible model endpoint for external clients. A user can point a tool like Claude Code or Codex at the gateway, authenticate with their Obot token, and call models by their native provider names (for example gpt-5.5 or claude-sonnet-4-6). Obot forwards the request to the vendor while enforcing per-user model access policy, and the model list a client sees is scoped to only the models that user is allowed to call.

A new Models page shows users which OpenAI and Anthropic models they can access, the gateway base URL, and a copy-paste example to get started. The gateway pages (Tokens, Model Providers, Model Access Policies, and Models) are now grouped under a dedicated "LLM Gateway" section in the sidebar.

This lays the groundwork for future features including guardrails and token cost optimization.

Multi-User MCP Server Templates

Multi-user MCP servers can now be defined as catalog entries, which brings them into the same Git-backed MCP catalog workflow used for the rest of your servers. Instead of configuring shared servers by hand, you declare them as templates in a git-managed catalog and get version control, code review, and automated validation for them like any other server configuration.

Because these are catalog entries, a multi-user template can also reference externally managed secrets, so the credentials a shared server needs are pulled from your existing secret store rather than entered into Obot. Multiple servers can be deployed from a single template, and users connect by creating instances on a deployed server.

MCP Server Discovery from the CLI

The new obot mcp search command lists and searches the MCP servers and catalog entries available to you directly from the terminal, so you can find a server without opening the UI.

It also serves as a building block for local coding agents, giving an agent a way to discover the MCP servers a user has access to and wire them up on the user's behalf.

Enterprise License Key

Enterprise features are now gated by a license key instead of being distributed as a separate private image. A key can be supplied through configuration (the OBOT_SERVER_LICENSE_KEY environment variable) or entered in the UI, and the enterprise features turn on once a valid key is present. Prior to v0.23.0, enterprise was distributed as a private Docker image and access was granted by sharing that image. Now you can start with OSS and upgrade to the enterprise version without starting over.

Improvements

  • API tokens now replace auth tokens: a single API-key model covers everything from connecting to MCP servers to calling the Obot API, with selectable capabilities (LLM, skills, device scan, artifact, and API access) creatable from the UI and CLI. See the Upgrade Notes below.
  • MCP OAuth flows now show a consent screen, which also signals when a server requires second-level OAuth and that the user will be redirected to complete it.
  • Model Access Policies now accept wildcard suffix patterns (for example claude-haiku-4-5*), which grant access to every model whose ID starts with the given prefix and automatically cover new matching models as providers add them.
  • Per-entry CPU and memory requests and limits can now be configured in the UI for hosted MCP server catalog entries when the Kubernetes engine is enabled.
  • The ability to block private and link-local IPs has been added, and blocking of loopback IPs is now on by default.
  • A 402 error is now presented before authorization, and health check errors are surfaced when launching an MCP server fails.

Upgrade Notes

This release contains several behavior changes. Review carefully before upgrading.

Enterprise is now licensed. Prior to v0.23.0, enterprise was distributed as a private Docker image and access was granted by sharing that image. Starting with v0.23.0, enterprise users need a license key, set via the OBOT_SERVER_LICENSE_KEY environment variable or in the UI, and access is still requested through the Discord server. If a valid license becomes invalid or is removed, Obot keeps functioning as long as no enterprise features are configured; if an enterprise feature is in use, the UI remains available to deconfigure it but the MCP Gateway and agent chat are disabled until it is. See #6798 for details.

Auth tokens are deprecated. The auth tokens previously created by obot login are deprecated and replaced by API tokens. API tokens can now be granted a range of capabilities, including full Obot API access, so they cover what auth tokens used to do. You can no longer create auth tokens in v0.23.0, but existing ones keep working until they expire or are removed in a future release. See #6915 for details.

Obot Agent features are disabled by default. Obot Agent functionality is now off by default and must be explicitly enabled. See #6835 for details.

What's Changed

  • fix: hide scan identifiers by @njhale in #6742
  • feat: Multi-User catalog templates by @calvinmclean in #6627
  • docs: cut v0.22.0 by @cjellick in #6743
  • chore: gitignore goreleaser build artifacts by @njhale in #6755
  • fix: basic users usage graph fixes by @ivyjeong13 in #6756
  • Migrate away from using GPTScript for credentials by @thedadams in #6677
  • fix: show multi-user server names in instances table by @calvinmclean in #6774
  • enhance: request & limits configuration in ui for mcp server entry by @ivyjeong13 in #6726
  • fix: show alias input for no-config multi-user entry by @calvinmclean in #6781
  • fix: don't auto-connect admins when deploying multi-user catalog entries and rename to "Create Server" by @calvinmclean in #6780
  • fix: show Connect to Server button for Multi-User Catalog Entry when an MCPServer already exists by @calvinmclean in #6782
  • chore: update axios for docs ui & overrides for docs and ui by @ivyjeong13 in #6783
  • docs: document MCP hosting trust model and harden deployment guidance by @cjellick in #6790
  • fix: mcp registry: return 401 to unauth'd users when registry auth is on by @g-linville in #6793
  • docs: clarify NetworkPolicy scope and Obot server egress hardening by @cjellick in #6792
  • fix: allow users to get their own scans by @njhale in #6718
  • chore: add Claude Code skills for drafting releases by @cjellick in #6748
  • docs: explain OAuth resource parameter fix in FAQ by @cjellick in #6800
  • fix: enable sharable connect urls for composite servers by @njhale in #6761
  • feat: add licensing for enterprise features by @thedadams in #6625
  • feat: cli: add obot mcp search command by @g-linville in #6767
  • fix: licensing page check for invalid license by @ivyjeong13 in #6804
  • fix: reject multi-user catalog entries in composites by @calvinmclean in #6770
  • fix: trigger needsUpdate on deployments when entry resources change by @ivyjeong13 in #6784
  • fix: aggregate multi-user catalog entry user counts by @calvinmclean in #6775
  • enhance: bootstrap skills: explain obot mcp search command by @g-linville in #6802
  • enhance: run model and auth providers in containers by @thedadams in #6803
  • fix: include encryption provider binaries again by @thedadams in #6811
  • fix: process MCP healthz path properly by @thedadams in #6812
  • fix: allow provider pods to connect to private IP ranges by @thedadams in #6815
  • fix: return a proper OAuth error when client is not found by @thedadams in #6818
  • chore: remove PROVIDER_IMAGE and build encryption providers by @thedadams in #6817
  • feat: openai and anthropic passthroughs for external clients by @njhale in #6704
  • fix: allow MCP server containers to get jwks.json always by @thedadams in #6822
  • fix: only health check shim endpoint when necessary by @thedadams in #6825
  • fix: ensure system catalog entries have server user type by @thedadams in #6820
  • fix: set HealthzPath for composite MCP servers by @njhale in #6824
  • chore: bootstrap skills: nudge model about how to configure mcp servers by @g-linville in #6827
  • More fixes for GPTScript removal by @thedadams in #6828
  • fix: decrease the number of database and k8s calls for MCP servers by @thedadams in #6829
  • enhance: ensure 402 error is presented before authorization by @thedadams in #6842
  • fix: use provided credentials for model provider validation by @thedadams in #6837
  • chore: disable Obot Agent features by default by @njhale in #6840
  • fix: ui: audit logs: set correct filters for multi user catalog entry by @g-linville in #6839
  • enhance: show health check errors when launch MCP server fails by @thedadams in #6847
  • fix: hide unavailable agent entry points by @njhale in #6848
  • fix: use uncached k8s client for logs by @g-linville in #6850
  • fix: cleanup models when model provider is deconfigured by @thedadams in #6854
  • chore: revert back to model and auth providers as fork/exec by @thedadams in #6855
  • chore: bump nanobot to v0.0.84 to pick up fixes by @thedadams in #6860
  • fix: set composite shim container resources as remote by @thedadams in #6856
  • fix: allow MCP OAuth tokens to access a very specific subset of paths by @thedadams in #6859
  • fix: improve error messages when we fail deployment due to missing required config by @g-linville in #6849
  • fix: ui: prompt for new required config params after trigger-update for multi-user by @g-linville in #6846
  • feat: mcp pages ui/ux rework by @ivyjeong13 in #6851
  • fix: markdown input, reload function check by @ivyjeong13 in #6866
  • fix: configure static values fix and admin catalog entry route fetch fix by @ivyjeong13 in #6876
  • fix: show effective Kubernetes resource defaults in MCP forms by @njhale in #6871
  • fix: basic user dashboard recently connected server section & configured check by @ivyjeong13 in #6882
  • docs: add llm-gateway docs by @njhale in #6862
  • fix: licensing bugfixes by @ivyjeong13 in #6861
  • fix: mcp catalog multi catalog entry related fixes by @ivyjeong13 in #6895
  • chore(deps): bump shell-quote from 1.8.3 to 1.8.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #6904
  • enhance: mcp servers consumption/admin ui/ux updates 2 by @ivyjeong13 in #6900
  • fix: add type tag for catalog entry/server in search if duplicate name by @ivyjeong13 in #6903
  • fix: licensing downgrade verbiage and dialog ui/ux by @ivyjeong13 in #6905
  • chore: enable bootstrap when no auth providers are configured by @g-linville in #6914
  • fix: ensure proper shutdown on signals by @thedadams in #6916
  • refactor: depracate auth tokens and extend api tokens by @thedadams in #6913
  • fix: use x-api-key header if authorization header is not set by @thedadams in #6927
  • fix: friendlyName not being supplied in provider by @ivyjeong13 in #6920
  • fix: mcp-catalog page & entry page related fixes by @ivyjeong13 in #6919
  • chore: clean up old models that reference tool references by @thedadams in #6926
  • fix: ensure NeedsK8sUpdate is set properly by @thedadams in #6924
  • chore: bump depedencies to fix vulns by @njhale in #6929
  • fix: allow nanobot agent pods to exit by @thedadams in #6918
  • fix: delete button for entry shouldnt show client consumption side by @ivyjeong13 in #6931
  • chore: remove unused docker engine packages from the image by @njhale in #6941
  • enhance: allow wildcard suffixes in model access policies by @njhale in #6912
  • fix: allow bootstrap user to run through initial user setup on a new auth provider by @g-linville in #6930
  • fix: include OBOT_SERVER_VERSIONS details in /api/version by @thedadams in #6944
  • fix: validate audience on JWT tokens by @thedadams in #6940
  • fix: snackbar errors for skills w/ invalid license & verbiage fixes by @ivyjeong13 in #6932
  • enhance: add ability to block private and link-local IPs by @thedadams in #6935
  • chore: bump cmd to pickup default env var change by @thedadams in #6946
  • fix: env var name in auth required text by @njhale in #6951
  • feat: add a consent screen for MCP OAuth by @thedadams in #6934
  • fix: ignore oauth token not found errors by @thedadams in #6956
  • fix: ensure consent screen show third-party oauth box when needed by @thedadams in #6955
  • fix: llm gateway models navigation fix by @ivyjeong13 in #6958
  • chore: dependabot ui & docs bumps by @ivyjeong13 in #6961
  • fix: ensure token has requested scopes by @thedadams in #6960
  • fix: stop just-in-time CLI auth from hanging on stdin in agents by @njhale in #6963
  • fix: obot icon in navigation layout by @ivyjeong13 in #6965
  • fix: llm-gateway models page & navigation route only available when models available by @ivyjeong13 in #6968
  • chore: bump mcp base images to v0.20.6 by @njhale in #6969
  • enhance: add auth providers doc in configuring auth provider dialog by @ivyjeong13 in #6966
  • chore: bump nanobot images to v0.0.85 to pick up anthropic fix by @njhale in #6974
  • refactor: separate API scope from other API scopes by @thedadams in #6970
  • fix: allow admins to delete users by @thedadams in #6975
  • fix: ensure auth and model providers are available on upgrade by @thedadams in #6973
  • fix: ensure bootstrap user has proper groups by @thedadams in #6979
  • refactor: handle OAuth consent differently by @thedadams in #6977
  • refactor: remove keygen from types and config by @thedadams in #6980
  • docs update by @cjellick in #6972

Full Changelog: v0.22.1...v0.23.0

Check out latest releases or
releases around obot-platform/obot v0.23.0

Don't miss a new obot release

NewReleases is sending notifications on new releases.

Get notifications