Releases: HelpCode-ai/anythingmcp
v0.1.34
Maintenance release: a server-stability fix plus self-hosting and packaging improvements.
Fixed
- MCP server no longer 500s on duplicate tool names. A connector that produced two tools with the same name could take down the `/mcp` endpoint; tool names are now deduplicated. (#313)
Self-hosting
- Run multiple stacks on one host. `docker-compose.yml` now derives the project, network, volume and container names from `COMPOSE_PROJECT_NAME` (default `amcp`, so existing setups are unchanged). Set it to isolate a second instance without name collisions. (#316)
- Single source of truth for the Node version in the Dockerfile (`ARG NODE_VERSION`), and an explicit `engines.node >=22` so the supported minimum is machine-readable. (#316)
- `.env.example` documents `COMPOSE_PROJECT_NAME` and the internal-`PORT` vs host-`BACKEND_PORT` distinction.
Packaging / license
- AnythingMCP is now licensed under AGPL-3.0 (OSI-approved open source), with operator-only cloud features kept under a separate commercial license in `ee/` directories. Self-hosting is unaffected. (#314, #315)
Upgrade
`docker compose pull && docker compose up -d`
No configuration changes required.
v0.1.33
Fixes
- auth: membership-based tenant isolation for `/mcp/:serverId` — multi-org users can reach every workspace they belong to; cross-org access stays denied (#311)
- auth: resolve OAuth org by id OR email — fixes a production 403 lockout where legitimate owners were denied their own MCP servers after OAuth login (#309)
- dashboard: Claude Desktop connection config now uses `type: "http"` (was the invalid `"url"`, which Claude Desktop silently skipped) (#310)
- weclapp: fix filter 400s via a general `__rawquery` engine passthrough — weclapp `property-operator` filters now work (#308)
Connectors
- 8 reverse-engineered read-only connectors live: Playtomic (+ public), OpenTable, Resy, Vinted, Untappd, Idealista, Trenitalia
- Etsy migrated to OAuth2 with automatic refresh-token rotation
Notes
No breaking changes. Tenant isolation remains fail-closed and was verified against production data.
v0.1.32 — Proxy / Web-Unblocker + Onboarding + Help Scout OAuth2
✨ Highlights
Proxy / Web-Unblocker (#280, #281, #282)
Route a tool's outbound request through a proxy or web-unblocker (e.g. Zyte API proxy mode) to reach anti-bot / geo / rate-limited APIs. Fixes the Deutsche Bahn connector that 403'd on Akamai-protected endpoints.
- Per-tool opt-in: `mcp_tools.use_proxy` (seeded from the adapter spec's `useProxy`), toggled via a per-tool UI checkbox shown only when `CONNECTOR_PROXY_URL` is set.
- Cloud rate limit: `PROXY_RATE_LIMIT_DEFAULT` (default 100) proxy calls/hour per workspace; over-cap returns an explicit error. Overridable only by a service admin via `organizations.proxy_rate_limit` (no API).
- Engine: REST + GraphQL attach an `HttpsProxyAgent`. SOAP/DB/MCP ignore it.
- Adapters shipped with `useProxy: true`: Deutsche Bahn, Playtomic (+ public), Sorare, OpenTable, Resy, Vinted, Untappd, idealista, Trenitalia, ImmobilienScout24, Etsy, Mercado Libre.
- Docs: `docs/connectors/proxy.md`.
Onboarding (#272, #273, #276)
- In-app `/welcome` wizard with a gate-aware redirect (respects LicenseWall + license-choice).
- Email drip cron for users who registered but never created a connector.
Connectors
- Help Scout → OAuth2 client-credentials with auto-refresh (#277).
- Clockify → expanded to 18 tools (#279).
- Sendcloud → `to_country` required to avoid 14s "all carriers" calls (#274).
Fixes
- Audit: resolve `user_id` from the JWT email so cloud analytics aren't always NULL (#275).
- License wall: hide on logout + auth routes, clear stale block state (#278).
v0.1.31 — Etsy OAuth2 + Deutsche Bahn rewrite + 7 reverse-engineered SaaS adapters
Adapters
- #250 — 7 reverse-engineered SaaS adapters: OpenTable, Resy, Vinted, Untappd, idealista, Trenitalia, Trainline
- #266 — Remove Trainline (TOS / instability — removed shortly after #250)
- #267 — Etsy → migrate to OAuth2 with refresh-token auto-rotation (long-lived auth, no more manual token rotation)
- #268 — Deutsche Bahn → rewrite adapter against bahn.de directly (drop the third-party `v6.db.transport.rest` proxy)
Fixes
- #249 — Playtomic logo: add `fill` style so the wordmark actually renders
v0.1.30 — DATEV + SAP + Playtomic + GA4 (9 PRs)
What's Changed
- Fix/dropdown option placement on touch by @ozer0602 in #235
- license: soft-warn cap policy + /usage endpoint + UsageBanner by @keysersoft in #239
- Update README to remove 'Fork' instruction by @CatWotan in #240
- connectors: render brand logos in the installed-connector list by @keysersoft in #241
- store: align Adapter Store cards with the marketing-site Marketplace by @keysersoft in #242
- connectors: add google-analytics-4 (Admin + Data + Realtime + Funnel) by @keysersoft in #243
- adapters: SAP Concur + Business One + S/4HANA Cloud + 2 engine extensions by @keysersoft in #245
- store: instructions panel + reveal-toggle in install modal + GA4 logo by @keysersoft in #244
- Playtomic: padel/tennis/futsal court search via MCP (full + public connectors + 15 SEO guides) by @keysersoft in #246
- datev: rewrite adapter against official OpenAPI specs by @keysersoft in #247
- Bump version to 0.1.30 by @keysersoft in #248
Full Changelog: v0.1.29...v0.1.30
API Auth Update
What's Changed
- Fix Copy button on http by @D3nisty in #223
- docs(sorare): embed launch video on the 3 announcement landings (DSGVO 2-click) by @keysersoft in #224
- docs(sorare): YouTube video embed on every Sorare guide (DSGVO 2-click) by @keysersoft in #226
- auth: mandatory email verification in cloud mode by @keysersoft in #227
- feat(settings): redesign organization settings page by @mirkopoloni in #229
- fix(css): add custom chevron arrow for select elements and adjust pad… by @ozer0602 in #228
- whatsapp-business: add WhatsApp Business Cloud API connector + multilingual guides by @keysersoft in #230
- connectors: add WordPress + WooCommerce adapters by @keysersoft in #231
- connector-batch-1: foundation + 81 new SaaS connectors (in progress) by @keysersoft in #232
- fix(docker): copy scripts/regenerate-catalog.mjs into backend builder by @keysersoft in #233
- connectors: batch 2a — 15 greenfield SaaS adapters (data, monitoring, time-tracking, social, support) by @keysersoft in #236
- connectors: batch 2b — 33 more greenfield SaaS adapters + engine fixes (catalog 134→167) by @keysersoft in #237
- connectors: enforce VIEWER role restriction on connector/tool creation by @keysersoft in #238
New Contributors
- @D3nisty made their first contribution in #223
- @mirkopoloni made their first contribution in #229
- @ozer0602 made their first contribution in #228
Full Changelog: v0.1.28...v0.1.29
v0.1.28 — LicenseWall covers cloud no-license + MCP runtime check is org-scoped
Follow-ups to v0.1.27 — see #221. LicenseWall now blocks the cloud UI when an org has no license (was silently allowed through after the per-org isolation fix). dynamic-mcp-tools now passes organizationId through to checkLicenseActive so MCP tool calls work in cloud.
v0.1.27 — Tenant-scoped license lookup
Highlights
Security/billing fix: cross-tenant license entitlement leak in cloud mode.
Pre-fix, an org with zero licenses could see another org's key as "License verified successfully" because getCurrentLicense fell back to a single instance-wide pointer (site_settings.license_key), and the unscoped POST /api/license/verify read from the same place. After this release, every license lookup in cloud mode is scoped to the calling organizationId.
- `getCurrentLicense`: in cloud, returns `null` when the calling org has no license. No global pointer fallback, no auto-binding of orphan licenses.
- `verifyLicense`: scoped to `organizationId` in cloud.
- `setLicenseKey` / `requestTrialLicense`: stop writing the global pointer in cloud; persist `organizationId` on the trial record.
- `verifyOnStartup`: no-op in cloud.
Self-hosted single-tenant behavior is unchanged — the site_settings.license_key mechanism still works for self-hosted installs.
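The leak and its fix side by side, as an added TypeScript example rather than the project's code: the `getCurrentLicensePreFix` / `getCurrentLicenseScoped` names, the in-memory `licenses` array and the sample key are constructed stand-ins for the real tables.

```typescript
// Added illustration, not AnythingMCP source. All data below is constructed.
type License = { key: string; organizationId: string | null };
type Mode = "cloud" | "self-hosted";

const licenses: License[] = [{ key: "AMCP-EXAMPLE-ORG-A", organizationId: "org-a" }];
// Instance-wide pointer (site_settings.license_key in the release note).
const siteSettings = { license_key: "AMCP-EXAMPLE-ORG-A" };

// Pre-fix behaviour as described: when the calling org owns no license, fall
// back to the global pointer, so org-b is shown org-a's entitlement.
function getCurrentLicensePreFix(orgId: string): License | null {
  const own = licenses.find((l) => l.organizationId === orgId);
  if (own) return own;
  return licenses.find((l) => l.key === siteSettings.license_key) ?? null;
}

// Post-fix behaviour: in cloud every lookup is keyed on the caller's
// organizationId and fails closed; the pointer is used only when self-hosted.
function getCurrentLicenseScoped(mode: Mode, orgId: string | null): License | null {
  if (mode === "cloud") {
    if (!orgId) return null; // no tenant context: deny
    return licenses.find((l) => l.organizationId === orgId) ?? null;
  }
  return licenses.find((l) => l.key === siteSettings.license_key) ?? null;
}

// Regression check for the leak: a lookup made as the license-less "org-b"
// must never return a record owned by a different organization.
function leaksAcrossTenants(lookup: (orgId: string) => License | null): boolean {
  const seen = lookup("org-b");
  return seen !== null && seen.organizationId !== "org-b";
}
```

Running `leaksAcrossTenants` against every license-reading code path is a cheap way to keep the global-pointer fallback from creeping back in.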
Companion PR
- anythingmcp#219 — the fix + 6 unit tests
- anythingmcp#220 — version bump
v0.1.26 — License activation handoff
Highlights
End-to-end license auto-activation between the cloud instance and anythingmcp.com/pricing:
- Activate License Key field is now always visible on `/settings/license` for admins — including during an active cloud trial. Previously hidden until the trial expired, which surprised customers who purchased a license mid-trial.
- Upgrade Plan / View Plans links carry a `return_url` pointing back to the originating cloud instance, driven by `NEXT_PUBLIC_MARKETING_URL` (default `https://anythingmcp.com`).
- New `/settings/license/activate` callback page: reads `?key=AMCP-...`, validates the format, calls `PUT /api/license/key` if an admin is signed in, otherwise bounces through `/login?redirect=...` and resumes activation after sign-in.
- Companion change on the marketing site (anythingmcp-website#57): after a successful Stripe checkout, the marketing site redirects the customer back to `${return_url}?key=<licenseKey>` (host allowlisted to prevent open-redirects), turning the email-and-paste loop into a one-click handoff.
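A sketch of the host allowlist check mentioned in the last item, added here as an example and not taken from the marketing site's code; the allowlisted hosts, the choice of fallback URL and the function name are assumptions.

```typescript
// Added illustration, not the marketing site's code. Hosts below are constructed.
const ALLOWED_RETURN_HOSTS = new Set(["cloud.example.com", "eu.cloud.example.com"]);
const FALLBACK_URL = "https://anythingmcp.com/pricing";

// Builds the post-checkout redirect `${return_url}?key=<licenseKey>`, or
// returns the fallback when return_url fails any check.
function buildActivationRedirect(returnUrl: string, licenseKey: string): string {
  let url: URL;
  try {
    url = new URL(returnUrl); // relative ("//host/x") or malformed input throws
  } catch {
    return FALLBACK_URL;
  }
  if (url.protocol !== "https:") return FALLBACK_URL; // no http:, javascript:, data:
  if (url.username !== "" || url.password !== "") return FALLBACK_URL; // user@host forms
  // Exact match on the parsed host (which includes any non-default port, so the
  // port is pinned too). Prefix, suffix or substring checks on the raw string
  // would accept look-alikes such as "cloud.example.com.attacker.test".
  if (!ALLOWED_RETURN_HOSTS.has(url.host)) return FALLBACK_URL;
  url.hash = "";
  url.searchParams.set("key", licenseKey); // value is percent-encoded
  return url.toString();
}

// Constructed inputs that must all resolve to the fallback.
const REJECTED_SAMPLES = [
  "https://cloud.example.com.attacker.test/settings/license/activate",
  "https://cloud.example.com@attacker.test/settings/license/activate",
  "https://cloud.example.com:8443/settings/license/activate",
  "http://cloud.example.com/settings/license/activate",
  "//attacker.test/settings/license/activate",
  "javascript:alert(1)",
];
```

Because the license key travels in the query string, the allowlist is also what keeps a freshly purchased key from being delivered to a host the operator does not control.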
Companion PRs
- anythingmcp#216 — cloud frontend
- anythingmcp-website#57 — marketing site
- anythingmcp#217 — version bump
v0.1.25 — Sorare adapter, LOGIN_TOKEN auth, GraphQL schema-slicing for every connector
First release that ships a full GraphQL story end-to-end. The Sorare Fantasy Football adapter lands, the new `LOGIN_TOKEN` AuthType lets adapters describe any bcrypt-style sign-in handshake declaratively, and every GraphQL connector — catalog or user-created — now gets a server-side schema-slicing proxy baked in so agents can drive APIs whose introspection is disabled or whose SDL is too large for the context window.
New: Sorare Fantasy Football adapter (18 tools)
Built-in adapter for Sorare's GraphQL API. Bcrypt-salted login, JWT cached for ~30 days, automatic re-issue 24 h before expiry and on any 401. Featured on the homepage with `priority: 100`.
Tools (live-audited against api.sorare.com with real credentials, 17/19 happy-path pass, the two remaining are deliberate NOT_FOUND probes against fake IDs):
- Identity & wallet: `sorare_current_user`, `sorare_wallet_balance`, `sorare_my_trophies_summary`, `sorare_user_by_slug`
- Cards & inventory: `sorare_list_my_cards`, `sorare_get_card_by_slug`, `sorare_list_player_cards`
- Players & form: `sorare_search_player`, `sorare_player_recent_scores`, `sorare_player_floor_price`
- Market & auctions: `sorare_live_sale_offers`, `sorare_token_prices`, `sorare_get_auction`, `sorare_get_lineup`
- Generic GraphQL escape hatch (auto-injected for every GraphQL connector): `sorare_graphql_schema_url`, `sorare_graphql_schema`, `sorare_graphql_query`, `sorare_graphql_mutation`, `sorare_graphql_subscription`
Five multilingual MDX guides for the marketing site (en/de/it × ChatGPT/Claude/OpenClaw/generic MCP) plus five SEO-targeted Markdown guides under `docs/guides/` so GitHub Search surfaces `sorare-to-mcp`, `connect-sorare-to-claude`, `connect-sorare-to-chatgpt`, `connect-sorare-to-openclaw`, `connect-sorare-to-cloud`.
New: `LOGIN_TOKEN` AuthType
A declarative spec for APIs that POST credentials → receive a long-lived bearer, optionally with client-side bcrypt against a salt fetched from the upstream. Adapter authors describe the entire flow in JSON; no per-provider code.
The shared `LoginTokenService` handles salt fetch → bcrypt → `signIn` → token cache (in-memory + AES-256-GCM-encrypted DB row in the new `connector_auth_cache` table) → proactive refresh ≥ 24 h before expiry → forced re-login on 401, all behind a per-key mutex.
Wired into both the REST and GraphQL engines (`injectAuth` + 401-retry path). Field-by-field reference: `docs/connectors/login-token-auth.md`.
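How the token cache, proactive refresh, 401 retry and per-key mutex fit together, as an added TypeScript example that is not the project's `LoginTokenService`; `TokenCache`, `withAuthRetry` and the `LoginFn` callback are hypothetical names, and the encrypted DB layer is left out.

```typescript
// Added illustration, not AnythingMCP's LoginTokenService; names are hypothetical.
type Token = { value: string; expiresAt: number }; // expiresAt in epoch ms
type LoginFn = () => Promise<Token>; // stands in for salt fetch -> bcrypt -> signIn

const REFRESH_MARGIN_MS = 24 * 60 * 60 * 1000; // re-login >= 24 h before expiry

class TokenCache {
  private tokens = new Map<string, Token>();
  private inflight = new Map<string, Promise<Token>>(); // the per-key mutex
  private now: () => number;

  constructor(now: () => number = Date.now) {
    this.now = now; // injectable clock so expiry logic is testable
  }

  // Returns the cached bearer unless it is inside the refresh margin or the
  // caller forces a re-login (used after an upstream 401).
  async get(key: string, login: LoginFn, force = false): Promise<string> {
    const cached = this.tokens.get(key);
    if (!force && cached && cached.expiresAt - this.now() > REFRESH_MARGIN_MS) {
      return cached.value;
    }
    // Single-flight: concurrent callers for one key share one login, so a
    // burst of tool calls cannot fan out into parallel sign-ins.
    let pending = this.inflight.get(key);
    if (!pending) {
      pending = login()
        .then((t) => { this.tokens.set(key, t); return t; })
        .finally(() => { this.inflight.delete(key); });
      this.inflight.set(key, pending);
    }
    return (await pending).value;
  }
}

// On a 401, force exactly one re-login and retry once; never loop.
async function withAuthRetry(
  cache: TokenCache,
  key: string,
  login: LoginFn,
  send: (bearer: string) => Promise<{ status: number }>,
): Promise<{ status: number }> {
  const first = await send(await cache.get(key, login));
  if (first.status !== 401) return first;
  return send(await cache.get(key, login, true));
}
```

Capping the retry at one attempt matters for upstreams that lock accounts after repeated sign-ins: a revoked credential produces one extra login, not a loop.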
New: GraphQL schema-slicing proxy — every GraphQL connector, automatically
Every connector of type `GRAPHQL` — both catalog adapters and user-created connectors — automatically receives five generic helper tools at creation time:
| Tool | What it does |
|---|---|
| `_graphql_schema_url` | Returns the URL of the SDL. |
| `_graphql_schema` | Proxy + filter the SDL through the MCP server. Default = compact summary (~20–30 KB), `type: "X"` = one type's full definition (~1–5 KB), `search: "keyword"` = matching type blocks, `full: true` = entire SDL. Solves both "introspection is disabled in production" and "the SDL is 200 K tokens". |
| `_graphql_query` / `_mutation` / `_subscription` | Execute arbitrary GraphQL operations; the document and variables are tool params. |
Catalog adapters get them via `adapters/catalog.ts.withGraphqlBuiltins`; user-created connectors get them via `connectors.controller.ts`, parallel to the existing DATABASE auto-tools logic.
The `GraphqlSchemaService` caches the SDL per URL for 24 h and parses block boundaries with a tiny line-based scanner — no full GraphQL parser dependency.
Engine improvements
- `GraphqlEngine` learns `method: "static"` (return `endpointMapping.path` verbatim, no HTTP call) and `method: "schema"` (delegate to `GraphqlSchemaService`).
- A new `path: "$paramName" + variablesFromParam` form lets generic tools take the GraphQL document and the variables map from tool params at runtime (used by the three op-builtins).
- `AdapterMeta` gains optional `featured?: boolean` and `priority?: number` so the marketing site can rank adapters in the home rail without a code change there.
Schema & migration
- Prisma schema: `AuthType` enum gains `LOGIN_TOKEN`; new `ConnectorAuthCache` model. Migration `20260518000000_add_login_token_auth` ships in this release.
Documentation
- New: `docs/guides/sorare-to-mcp.md`, `connect-sorare-to-claude.md`, `connect-sorare-to-chatgpt.md`, `connect-sorare-to-openclaw.md`, `connect-sorare-to-cloud.md`.
- New: `docs/connectors/login-token-auth.md`.
- `docs/tool-definition.md` gets a LOGIN_TOKEN authConfig section and a GraphQL section covering `method: "static"`, `method: "schema"`, and the `$param + variablesFromParam` pattern.
- README: new 🎮 Gaming & Web3 — featured rail putting Sorare in front, plus a Featured adapter walkthroughs sub-section under Connector guides linking the five Sorare guides for in-repo discoverability.
Fixes
- Sale-offer prices came back as zero because the query read `senderSide.amounts` — for a sale offer the sender is the seller, not the buyer. Switched `sorare_live_sale_offers` and `sorare_get_card_by_slug` to `receiverSide.amounts` so prices actually show up.
- Several Sorare query field names were wrong against the real schema (`football.players(search:…)`, `currentUser.football.myCards`, `Player.cards`, `So5AppearanceBonusInterface.name`). All rewritten against the production SDL.
- The cloud went down briefly after #199 because `McpServerModule` registers its own copy of `RestEngine` / `GraphqlEngine` and didn't have `LoginTokenService` as a provider — fixed in #201.
Tests
746 backend tests pass (up from 694 at v0.1.24). New coverage:
- `LoginTokenService` unit specs (login flow, cache hit, force-relogin, fallback TTL, missing token error).
- `GraphqlSchemaService` unit specs (full / type slice / search / summary / cache).
- `GraphqlEngine` specs for the new `static` / `schema` / `$param` paths.
- `graphql-builtins` unit specs (slugify edge cases + five-tool shape).
- Catalog parametrised tests now assert every GRAPHQL adapter exposes the five builtins.