1.10.0 (2026-03-19)

@github-actions github-actions released this 19 Mar 17:23
babbf01

Features

Add allow_anonymous_mcp_discovery setting to allow unauthenticated access to MCP discovery methods (e.g. tools/list) when OAuth is enabled - @andrewmcgivery #685

Example:

transport:
  auth:
    allow_anonymous_mcp_discovery: true

Add discovery_headers option to auth config - @andrewmcgivery #697

Add discovery_headers option to auth config for attaching custom headers to OIDC discovery and JWKS requests. This is useful when upstream OAuth servers or WAFs require headers like User-Agent.

transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    resource: https://mcp.example.com
    scopes:
      - read
    discovery_headers:
      User-Agent: apollo-mcp-server

New Rhai-based extensibility - @andrewmcgivery #681

With this release, we're introducing our first extensibility mechanism for the MCP Server. It uses Rhai as the script engine and allows you to hook into the MCP Server lifecycle.

For this release, we've introduced a single lifecycle hook:

fn on_execute_graphql_operation(context){

}

From within this hook you can do a number of things including:

  • Logging with print/debug
  • Get/set the graphql endpoint with context.endpoint
  • Get info about the incoming request with context.incoming_request.headers["authorization"]
  • Get environment variables with Env::get("MY_VARIABLE")
  • Sha256 hashes using Sha256::digest("my string")
  • Get/set outgoing headers using context.headers["x-my-header"] = "hello"
  • End requests early like throw #{ code: ErrorCode::INVALID_REQUEST, message: "I ended!" }
  • JSON with JSON::stringify(obj) and JSON::parse(json_string)
  • Regex operations like Regex::is_match("hello world", "hello"); and Regex::replace("foo bar foo", "foo", "baz"); and Regex::matches("abc 123 def 456", "\\d+");

We've got more hooks and functions that we're looking at introducing (e.g. an on_startup hook and an Http::get() method), but we'd love to hear feedback on what you'd like to see made available!

Implement Step-up Authorization Flow - @DaleSeo #672

Implements the step-up authorization flow from the MCP specification: when a client presents a valid token that lacks the scopes required for a specific operation, the server responds with HTTP 403 and a WWW-Authenticate: Bearer error="insufficient_scope", scope="..." header. The client can use this signal to re-authorize with elevated scopes and retry the request.
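Client-side handling of this signal, as an added example that is not part of the release notes or the project's code: it parses the Bearer challenge and decides which scopes to request on re-authorization. The function names, the constructed sample header, and the choice to request the union of granted and required scopes are assumptions of this example.

```python
import re

# auth-param: name = quoted-string | token (handles one Bearer challenge per header)
_PARAM = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

# Constructed sample response headers, not captured from a real server.
SAMPLE_HEADERS = {
    "WWW-Authenticate": 'Bearer error="insufficient_scope", scope="read write"'
}


def parse_bearer_challenge(value):
    """Return the auth-params of a Bearer challenge as a dict, or None."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escaping inside quoted strings.
        text = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        params[name.lower()] = text
    return params


def step_up_scopes(status, headers, granted):
    """Scopes to request when re-authorizing, or None if no step-up applies."""
    if status != 403:
        return None
    # HTTP header names are case-insensitive.
    value = next(
        (v for k, v in headers.items() if k.lower() == "www-authenticate"), None
    )
    if value is None:
        return None
    params = parse_bearer_challenge(value)
    if not params or params.get("error") != "insufficient_scope":
        return None
    required = set(params.get("scope", "").split())
    if not required - set(granted):
        # Nothing new to ask for: a retry would loop, so surface the 403 instead.
        return None
    # Assumption of this example: keep existing scopes and add the required ones.
    return set(granted) | required


if __name__ == "__main__":
    print(sorted(step_up_scopes(403, SAMPLE_HEADERS, {"read"})))
```

Returning None when the token already holds every listed scope keeps a misconfigured server from driving the client into an endless re-authorization loop.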

Fixes

Fix OTLP HTTP exporter failing to connect to HTTPS endpoints - @ochoav #695

When the workspace upgraded from reqwest 0.12 to 0.13, Cargo feature unification stopped applying the workspace's TLS features to the reqwest 0.12 still used internally by opentelemetry-otlp. This left the OTLP HTTP exporter's reqwest client with no TLS backend, causing "invalid URL, scheme is not http" errors when exporting to any https:// telemetry endpoint (e.g. Langfuse, New Relic). Adding the reqwest-rustls feature to opentelemetry-otlp restores TLS support for the internal reqwest 0.12 client.