Changelog
Notable changes to the Gummble API, MCP server, and platform.
We follow semver-ish: breaking changes ship at /v2 (not yet released)
and are announced 30 days in advance.
2026-05-23 · v1.4.0
- NEW
/oauth/sessionbrowser-bridge endpoint for cross-domain OAuth flows. - FIX
application_typeand other RFC 7591 standard fields are now accepted on DCR (previously rejected by whitelist validator). - FIX
/oauth/authorizewas returning 401 JSON for anonymous users; now correctly 302s to the FE login page withreturn_to. - FIX
oauth_csrfcookie check is now actually enforced (previously silent no-op due to missing cookie-parser).
2026-05-15 · v1.3.0
- NEW MCP server hosted at
mcp.gummble.comwith OAuth 2.1 RS. - NEW RFC 8414 + 7517 + 7591 + 9728 + 8707 metadata endpoints.
- NEW Per-user rate limiting on MCP via Cloudflare KV.
2026-04-30 · v1.2.0
- NEW Visual search endpoint with embedding cosine similarity.
- NEW Magic-byte image validation on uploads.
- CHG SSRF protection now scans request bodies recursively, not just hardcoded fields.
2026-04-10 · v1.1.0
- NEW Webhook signing with HMAC-SHA256 + replay protection.
- NEW Refresh token reuse detection with family-level revocation.
- CHG Rate limiter now keys per-user for authenticated traffic.
2026-03-20 · v1.0.0
- Initial public release. REST API, web app, billing via Polar.