Changelog

Notable changes to the Gummble API, MCP server, and platform.

We follow semver-ish: breaking changes ship at /v2 (not yet released) and are announced 30 days in advance.

2026-05-23 · v1.4.0

  • NEW /oauth/session browser-bridge endpoint for cross-domain OAuth flows.
  • FIX application_type and other RFC 7591 standard fields are now accepted on DCR (previously rejected by whitelist validator).
  • FIX /oauth/authorize was returning 401 JSON for anonymous users; now correctly 302s to the FE login page with return_to.
  • FIX oauth_csrf cookie check is now actually enforced (previously silent no-op due to missing cookie-parser).

2026-05-15 · v1.3.0

  • NEW MCP server hosted at mcp.gummble.com with OAuth 2.1 RS.
  • NEW RFC 8414 + 7517 + 7591 + 9728 + 8707 metadata endpoints.
  • NEW Per-user rate limiting on MCP via Cloudflare KV.

2026-04-30 · v1.2.0

  • NEW Visual search endpoint with embedding cosine similarity.
  • NEW Magic-byte image validation on uploads.
  • CHG SSRF protection now scans request bodies recursively, not just hardcoded fields.

2026-04-10 · v1.1.0

  • NEW Webhook signing with HMAC-SHA256 + replay protection.
  • NEW Refresh token reuse detection with family-level revocation.
  • CHG Rate limiter now keys per-user for authenticated traffic.

2026-03-20 · v1.0.0

  • Initial public release. REST API, web app, billing via Polar.