Release notes

Changelog

Every release, every change. We ship in the open — see what's new, what's improved, and what's coming next.

v1.0.3 2026-04-09
OAuth 2.1 authorization server — Claude connects natively.

Remote MCP via OAuth 2.1

  • Full OAuth 2.1 authorization server lives at api.apilocker.app. PKCE-mandatory (S256), Dynamic Client Registration per RFC 7591, refresh-token rotation with family-wide reuse detection, RFC 8414 metadata discovery, RFC 9728 protected-resource metadata. Any MCP client that speaks the modern remote-MCP spec can connect over HTTPS with no pasted master tokens — just a consent screen click.
  • Claude Connectors Directory submission-ready. Matches every technical requirement in Anthropic's submission guide: Streamable HTTP transport, OAuth 2.0 authorization code flow, safety annotations (readOnlyHint / destructiveHint / idempotentHint / openWorldHint) on all 21 MCP tools, CORS allowlisted for claude.ai + claude.com.
  • New consent screen at /oauth-consent with the brand-new API Locker mascot, scope descriptions in plain English, user-email display, explicit trust warning, and Approve/Deny buttons. Preserves return_to through the OAuth round-trip so users land back on the consent page after sign-in.
  • Three scopes: vault:read (list/get/reveal/activity/doctor), vault:write (store/rotate/rename/pause/resume/delete/tokens/devices), vault:proxy (make proxied API calls through stored credentials). Enforced per-tool on the MCP endpoint.

Connected MCP clients panel

  • New dashboard panel: view and revoke every remote MCP client you've authorized. Each entry shows the client name, logo, requested scopes, first-authorized timestamp, last-active timestamp, and a one-click Revoke button. Revoking kills every access token AND refresh token in the grant family in a single statement — the client must re-authorize through the consent screen to reconnect.
  • New endpoints: GET /v1/oauth/grants lists your active grants (grouped by refresh-token family, not raw token rows), and POST /v1/oauth/grants/:id/revoke kills one. Both session-authed, and the user_id check in the revoke query prevents cross-user revocation.
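As an added illustration (not API Locker's code), here is an in-memory model of the mechanics the two sections above describe: single-use refresh tokens grouped into a grant family, family-wide revocation when a consumed token is presented again, and the owner check on the Revoke path. The class, field and token names are hypothetical.

```typescript
// Added example, not API Locker's code: in-memory model of single-use refresh tokens
// in a grant family, with reuse detection and a per-user revoke check. Names are hypothetical.
type Access = { token: string; family: string; revoked: boolean };
type Refresh = Access & { used: boolean };
type Family = { id: string; userId: string; clientId: string };

class TokenStore {
  private families: Family[] = [];
  private access: Access[] = [];
  private refreshTokens: Refresh[] = [];
  private n = 0;
  // Deterministic ids keep the example reproducible; a real server uses CSPRNG output.
  private mint(prefix: string): string { this.n += 1; return `${prefix}_${this.n}`; }
  private issue(family: string): { access: string; refresh: string } {
    const a = this.mint("at"), r = this.mint("rt");
    this.access.push({ token: a, family, revoked: false });
    this.refreshTokens.push({ token: r, family, revoked: false, used: false });
    return { access: a, refresh: r };
  }

  // Consent approved: start a new grant family for this user + client.
  grant(userId: string, clientId: string): { family: string; access: string; refresh: string } {
    const id = this.mint("fam");
    this.families.push({ id, userId, clientId });
    return { family: id, ...this.issue(id) };
  }

  // Rotation: a refresh token works exactly once. A second presentation means a stale
  // copy exists somewhere (client bug or theft), so the whole family is revoked.
  refresh(presented: string): { access: string; refresh: string } | null {
    const rec = this.refreshTokens.find((x) => x.token === presented);
    if (!rec || rec.revoked) return null;
    if (rec.used) { this.revokeFamily(rec.family); return null; }
    rec.used = true;
    return this.issue(rec.family);
  }

  // Dashboard Revoke: with a user id, only the owner may revoke; every access AND
  // refresh token in the family dies at once.
  revokeFamily(family: string, asUser?: string): boolean {
    const fam = this.families.find((f) => f.id === family);
    if (!fam || (asUser !== undefined && fam.userId !== asUser)) return false;
    this.access.forEach((a) => { if (a.family === family) a.revoked = true; });
    this.refreshTokens.forEach((r) => { if (r.family === family) r.revoked = true; });
    return true;
  }
  accessValid(token: string): boolean {
    const a = this.access.find((x) => x.token === token);
    return a !== undefined && !a.revoked;
  }
}
```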

Dynamic OAuth sign-in provider registry

  • Adding a new sign-in provider is now a one-object code change. src/oauth-providers.ts is the canonical registry — each entry defines authorize URL, token URL, user-info URL, scopes, and a mapping function from the provider's user-info response to our normalized shape. Routes /v1/auth/:provider and /v1/auth/:provider/callback dispatch generically.
  • Five providers pre-registered: Google, GitHub, LinkedIn, Slack, Microsoft. Only Google and GitHub are enabled today (because they have credentials in the vault) — the others are one dashboard click away.
  • Login / signup pages render provider buttons dynamically from GET /v1/auth/providers. Zero HTML edits needed to enable a new provider. And return_to now round-trips through the OAuth dance correctly, so deep-linked sign-in flows work.

Infrastructure + polish

  • CORS bug fix: cross-origin callers now get the correct Access-Control-Allow-Origin header. Previously every response baked in www.apilocker.app regardless of the caller's Origin, which worked by coincidence for the dashboard but would have blocked Claude and every other cross-origin caller.
  • MCP protocol version negotiation: the server now supports the 2025-06-18, 2025-03-26, and 2024-11-05 spec versions and echoes back whichever the client asks for.
  • New brand identity: the API Locker mascot logo is live everywhere — favicons, Open Graph social share image, the consent screen, the dashboard, and the top of the GitHub + npm READMEs. 9 size variants hosted at /brand/.
  • Multi-lane contact: new support@, security@, feedback@, privacy@, and legal@ email addresses, all routed through Cloudflare Email Routing. Wired into every footer, the docs, the privacy policy, the terms, and the README.
  • Terms of service updated with a dedicated MCP server section (3a) covering local stdio bridge vs. remote OAuth 2.1 flow, user responsibility when approving third-party clients, revocation semantics, audit logging, and refresh token theft protection.
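The CORS fix described above, as an added example that is not the project's code: the old constant header beside an allowlist check that echoes the caller's Origin. The allowlist values are assumed from the notes (the dashboard origin plus claude.ai and claude.com).

```typescript
// Added example, not API Locker's code: the constant-header CORS bug beside an
// allowlist that echoes the caller's Origin. Allowlist values are assumed from the notes.
const ALLOWED_ORIGINS: string[] = [
  "https://www.apilocker.app", // dashboard
  "https://claude.ai",
  "https://claude.com",
];

// Before: one baked-in value. The dashboard matched by coincidence; claude.ai
// received a header naming a different origin and the browser blocked the response.
function corsHeadersBefore(_origin: string | null): Record<string, string> {
  return { "Access-Control-Allow-Origin": "https://www.apilocker.app" };
}

// After: echo the Origin only on an exact allowlist hit (no suffix or substring
// matching, which would admit claude.ai.evil.example), and add Vary: Origin so a
// shared cache never hands one origin's header to another. Unknown origins get no
// CORS header at all, which the browser treats as a block.
function corsHeadersAfter(origin: string | null): Record<string, string> {
  if (origin === null || !ALLOWED_ORIGINS.includes(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// The browser's decision: the response is readable cross-origin only when the
// header exactly equals the requesting page's origin (a "*" wildcard is not
// considered here).
function browserAllows(origin: string, headers: Record<string, string>): boolean {
  return headers["Access-Control-Allow-Origin"] === origin;
}
```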

End-to-end verified

  • Every step of the OAuth 2.1 flow has been tested against production: DCR → authorize → consent → token exchange → MCP initialize → tools/list → store_key → reveal_key → delete_key → Connected clients panel → Revoke → access/refresh both rejected. 16/16 steps pass.
v1.0.2 2026-04-09
Published to the official MCP Registry.

Registry publishing

  • Listed on registry.modelcontextprotocol.io as io.github.apilocker/apilocker. Any AI tool that auto-discovers MCP servers via the canonical registry can now find API Locker.
  • mcpName field added to package.json — required by the MCP Registry's package-ownership verification flow. No runtime impact; pure metadata.
  • Repo-level server.json describes the stdio bridge for the MCP Registry listing: npm package identifier, transport, and the apilocker mcp positional argument.
v1.0.1 2026-04-09
Partial OAuth rotation + seamless vault-backed sign-in.

Partial OAuth credential rotation

  • apilocker rotate <alias> --field <name> — rotate just the client_secret or refresh_token of an OAuth credential without touching client_id, authorize URL, token URL, scopes, or redirect URI. The server decrypts the existing blob, merges the new field(s), re-encrypts, and bumps rotated_at. Scoped tokens that reference the credential keep working unchanged.
  • Dashboard Rotate Secret button on every OAuth credential card. Opens a modal with a "New client secret" password field + an optional "New refresh token" field. Submit goes through the new partial-rotation endpoint. Audit log records which fields were swapped (/rotate:client_secret vs /rotate:client_secret,refresh_token).
  • POST /v1/keys/:keyId/rotate extended: body for api_key still { key }, body for oauth2 now { client_secret?, refresh_token? }. Response includes rotated_fields so the CLI and dashboard can display what changed.

Vault-backed OAuth sign-in (dogfooding the vault)

  • The API Worker now reads its own Google and GitHub OAuth credentials from its own vault at runtime. A new src/vault-client.ts helper decrypts directly from KV + D1 with a 60-second in-memory cache — no HTTP loopback, no bootstrap token. The only Worker-level config is APILOCKER_SERVICE_USER_ID.
  • Rotating the Worker's own OAuth secrets is now a one-paste operation in the dashboard. Previously required four manual wrangler secret put calls synchronized across two providers, which bit us three times on the same literal-vs-placeholder paste mistake. That entire failure mode is gone.
  • Wrangler secret cleanup: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GOOGLE_CLIENT_ID, and GOOGLE_CLIENT_SECRET are no longer needed as Worker secrets and have been deleted from production.

Monorepo + packaging

  • Source code now lives at github.com/apilocker/apilocker as a monorepo (api/, cli/, site/). The CLI's package.json repository.url points at the monorepo with directory: "cli", and the npm package page shows the real repo.
v1.0.0 2026-04-08
One vault, three types of credentials.

The 1.0 release

  • Three credential types now first-class: LLM API keys, service API keys, and OAuth credentials. 34 provider templates total.
  • OAuth credentials as a full multi-field type. Store client_id, client_secret, refresh_token, scopes, and endpoints as a single named credential. 14 pre-configured templates: Google, GitHub App, Slack, Microsoft, Notion, Spotify, Twitter/X, LinkedIn, Discord, Zoom, Dropbox, Salesforce, HubSpot, plus Custom OAuth.
  • apilocker run injects OAuth credentials as multiple env vars. A credential named google-oauth contributes GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, GOOGLE_OAUTH_REFRESH_TOKEN, etc. — one env var per non-empty field.
  • Three-bucket dashboard. Keys panel now shows LLM / Service / OAuth as three distinct sections, each with its own "+ Add" button that pre-selects the right tab in the Add Key modal.
  • Homepage rewritten with three-pillar positioning: "One vault, three types of credentials."

New credential operations

  • apilocker rename <old> <new> — lossless rename. Old names are remembered forever via a previous_names fallback, so existing .apilockerrc files and app code that reference the old name keep working. The CLI prints a gentle nudge whenever a legacy alias is used.
  • apilocker pause <alias> / resume — freeze proxy access without deleting. Reveal / run / get / env still work on paused credentials, so you can still rotate or inspect during incident response.
  • ElevenLabs provider template with the non-standard xi-api-key header correctly supported end-to-end through the proxy.
  • Custom header name support in provider templates for any service with a non-standard auth header.

Security + operations

  • OAuth CSRF protection: the GitHub/Google OAuth callbacks now require a valid state parameter bound to a 10-minute KV window. Stale callbacks are rejected with HTTP 400.
  • Per-device master tokens with independent revocation. Revoking a device takes effect instantly and only affects that device.
  • Open-redirect protection on OAuth return_to parameters (same-origin validation).
  • Vault-only credentials are now first-class: base_url is optional. Credentials stored without one work with apilocker run/get/env but are not proxyable — a clear error message explains how to enable proxy access if you want it.
  • Cleanup cron for expired device authorization codes.
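The same-origin return_to validation mentioned above, as an added example (not the project's code). SITE_ORIGIN and the fallback path are assumptions; the point shown is that resolving the raw value against our own origin first, then comparing origins, is what catches the protocol-relative, backslash and scheme-based forms that a plain prefix check misses.

```typescript
// Added example, not API Locker's code: same-origin validation for an OAuth
// return_to parameter. SITE_ORIGIN and DEFAULT_RETURN are assumed values.
const SITE_ORIGIN = "https://www.apilocker.app";
const DEFAULT_RETURN = "/dashboard"; // hypothetical fallback when return_to is unusable

// Resolve return_to against our own origin and keep it only if the resulting
// origin is ours. Resolving first is what defeats protocol-relative
// ("//evil.example"), backslash ("/\\evil.example") and scheme ("javascript:")
// forms: each resolves to a foreign or "null" origin and is dropped.
function safeReturnTo(raw: string | null): string {
  if (raw === null || raw === "") return DEFAULT_RETURN;
  let url: URL;
  try {
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return DEFAULT_RETURN; // unparseable input never becomes a redirect target
  }
  if (url.origin !== SITE_ORIGIN) return DEFAULT_RETURN;
  // Re-emit as a path so no caller-supplied absolute URL reaches the Location header.
  return url.pathname + url.search + url.hash;
}
```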
v0.5.0 2026-04-08
The trust layer.
  • apilocker doctor — security health report. Flags stale rotations, unused keys, expiring tokens, stale devices, and insecure local config permissions. Every warning comes with a concrete remedy command.
  • apilocker activity --follow — stream new proxy calls live, like tail -f. Polls every 2 seconds and dedupes by ID. Perfect for debugging during development.
  • apilocker update — check the npm registry for a newer version and show the upgrade command.
v0.4.0 2026-04-08
Onboarding + organization + hygiene.
  • apilocker import .env — migrate an existing project in 30 seconds. Reads a .env file, auto-detects providers from variable name prefixes, stores each secret, and offers to replace the .env with a committable .apilockerrc.
  • apilocker rotate <alias> — replace a credential's value in place with a masked-input prompt. Scoped tokens that reference the key continue working without reissue.
  • Tags and filters on apilocker list: filter by tag, provider, or substring search. Also added --tag as a repeatable flag on apilocker store.
v0.3.0 2026-04-08
The ".env replacement" trio.
  • apilocker run -- <command> — the killer feature. Run any subprocess with vault secrets injected as environment variables. Raw secrets never touch disk, never hit shell history, never get committed to git. Ctrl+C, SIGTERM, and SIGHUP are forwarded to the child cleanly.
  • apilocker get <alias> — print a single secret to stdout for scripting.
  • apilocker env — emit shell-eval-able export statements. Supports sh / bash / zsh / fish / PowerShell formats.
  • apilocker init + .apilockerrc support — pin a project to a specific set of credentials with a committable config file. After apilocker init, running apilocker run in that directory automatically picks up the right keys.
v0.2.0 2026-04-08
Browser-based device authorization.
  • apilocker register rewritten to use the RFC 8628 device authorization flow. No more pasted master tokens. Opens your browser for a one-click confirmation, same pattern as gh, vercel, wrangler.
  • apilocker devices list / revoke — manage devices registered to your account directly from the CLI.
  • Dashboard gets a Devices tab with matching list + revoke.
v0.1.x 2026-04-08
Initial public beta.
  • First public release. Encrypted credential vault with CLI register, store, list, delete, token, activity. 19 provider templates for major API services. Published to npm as apilocker.
