release 0.7.0 (#227)

release 0.7.0

This commit includes new changes to allow for adding auth mechanisms to the MCP protocol, alongside documentation changes.

---

Co-authored-by: Michelle Mabuyo <[email protected]>

Author: nicholascioli

.changesets/feat_nc_authnz.md

@@ -4,6 +4,58 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+# [0.7.0] - 2025-08-04
+
+## 🚀 Features
+
+### feat: add mcp auth - @nicholascioli PR #210
+
+The MCP server can now be configured to act as an OAuth 2.1 resource server, following
+guidelines from the official MCP specification on Authorization / Authentication (see
+[the spec](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)).
+
+To configure this new feature, a new `auth` section has been added to the SSE and
+Streamable HTTP transports. Below is an example configuration using Streamable HTTP:
+
+```yaml
+transport:
+  type: streamable_http
+  auth:
+    # List of upstream delegated OAuth servers
+    # Note: These need to support the OIDC metadata discovery endpoint
+    servers:
+    - https://auth.example.com
+
+    # List of accepted audiences from upstream signed JWTs
+    # See: https://www.ory.sh/docs/hydra/guides/audiences
+    audiences:
+    - mcp.example.audience
+
+    # The externally available URL pointing to this MCP server. Can be `localhost`
+    # when testing locally.
+    # Note: Subpaths must be preserved here as well. So append `/mcp` if using
+    # Streamable HTTP or `/sse` is using SSE.
+    resource: https://hosted.mcp.server/mcp
+
+    # Optional link to more documentation relating to this MCP server.
+    resource_documentation: https://info.mcp.server
+
+    # List of queryable OAuth scopes from the upstream OAuth servers
+    scopes:
+    - read
+    - mcp
+    - profile
+```
+
+## 🐛 Fixes
+
+### Setting input_schema properties to empty when operation has no args ([Issue #136](https://github.com/apollographql/apollo-mcp-server/issues/136)) ([PR #212](https://github.com/apollographql/apollo-mcp-server/pull/212))
+
+To support certain scenarios where a client fails on an omitted `properties` field within `input_schema`, setting the field to an empty map (`{}`) instead. While a missing `properties` field is allowed this will unblock
+certain users and allow them to use the MCP server.
+
+
+
 # [0.6.1] - 2025-07-29
 
 ## 🐛 Fixes

.changesets/fix_locay_properties_empty_map.md

@@ -8,7 +8,7 @@ members = [
 
 [workspace.package]
 authors = ["Apollo <[email protected]>"]
-version = "0.6.1"
+version = "0.7.0"
 
 [workspace.dependencies]
 apollo-compiler = "1.27.0"

CHANGELOG.md

@@ -229,7 +229,9 @@ impl ServerHandler for Running {
                 // Optionally extract the validated token and propagate it to upstream servers
                 // if found
                 let mut headers = self.headers.clone();
-                if let Some(token) = context.extensions.get::<ValidToken>() {
+                if let Some(axum_parts) = context.extensions.get::<axum::http::request::Parts>()
+                    && let Some(token) = axum_parts.extensions.get::<ValidToken>()
+                {
                     headers.typed_insert(token.deref().clone());
                 }
 

Cargo.lock

@@ -26,14 +26,14 @@ To download a **specific version** of Apollo MCP Server (recommended for CI envi
 
 ```bash
 # Note the `v` prefixing the version number
-docker image pull ghcr.io/apollographql/apollo-mcp-server:v0.6.1
+docker image pull ghcr.io/apollographql/apollo-mcp-server:v0.7.0
 ```
 
 To download a specific version of Apollo MCP Server that is a release candidate:
 
 ```bash
 # Note the `v` prefixing the version number and the `-rc` suffix
-docker image pull ghcr.io/apollographql/apollo-mcp-server:v0.6.1-rc.1
+docker image pull ghcr.io/apollographql/apollo-mcp-server:v0.7.0-rc.1
 ```
 
 <Note>
@@ -65,7 +65,7 @@ To install or upgrade to a **specific version** of Apollo MCP Server (recommende
 
 ```bash
 # Note the `v` prefixing the version number
-curl -sSL https://mcp.apollo.dev/download/nix/v0.6.1 | sh
+curl -sSL https://mcp.apollo.dev/download/nix/v0.7.0 | sh
 ```
 
 If your machine doesn't have the `curl` command, you can get the latest version from the [`curl` downloads page](https://curl.se/download.html).
@@ -82,7 +82,7 @@ To install or upgrade to a **specific version** of Apollo MCP Server (recommende
 
 ```bash
 # Note the `v` prefixing the version number
-iwr 'https://mcp.apollo.dev/download/win/v0.6.1' | iex
+iwr 'https://mcp.apollo.dev/download/win/v0.7.0' | iex
 ```
 
 ## Usage
@@ -124,7 +124,7 @@ operations:
     - relative/path/to/your/operations/listing.graphql
 ```
 
-### Config options
+## Configuration options
 
 All fields are optional.
 
@@ -142,7 +142,7 @@ All fields are optional.
 | `schema`         | `SchemaSource`        |                          | Schema configuration                                          |
 | `transport`      | `Transport`           |                          | The type of server transport to use                           |
 
-#### GraphOS configuration
+### GraphOS
 
 These fields are under the top-level `graphos` key and define your GraphOS graph credentials and endpoints.
 
@@ -153,7 +153,7 @@ These fields are under the top-level `graphos` key and define your GraphOS graph
 | `apollo_registry_url`     | `URL`    |         | The URL to use for Apollo's registry                                                                            |
 | `apollo_uplink_endpoints` | `URL`    |         | List of uplink URL overrides. You can also provide this with the `APOLLO_UPLINK_ENDPOINTS` environment variable |
 
-#### Health check configuration
+### Health checks
 
 These fields are under the top-level `health_check` key.
 
@@ -173,7 +173,7 @@ Health checks are only available when using the `streamable_http` transport. The
 
 </Note>
 
-#### Introspection configuration
+### Introspection
 
 These fields are under the top-level `introspection` key. Learn more about the MCP [introspection tools](/apollo-mcp-server/guides#introspection-tools).
 
@@ -188,15 +188,15 @@ These fields are under the top-level `introspection` key. Learn more about the M
 | `validate`           | `object` |         | Validation tool configuration                                         |
 | `validate.enabled`   | `bool`   | `false` | Enable validation tool                                                |
 
-#### Logging configuration
+### Logging
 
 These fields are under the top-level `logging` key.
 
 | Option  | Type                                                | Default  | Description                     |
 | :------ | :-------------------------------------------------- | :------- | :------------------------------ |
 | `level` | `oneOf ["trace", "debug", "info", "warn", "error"]` | `"info"` | The minimum log level to record |
 
-#### Operation source configuration
+### Operation source
 
 These fields are under the top-level `operations` key. The available fields depend on the value of the nested `source` key.
 The default value for `source` is `"infer"`.
@@ -213,7 +213,7 @@ The default value for `source` is `"infer"`.
 | Uplink             | `source` | `"uplink"`       |         | Load operations from an uplink manifest. Note: This source requires an Apollo key and graph reference                                             |
 | Infer              | `source` | `"infer"`        | \*      | Infer where to load operations based on other configuration options.                                                                              |
 
-#### Overrides configuration
+### Overrides
 
 These fields are under the top-level `overrides` key.
 
@@ -224,7 +224,7 @@ These fields are under the top-level `overrides` key.
 | `enable_explorer`            | `bool`                              | `false`  | Expose a tool that returns the URL to open a GraphQL operation in Apollo Explorer. Note: This requires a GraphOS graph reference |
 | `mutation_mode`              | `oneOf ["none", "explicit", "all"]` | `"none"` | Defines the mutation access level for the MCP server                                                                             |
 
-#### Schema source configuration
+### Schema source
 
 These fields are under the top-level `schema` key. The available fields depend on the value of the nested `source` key.
 The default value for `source` is `"uplink"`.
@@ -235,7 +235,7 @@ The default value for `source` is `"uplink"`.
 | Local  | `path`   | `FilePath` |         | Path to the GraphQL schema                                                          |
 | Uplink | `source` | `"uplink"` | \*      | Fetch the schema from uplink. Note: This requires an Apollo key and graph reference |
 
-#### Transport configuration
+### Transport
 
 These fields are under the top-level `transport` key. The available fields depend on the value of the nested `type` key.
 The default value for `type` is `"stdio"`.
@@ -250,8 +250,55 @@ The default value for `type` is `"stdio"`.
 | StreamableHTTP | `address` | `IpAddr`            | `127.0.0.1` | The IP address to bind to                                                                                                     |
 | StreamableHTTP | `port`    | `u16`               | `5000`      | The port to bind to                                                                                                           |
 
-### Mapping rover dev options
 
-You can use the [`rover dev`](/rover/commands/dev) command of Rover CLI v0.32 or later to run an Apollo MCP Server instance for local development.
+### Auth
 
-Running `rover dev --mcp` starts an MCP Server. An optional configuration file path can be provided to configure the MCP server via `rover dev --mcp <PATH/TO/CONFIG>`.
+These fields are under the top-level `transport` key, nested under the `auth` key.
+
+| Option                   | Type           | Default | Description                                                                                        |
+| :----------------------- | :------------- | :------ | :------------------------------------------------------------------------------------------------- |
+| `servers`                | `List<URL>`    |         | List of upstream delegated OAuth servers (must support OIDC metadata discovery endpoint)           |
+| `audiences`              | `List<string>` |         | List of accepted audiences from upstream signed JWTs                                               |
+| `resource`               | `string`       |         | The externally available URL pointing to this MCP server. Can be `localhost` when testing locally. |
+| `resource_documentation` | `string`       |         | Optional link to more documentation relating to this MCP server                                    |
+| `scopes`                 | `List<string>` |         | List of queryable OAuth scopes from the upstream OAuth servers                                     |
+
+Below is an example configuration using `StreamableHTTP` transport with authentication:
+
+```yaml title="mcp.yaml"
+transport:
+  type: streamable_http
+  auth:
+    # List of upstream delegated OAuth servers
+    # Note: These need to support the OIDC metadata discovery endpoint
+    servers:
+    - https://auth.example.com
+
+    # List of accepted audiences from upstream signed JWTs
+    # See: https://www.ory.sh/docs/hydra/guides/audiences
+    audiences:
+    - mcp.example.audience
+
+    # The externally available URL pointing to this MCP server. Can be `localhost`
+    # when testing locally.
+    # Note: Subpaths must be preserved here as well. So append `/mcp` if using
+    # Streamable HTTP or `/sse` is using SSE.
+    resource: https://hosted.mcp.server/mcp
+
+    # Optional link to more documentation relating to this MCP server.
+    resource_documentation: https://info.mcp.server
+
+    # List of queryable OAuth scopes from the upstream OAuth servers
+    scopes:
+    - read
+    - mcp
+    - profile
+```
+
+## Run a local graph with MCP server using `rover dev`
+
+You can use the [`rover dev`](/rover/commands/dev) command of Rover CLI `v0.35` or later to run an Apollo MCP Server instance for local development alongside your local graph. Use the `--mcp` flag to start an MCP server and provide an optional configuration file.
+
+```sh
+rover dev --mcp <PATH/TO/CONFIG>
+```

Cargo.toml

@@ -186,6 +186,62 @@ introspection:
 apollo-mcp-server <path to the preceding config>
 ```
 
+## Set up authorization
+
+The Apollo MCP server supports authorizing clients (e.g. LLMs) in accordance with [the MCP specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization).
+
+Depending on whether you are connecting internal agents (first-party) or external agents (third-party, such as Claude, ChatGPT, or other public AI assistants), the steps to configure authorization will differ.
+
+For internal (first-party) agents, you need:
+
+- An [OAuth 2.1-compliant](https://oauth.net/2.1/) Identity Provider (for example, your own in-house IdP or a third-party IdP such as Auth0, Okta, Keycloak, etc)
+- An Apollo Router [configured to use JWT authentication](/graphos/routing/security/jwt)
+
+For external (third-party) agents, in addition to the preceding items, you also need:
+
+- A configuration file for the MCP server that [defines the `auth` settings](/apollo-mcp-server/command-reference#auth)
+
+### Example: Configure authentication with Auth0 and third-party agents
+
+Here is an example of how to set up Apollo MCP Server and Apollo Router, with Auth0 as the Identity Provider for external/third-party access.
+
+1. [Set up an Auth0 API](https://auth0.com/docs/get-started/auth0-overview/set-up-apis). You need your Auth0 domain for the next step.
+2. Configure the Apollo Router to [use JWT authentication](/graphos/routing/security/jwt):
+
+    This example router configuration enforces authentication on all requests and uses the JWKS endpoint provided by Auth0 to validate JWTs:
+
+    ```yaml title="Router configuration for JWT authentication"
+    authorization:
+      require_authentication: true # Enforces authentication on all requests
+    authentication:
+      router:
+        jwt:
+          jwks:
+            - url: https://<AUTH0 DOMAIN>/.well-known/jwks.json
+    ```
+
+3. Configure the MCP server to use the same Auth0 instance for authentication.
+
+    This example MCP server configuration enforces authentication on all requests, delegating the actual login process to your previously-configured Auth0 instance:
+
+    ```yaml title="Example MCP config for authentication"
+    transport:
+      type: streamable_http
+      address: "0.0.0.0"
+
+      auth:
+        servers:
+          - https://<AUTH0 DOMAIN>
+        audiences:
+          - <AUTH0 DEFAULT AUDIENCE>
+        resource: http://localhost:5000
+        scopes:
+          - read:users
+    ```
+
+    Refer to the [Authentication configuration section in the command reference](/apollo-mcp-server/command-reference#auth) for more details on the available `auth` options.
+
+
 ## Deploying the MCP server
 
 There are two ways to deploy and operate the MCP server.

crates/apollo-mcp-server/src/server/states/running.rs

@@ -14,7 +14,7 @@ BINARY_DOWNLOAD_PREFIX="${APOLLO_MCP_SERVER_BINARY_DOWNLOAD_PREFIX:="https://git
 
 # Apollo MCP Server version defined in apollo-mcp-server's Cargo.toml
 # Note: Change this line manually during the release steps.
-PACKAGE_VERSION="v0.6.1"
+PACKAGE_VERSION="v0.7.0"
 
 download_binary_and_run_installer() {
     downloader --check