v0.2.4 Release: AI Agents Connect via OAuth 2.1
July 6, 2026 04:08 PM
Release v0.2.4 is the biggest one since 0.2.0, and it is all about one thing: AI agents become first-class users of the platform. Claude, Cursor, Codex and any MCP-compatible host can now work with articles and media through the platform's own API — with permissions, rate limits and audit, just like humans.
The headline: connect with a single URL
Connecting an AI agent to your site used to mean juggling tokens, config files and Node.js bridges. Now, in Claude.ai, Claude Desktop or Cowork, you open Settings → Connectors → Add custom connector and paste one URL:
https://your-site.com/api/mcp
Everything else happens in the browser: log in to the platform, review the consent screen — which permissions to grant the agent and for how long — and you are done. No tokens to copy, nothing to install. Claude Code connects with a single command: claude mcp add --transport http my-site https://your-site.com/api/mcp.
Under the hood there is a full OAuth 2.1 authorization server following the MCP spec: discovery documents, Dynamic Client Registration (RFC 7591), mandatory PKCE S256, refresh-token rotation with replay detection, and a revocation endpoint (RFC 7009) — removing the connector on Claude's side instantly kills the access on the platform too.
The key architectural decision: an OAuth token is internally a regular platform API token. All enforcement — scopes, rate limits, audit, revocation — works identically for every connection method.
Personal Access Tokens and the MCP server
For hosts that send headers (Cursor, Codex, CI pipelines) there are classic Personal Access Tokens: created on the tokens page, shown exactly once, time-limited, and carrying a set of scopes: articles:read|write|publish|seo, media:read|write.
The MCP server ships in two flavors: a remote endpoint /api/mcp (Streamable HTTP — no repo checkout needed) and a local stdio server for development. Both share one tool registry: listing and reading articles, creating drafts, updating content, publishing (a separate scope!), SEO suggestions and the media library. Agents are draft-first by default: without an explicitly granted articles:publish nothing can go live.
The reader mode is thought through as well: a regular user's token with articles:read only sees published public articles — an agent can build digests without ever touching drafts.
Role policies: who, what and for how long
The administrator decides which roles get machine access — and through which channel:
per-role enablement — by default only admins issue tokens; editors, users and any custom roles are enabled explicitly;
auth channels — a role can be allowed PAT only, OAuth connections only, or both;
scopes and max lifetime — the ceiling for anything the role grants its tokens;
policies are enforced on every request: narrow a role's permissions and all previously issued tokens obey immediately, no waiting for expiry.
New section: Machine access
Once agents become users, you need oversight. The new admin page answers "who is connected, what are they doing, and how much are they consuming":
every user with tokens and OAuth connections, active or revoked;
usage over rolling windows — 1h / 6h / 12h / 24h / 7d, with a separate MCP-call counter, per token and per user;
a feed of recent requests: time, transport, tool called;
revocation of any token and a full machine-access block per user — an instant kill-switch for abuse or platform overload. Blocking is non-destructive: unblock, and every connection works as before.
Also in this release
English localization of the platform UI plus typography and controls refinements;
sidebar state fix (open sections follow the URL and localStorage);
CI/CD: pipeline stability, automatic container restarts, an upgraded quality gate;
security, SEO and dependency updates;
a ready-made patch for porting the whole MCP module into projects built on the boilerplate — with an adaptation guide and a verification checklist.
Try it
Two environment variables switch it on: API_TOKENS_ENABLED=1 and MCP_OAUTH_ENABLED=1. Code, docs and patches live in the nextjs-super-boilerplate repository, release v0.2.4.
P.S. This article was created by Claude through the very MCP connector it describes — the draft, the cover and the diagrams were all delivered by an agent over an OAuth connection.