Skip to content

AnythingMCP

v0.1.11 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ai-agents anthropic api-gateway api-to-mcp chatgpt claude
+14 more
database gemini graphql llm-tools mcp mcp-gateway mcp-middleware mcp-proxy mcp-server model-context-protocol openapi rest self-hosted soap

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

AnythingMCP now supports full multi‑tenant organization-based data isolation.

Full changelog

What's New

Multi-Tenant Organization System

AnythingMCP now supports full multi-tenancy with organization-based data isolation. This is a major architectural upgrade that enables secure multi-user SaaS deployments.

Organizations

  • Each user registration creates a new Organization (workspace)
  • Invited users join the inviter's Organization automatically
  • Users can belong to multiple organizations with different roles per org
  • Slack/GitHub-style org switcher in the navbar dropdown
  • Settings > Organization page to manage workspace name and create new orgs

Data Isolation

  • All resources (connectors, MCP servers, tools, audit logs) are scoped per organization
  • Cross-organization access is blocked at the API level (403/404)
  • MCP endpoint validates that the authenticated user belongs to the MCP server's organization
  • Export and health-check endpoints return only the current org's data

Per-Organization Configuration

  • Licensing: Each organization has its own license key, activated and verified independently
  • SMTP: Per-org email configuration with fallback to global settings
  • Roles: Custom MCP roles scoped per organization
  • Users: Admin user management shows only org members

Multi-Org Membership

  • Users can be invited to additional organizations (multi-org support)
  • Per-org roles: a user can be ADMIN in their org but EDITOR in another
  • POST /api/organizations/switch endpoint issues a new JWT on org change
  • GET /api/organizations/mine returns all orgs the user belongs to

Database Migrations

  • New models: Organization, OrganizationMember, OrgSettings
  • organizationId added to: User, Connector, McpServerConfig, Role, McpApiKey, InvitationToken, License
  • Data migration automatically groups existing users by invitation chains
  • Backward compatible with self-hosted single-org deployments

Website (License API)

  • License MongoDB schema updated with organizationId field
  • Verify, activate, trial, and register API routes accept optional organizationId
  • Stripe webhook stores organizationId from checkout metadata

Technical Details

  • 46 files changed, 1421 insertions, 238 deletions
  • 2 database migrations with automatic data backfill
  • 24/24 API tests passing (isolation, multi-org, switch, license, audit)
  • Frontend and backend fully tested

Breaking Changes

  • All resources (connectors, MCP servers, tools, audit logs) are now scoped per organization; cross‑organization access returns 403/404.
  • Database schema changes: added `Organization`, `OrganizationMember`, `OrgSettings` models and `organizationId` field to User, Connector, McpServerConfig, Role, McpApiKey, InvitationToken, License.
  • API endpoints now require the authenticated user's organization to match the target resource; existing single‑org deployments must migrate data via provided backfill migrations.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track AnythingMCP

Get notified when new releases ship.

Sign up free

About AnythingMCP

All releases →

Related context

Beta — feedback welcome: [email protected]