This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Affected surfaces
Summary
AI summaryOAuth 2.0 endpoints added with PKCE mandatory, dynamic client registration, refresh‑token rotation, and RFC 9728 metadata while API key auth remains supported.
Full changelog
OAuth 2.0 Authorization Server
mcp.sheetsdata.com now exposes the MCP spec's OAuth 2.0 endpoints
(/.well-known/oauth-authorization-server, /authorize, /token,
/register, /revoke, /.well-known/oauth-protected-resource/mcp).
Modern MCP clients (Claude Desktop, Cursor, Windsurf, VS Code, Cline, etc.)
can discover OAuth automatically and run a click-to-authorize flow against
the SheetsData web dashboard at sheetsdata.com/oauth/authorize. This
replaces the manual "copy API key, paste into JSON config" step on first
connect.
What's included
- PKCE (S256) is mandatory
- Dynamic client registration (RFC 7591)
- Refresh token rotation
- RFC 9728 protected resource metadata
- Per-organization billing + rate limits resolve identically for OAuth and API key flows
Backward compatible
API key (Bearer token) auth continues to work — pick whichever fits the
client. Use API keys for CI/CD, scripts, and headless agents.
Install snippets
See the README
for OAuth install snippets for Claude Desktop, Cursor, Windsurf, VS Code,
Cline, Amp, Zed, Continue, and Claude Code.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About octoco-ltd/sheetsdata-mcp
Instant access to electronic component datasheets for AI agents — specs, pinouts, package info, absolute max ratings extracted from manufacturer PDFs on demand.
Related context
Beta — feedback welcome: [email protected]