
UPinar/contrastapi

v1.33.4 Feature

This release adds 1 notable feature for engineering teams evaluating rollout.

Published 18d MCP Security & Auth
✓ No known CVEs patched


Topics

ai-agents ai-security api claude cve security
domain-recon email-security email-validation llm-tools mcp mitre-atlas mitre-d3fend model-context-protocol osint sigma-rules threat-intelligence vulnerability-management web-intel

Affected surfaces

auth

Summary

AI summary

API keys can now be sent via the X-API-Key header in addition to Authorization: Bearer.

Changes in this release

Security Medium

Malformed `cc_`-prefixed `X-API-Key` now returns `401` instead of degrading to Free tier


Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

API keys accepted via `X-API-Key: cc_<key>` header in addition to `Authorization: Bearer`


Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

`.well-known` registration URL corrected to `https://api.contrastcyber.com/pricing`


Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

`Authorization: Bearer` takes precedence when both headers are present; `X-API-Key` parsing is whitespace-tolerant (parity with Bearer)


Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

Hotfix on top of v1.33.3.

Added

  • API keys are now accepted via the X-API-Key: cc_<key> request header, in addition to the existing Authorization: Bearer cc_<key>. This unblocks Pro authentication for clients that send the key as X-API-Key (e.g. the Smithery MCP marketplace connection config and the official Python SDK), which previously fell back to the keyless Free tier.
  • Authorization: Bearer takes precedence when both headers are present; whitespace-tolerant (parity with Bearer); a malformed cc_-prefixed X-API-Key returns 401 instead of silently degrading to Free. Keyless requests remain Free tier (unchanged).
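The header-resolution rules listed above, written out as an added example; this is not the project's code. The key pattern, the key store, the `resolve_tier` name, and the handling of a bad Bearer token or a non-`cc_` `X-API-Key` are assumptions, since the changelog does not specify them.

```python
import re

# Assumption: the page gives no key grammar beyond the cc_ prefix; stand-in pattern.
KEY_RE = re.compile(r"cc_[A-Za-z0-9]{16,}")
# Constructed key store for the example.
VALID_KEYS = {"cc_" + "a" * 32: "pro"}


class AuthError(Exception):
    """Caller maps this to an HTTP 401 response."""


def _lookup(key):
    # Malformed or unknown keys are rejected, never downgraded to Free.
    if not KEY_RE.fullmatch(key) or key not in VALID_KEYS:
        raise AuthError("invalid API key")
    return VALID_KEYS[key]


def resolve_tier(headers):
    """Return 'pro' or 'free' for a request, or raise AuthError (401)."""
    # Header names are case-insensitive; tolerate surrounding whitespace in values.
    h = {name.lower(): value.strip() for name, value in headers.items()}

    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        # Bearer takes precedence: X-API-Key is not consulted when it is present.
        # Assumption: a bad Bearer token is a 401 even if X-API-Key is valid.
        return _lookup(token.strip())

    x_key = h.get("x-api-key", "")
    if x_key.startswith("cc_"):
        # The client clearly tried to authenticate, so fail closed.
        return _lookup(x_key)

    # No key presented (assumption: a non-cc_ X-API-Key counts as keyless).
    return "free"
```

The fail-closed branch is the security-relevant part: a client that mistypes its key gets an explicit 401 rather than quietly running with Free-tier limits.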

Fixed

  • .well-known registration URL corrected to https://api.contrastcyber.com/pricing (previous host returned 404).

Notes

  • Wire-compatible / additive — existing Authorization: Bearer clients unaffected.
  • Tests: 2434 passing (+10 auth tests). MCP tools / Resources / Prompts unchanged (53 / 7 / 3). No schema or tool-contract change.

Follows v1.33.3.


About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.


Related context

Earlier breaking changes

  • v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
