Skip to content

vinkius-labs/mcp-fusion

v3.14.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth

Summary

AI summary

OAuth 2.0 BYOA enables marketplace buyers to authenticate with external providers using platform‑managed token lifecycles.

Full changelog

Added

@vurb/core — OAuth 2.0 BYOA (Bring Your Own Account)

Marketplace buyers can now authenticate with OAuth 2.0 providers (Calendly, Salesforce, Slack, Zoom, etc.) using their own OAuth credentials — orchestrated entirely by the platform, with zero MCP server code changes.

  • 'oauth2' credential type — New value in the CredentialType union. When a credential field uses type: 'oauth2', the platform takes over the full token lifecycle: initiation, code exchange, encrypted storage, proactive refresh, and runtime injection.
  • OAuthConfig interface — Attached to a CredentialDef via oauth?: OAuthConfig. Declares the provider's OAuth endpoints, scopes, grant type, and field references:
    • provider — Display name
    • grant_type'authorization_code' (default) or 'client_credentials'
    • authorize_url — Provider's consent screen URL (auth code only)
    • token_url — Token exchange endpoint
    • scopes — Required OAuth scopes
    • client_id_field / client_secret_field — References to buyer's credential keys
    • user_info_url / user_info_email_path — Optional endpoint to show connected email
    • token_expires_in — Fallback TTL when provider doesn't return expires_in
    • supports_refresh — Whether provider returns refresh tokens
    • extra_params — Extra token request params (keys ending in _field resolved from buyer credentials)
  • oauth? on CredentialDef — Optional field, only valid when type is 'oauth2'

Full Changelog: https://github.com/vinkius-labs/vurb.ts/compare/v3.13.1...v3.14.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track vinkius-labs/mcp-fusion

Get notified when new releases ship.

Sign up free

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

All releases →

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.

Beta — feedback welcome: [email protected]