docs(mcp): document the MCP_TOKEN header breaking change + one-time warning (#84)

The shared MCP_TOKEN guard moved from 'Authorization: Bearer <MCP_TOKEN>' to the X-MCP-Token header (Authorization is now per-user Basic/Bearer), silently breaking existing /mcp clients. Document it as a Breaking Change in CHANGELOG (reconfigure to X-MCP-Token). Add a once-per-process migration warning: when MCP_TOKEN is set, no x-mcp-token is present, and Authorization carries the old 'Bearer <MCP_TOKEN>', log a hint to migrate — without changing the auth decision (still rejected) or logging the token value. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 03:40:40 +03:00
parent a11c87c4dc
commit d45ca00bcc
2 changed files with 44 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+### Breaking Changes
+
+- **MCP shared-token auth moved to its own header.** The `/mcp` shared guard
+  no longer reads `Authorization: Bearer <MCP_TOKEN>`; it now reads only the
+  `X-MCP-Token` header. Existing MCP clients (e.g. Claude Desktop) configured
+  with `Authorization: Bearer <MCP_TOKEN>` must be reconfigured to send
+  `X-MCP-Token: <MCP_TOKEN>` instead. The `Authorization` header is now
+  reserved for per-user HTTP Basic / Bearer access JWT credentials. See
+  `MCP_TOKEN` in `.env.example`. As a one-time aid, the server logs a single
+  migration warning when it sees the old-style header.
+
 ## [0.91.0] - 2026-06-18

 Gitmost is a community-focused fork of Docmost. This release drops the