v0.1.8 — Bearer-compatible endpoint fix
Fixes a default-endpoint regression introduced in v0.1.7 that made all unauthenticated stdio calls return 401 Unauthorized - missing api-token for external MCP clients (Claude Desktop, Cursor, Windsurf, Raycast, anything not running inside a browser).
Root cause
Default HASHLOCK_ENDPOINT in v0.1.7 pointed at https://hashlock.markets/api/graphql — the browser-only Next.js SSR proxy that authenticates via the httpOnly api-token cookie set by /sign/login. External MCP clients do not maintain a cookie jar, so every Bearer-authenticated call was rejected.
Fix
Default HASHLOCK_ENDPOINT now points at https://hashlock.markets/graphql — the Apollo gateway directly, which accepts Authorization: Bearer <jwt> exactly as advertised in the README, ai-plugin.json, MCP registry manifest, and llms.txt.
Also bumps @hashlock-tech/sdk peer dep to ^0.1.4, which fixes a parallel SDK issue where MAINNET_ENDPOINT was hardcoded to a (now-decommissioned) old droplet IP.
How to upgrade
npm install @hashlock-tech/mcp@0.1.8
# or just remove + reinstall if you used `npx -y @hashlock-tech/mcp`If you set HASHLOCK_ENDPOINT explicitly in your mcpServers config you are unaffected.
A note on gitHead in the npm metadata
npm view @hashlock-tech/mcp@0.1.8 gitHead reports df6794e4. That is not the source-of-truth for what shipped — df6794e4 predates the fix. The published dist/index.js matches the source at this tag (42f8f2c); npm captures gitHead from the most recent commit at publish time, and the source commit landed minutes after npm publish ran. Treat this tag as authoritative.
Verification
A new smoke test backend/shared/scripts/smoke-mcp-stdio.ts (in the main monorepo) installs @hashlock-tech/mcp@0.1.8 into a sandbox, mints a real SIWE JWT, runs the stdio server, and asserts tools/list returns the 6 expected tools.