Every release, agent-callable.
Yanib ships a spec-compliant Model Context Protocol server. Point Claude Desktop, Cursor, ChatGPT desktop, or your own pipeline at it and agents can query, draft, translate, and publish releases — using the exact code path the dashboard uses.
Quick start
Two minutes to get an agent talking to your Yanib account.
- 1
Add Yanib to your MCP client.
Drop the config below into
claude_desktop_config.json(macOS:~/Library/Application Support/Claude/claude_desktop_config.json).{ "mcpServers": { "yanib": { "url": "https://yanib.dev/api/mcp", "auth": "oauth" } } } - 2
Restart the client and sign in.
On first connection, the client redirects you to Yanib's consent screen. Pick the scopes you want to grant (see the catalog below) and approve. Yanib mints an access token and hands it back to the client — you never copy-paste anything.
- 3
Ask the agent about your releases.
Try things like “using yanib, what did we ship last week?” or “draft release v2.4.0 from the unpublished PRs”.
Endpoint
https://yanib.dev/api/mcp- Transport
- Streamable HTTP (2026-07-28 MCP spec), stateless — each request stands alone.
- Auth
- OAuth 2.1 Bearer token. Discovery per RFC 9728.
- Content-Type
- application/json
- Accept
- application/json, text/event-stream
.well-known/oauth-protected-resourceRFC 9728 metadata advertising Yanib as the protected resource.
.well-known/oauth-authorization-serverRFC 8414 metadata — auth endpoint, token endpoint, registration endpoint.
Tool catalog
Seven tools, one intent each. Names prefixed yanib_ so they don't collide when your agent has multiple MCP servers loaded.
yanib_list_recent_releasesreadreleases:readReturn the caller's most recent published releases with their changelog entries.
args: repo?, since?, limit?
yanib_search_releasesreadreleases:readKeyword search over release titles, summaries, and entries. Answers 'when did we ship X'.
args: query, repo?, limit?
yanib_get_repo_activityreadreleases:readMerged PRs on a repo not yet rolled into a published release. The raw material for the next release.
args: repo, limit?
yanib_draft_releasewritereleases:draftAI-draft a new release from unconsumed PRs. Creates a DRAFT — does NOT publish.
args: repo, tagName
yanib_translate_releasewritetranslations:generateTranslate a release into any of 13 languages. Cached in the DB — repeat calls hit the cache.
args: releaseId, lang
yanib_generate_social_postwritesocial:generateDraft Twitter and/or LinkedIn copy for a release. Text only — never posts anywhere.
args: releaseId, platform?
yanib_publish_releasedestructivereleases:publishPublish a DRAFT — emails subscribers, fires integrations, updates the platform release. Requires explicit user confirmation.
args: releaseId, confirmation: true
Human-in-the-loop. yanib_publish_release carries the MCP destructiveHint annotation and requires an explicit confirmation: true argument. A well-behaved client surfaces a confirmation UI to you before calling it; the server rejects the call otherwise.
How auth works
OAuth 2.1 with PKCE and dynamic client registration — no client secrets, no copy-pasting keys.
- 1
Client hits /api/mcp with no token.
Server responds 401 with WWW-Authenticate: Bearer resource_metadata=...
- 2
Client fetches /.well-known/oauth-protected-resource.
Sees authorization_servers: ["https://yanib.dev"] and Yanib's supported scopes.
- 3
Client fetches /.well-known/oauth-authorization-server.
Gets authorization_endpoint, token_endpoint, registration_endpoint. PKCE S256 is mandatory.
- 4
Client POSTs to /oauth/register with its metadata.
Public client by default — no client_secret, PKCE-only. Yanib returns a client_id.
- 5
Client redirects you to /oauth/authorize.
You sign in to Yanib (or re-use your session), see the consent screen with requested scopes, approve.
- 6
Yanib redirects to your client's redirect_uri with a code.
The code is single-use, short-lived, PKCE-bound.
- 7
Client POSTs to /oauth/token with grant_type=authorization_code + code_verifier.
Yanib returns an access_token (1 hour) + refresh_token (30 days). Refresh rotates on every use.
- 8
Client uses Authorization: Bearer <access_token> for MCP calls.
Access tokens are scoped — tools without the right scope return an error result.
Scopes
Grant the narrowest scope the agent actually needs. You can revoke access anytime from your Yanib settings.
releases:readRead releases, entries, search history, and unpublished repo activity.releases:draftCreate AI-drafted releases from unconsumed PRs.releases:publishPublish a DRAFT release. Sends real emails and fires integrations — destructive.translations:generateTranslate release entries into supported languages.social:generateDraft Twitter / LinkedIn copy from a release.
Testing without a client
The endpoint speaks JSON-RPC 2.0 over HTTP POST. You can drive it end-to-end with curl if you're debugging your own integration.
curl -s -X POST https://yanib.dev/oauth/register \
-H "Content-Type: application/json" \
-d '{
"client_name": "My agent",
"redirect_uris": ["https://myagent.example/callback"],
"scope": "releases:read"
}'curl -s -X POST https://yanib.dev/api/mcp \
-H "Authorization: Bearer $YANIB_MCP_TOKEN" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'curl -s -X POST https://yanib.dev/api/mcp \
-H "Authorization: Bearer $YANIB_MCP_TOKEN" \
-H "Content-Type: application/json" \
-H "Accept: application/json, text/event-stream" \
-d '{
"jsonrpc":"2.0",
"id":2,
"method":"tools/call",
"params":{
"name":"yanib_list_recent_releases",
"arguments":{"limit":5}
}
}'Design & security
A few opinions baked into the server that we think matter for anyone building on top.
One tool = one user intent.
No god-tools that take a free-form params blob. Every tool has a precise Zod schema. Agents pick correctly more often as a result.
PKCE S256 is mandatory.
The MCP 2026-07-28 spec forbids non-PKCE flows and token pass-through. Public clients (installed apps) never see a client_secret.
Compact JSON responses.
Every tool call inflates the agent's context window. We paginate, trim PR bodies to 500 chars, and return the smallest useful shape.
Stateless.
No session state on our side. Same request/response semantics from any client, any region, any load-balanced node.
Ready to connect an agent?
Sign in to Yanib, connect a repo, then point Claude Desktop, Cursor, or your own pipeline at https://yanib.dev/api/mcp.