v0.1.8 — Bearer-compatible endpoint fix

v0.1.8 — Bearer-compatible endpoint fix

Fixes a default-endpoint regression introduced in v0.1.7 that made all unauthenticated stdio calls return 401 Unauthorized - missing api-token for external MCP clients (Claude Desktop, Cursor, Windsurf, Raycast, anything not running inside a browser).

Root cause

Default HASHLOCK_ENDPOINT in v0.1.7 pointed at https://hashlock.markets/api/graphql — the browser-only Next.js SSR proxy that authenticates via the httpOnly api-token cookie set by /sign/login. External MCP clients do not maintain a cookie jar, so every Bearer-authenticated call was rejected.

Fix

Default HASHLOCK_ENDPOINT now points at https://hashlock.markets/graphql — the Apollo gateway directly, which accepts Authorization: Bearer <jwt> exactly as advertised in the README, ai-plugin.json, MCP registry manifest, and llms.txt.

Also bumps @hashlock-tech/sdk peer dep to ^0.1.4, which fixes a parallel SDK issue where MAINNET_ENDPOINT was hardcoded to a (now-decommissioned) old droplet IP.

How to upgrade

npm install @hashlock-tech/mcp@0.1.8
# or just remove + reinstall if you used `npx -y @hashlock-tech/mcp`

If you set HASHLOCK_ENDPOINT explicitly in your mcpServers config you are unaffected.

A note on gitHead in the npm metadata

npm view @hashlock-tech/mcp@0.1.8 gitHead reports df6794e4. That is not the source-of-truth for what shipped — df6794e4 predates the fix. The published dist/index.js matches the source at this tag (42f8f2c); npm captures gitHead from the most recent commit at publish time, and the source commit landed minutes after npm publish ran. Treat this tag as authoritative.

Verification

A new smoke test backend/shared/scripts/smoke-mcp-stdio.ts (in the main monorepo) installs @hashlock-tech/mcp@0.1.8 into a sandbox, mints a real SIWE JWT, runs the stdio server, and asserts tools/list returns the 6 expected tools.

v0.1.7 — Canonical MCP server for Hashlock Markets

⚠️ DEPRECATED — DO NOT USE

v0.1.7 ships with a default HASHLOCK_ENDPOINT of https://hashlock.markets/api/graphql — the browser-only cookie proxy. External MCP clients (Claude Desktop, Cursor, Windsurf, Raycast) cannot authenticate against it because they do not maintain cookies, so every Bearer-authenticated call returns 401 Unauthorized - missing api-token.

Use v0.1.8 instead. The npm tarball for v0.1.7 has been deprecated (npm view @hashlock-tech/mcp@0.1.7 deprecated).

---

v0.1.7 — Canonical MCP server for Hashlock Markets First fully-documented release of @hashlock-tech/mcp — the canonical MCP server for Hashlock Markets. Sealed-bid intent trading + HTLC atomic settlement for AI agents, across Ethereum, Bitcoin, and SUI. ### What's included - 6 tools: create_rfq, respond_rfq, create_htlc, withdraw_htlc, refund_htlc, get_htlc - Two transports: - Remote streamable-http at https://hashlock.markets/mcp (preferred) - Local stdio via npx -y @hashlock-tech/mcp - Auth: 7-day JWT issued via SIWE (Sign-In With Ethereum) at https://hashlock.markets/sign/login - Cross-chain: Ethereum (EVM), Bitcoin (wrapped HTLC), SUI (Move HTLC) ### Install Option A — Remote streamable-http (preferred): ​json { "mcpServers": { "hashlock": { "url": "https://hashlock.markets/mcp", "transport": "streamable-http", "headers": { "Authorization": "Bearer <token from hashlock.markets/sign/login>" } } } } ​ Option B — Local stdio via npx: ​json { "mcpServers": { "hashlock": { "command": "npx", "args": ["-y", "@hashlock-tech/mcp"], "env": { "HASHLOCK_ACCESS_TOKEN": "<token from hashlock.markets/sign/login>" } } } } ​ ### Links - npm: https://www.npmjs.com/package/@hashlock-tech/mcp - MCP Registry: https://registry.modelcontextprotocol.io (search: hashlock) - Integration guide (111 KB): https://hashlock.markets/llms-full.txt - Website: https://hashlock.markets ### Disambiguation Hashlock Markets (Delaware C-Corp) is not affiliated with Hashlock Pty Ltd (Australian smart contract audit firm, hashlock.com). The name coincidence is not a relationship — distinct products, entities, jurisdictions, and founders. ### Deprecated - hashlock-mcp-server (unscoped npm, legacy) — deprecated 2026-04-19, superseded by @hashlock-tech/mcp. - langchain-hashlock (PyPI) — superseded for MCP-based integrations.