v0.3.0

The release where the MCP server became a real product. v0.2.0 was a thin OpenAPI→MCP wrapper with Basic Auth and one-shot calls. v0.3.0 lets an AI agent authenticate, provision from zero, place a call or send a message, and respond to live call/message webhooks in real time — plus the host, profile, and packaging work to run it reliably.

✨ Highlights

OAuth2 client credentials (replaces Basic Auth)

• BW_CLIENT_ID / BW_CLIENT_SECRET exchanged for a bearer token; account ID auto-discovered from the JWT — no more BW_ACCOUNT_ID required.
• New setCredentials / clearCredentials tools for mid-session auth (the zero-to-one onboarding path).

Live voice & messaging

• Callback HTTP routes for inbound messages and voice answer/gather/disconnect, served on the same transport as the MCP tools.
• In-memory EventStore bridges webhooks → agent via getCallbackEvents / getInboundMessages.
• generateBXML + respondToCallback — pre-queue BXML before answer and drive a two-way call.
• configureCallbacks wires a Bandwidth app's webhook URLs at the server automatically.

Account discovery

• listApplications, listPhoneNumbers, createApplication — hand-written tools over the Dashboard XML API (which from_openapi can't generate).

Build Registration (formerly Express)

• Single createRegistration tool kicks off a Bandwidth Build trial account; SMS/email verification finishes in the user's browser.

Hosted mode & host resolution

• streamable-http / sse transports, BW_MCP_BASE_URL, loopback-default bind; setCredentials withheld over HTTP for safety.
• BW_ENVIRONMENT=test|uat plus per-host overrides (BW_API_URL, BW_VOICE_URL, BW_MESSAGING_URL), centralized so OpenAPI-derived tools honor them too.
• Opt-in cloudflared dev tunnel (BW_MCP_DEV_TUNNEL) for local callback testing.

Context-window sanity

• Tool profiles (voice / messaging / lookup / onboarding / recordings / full) — curated default instead of dumping 400+ tools.
• Dynamic, tool-aware instructions sent at MCP init.

⚠️ Breaking changes

• Auth model changed from Basic Auth → OAuth2. BW_USERNAME / BW_PASSWORD are gone; set BW_CLIENT_ID / BW_CLIENT_SECRET instead.
• BW_ACCOUNT_ID is now optional — auto-discovered from JWT claims.
• MFA tools removed (generateMessagingCode, generateVoiceCode, verifyCode). The MFA API doesn't support OAuth2 yet; the tools are parked on feat/mfa-tools until it does.
• fastmcp upgraded 2.13 → 3.x (patches 3 Snyk vulns). Requires mcp >= 1.24.

🔒 Security

• Upgraded fastmcp to 3.x, resolving SNYK-PYTHON-FASTMCP-15871014 / 15871029 / 15871030 (SSRF + command injection).
• Secrets redacted from resource://config; dead Basic Auth helper removed.

Validated

Core surface — auth, discovery, lookup, messaging + media, voice read/state, callback wiring — validated end-to-end against stage and prod. Role-gated tools (number listing, lookup) confirmed working on properly-entitled accounts.

Install: uvx --from git+https://github.com/Bandwidth/mcp-server@v0.3.0 start

v0.2.0

What's Changed

• SWI-8923 Switch to TN Lookup V2 by @ckoegel in #4

Full Changelog: v0.1.0...v0.2.0

v0.1.0

What's Changed

• SWI-8019 Create Bandwidth MCP Server by @ckoegel in #1

New Contributors

• @ckoegel made their first contribution in #1

Full Changelog: https://github.com/Bandwidth/mcp-server/commits/v0.1.0