beeper · stainless-app · May 7, 2026 · May 8, 2026 · May 8, 2026
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "5.0.0"
+  ".": "5.0.1"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## 5.0.1 (2026-05-08)
+
+Full Changelog: [v5.0.0...v5.0.1](https://github.com/beeper/desktop-api-js/compare/v5.0.0...v5.0.1)
+
+### Bug Fixes
+
+* **mcp:** require auth for standalone HTTP server ([eb86fa5](https://github.com/beeper/desktop-api-js/commit/eb86fa551df33109e963e2faf304b0380ac504f2))
+
+
+### Chores
+
+* redact api-key headers in debug logs ([f34de70](https://github.com/beeper/desktop-api-js/commit/f34de708e01ce81a9cb6a9dcd180c44e76b4f2fd))
+
 ## 5.0.0 (2026-05-07)
 
 Full Changelog: [v4.8.0...v5.0.0](https://github.com/beeper/desktop-api-js/compare/v4.8.0...v5.0.0)

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@beeper/desktop-api",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "The official TypeScript library for the Beeper Desktop API",
   "author": "Beeper Desktop <help@beeper.com>",
   "types": "dist/index.d.ts",

diff --git a/packages/mcp-server/manifest.json b/packages/mcp-server/manifest.json
@@ -1,7 +1,7 @@
 {
   "dxt_version": "0.2",
   "name": "@beeper/desktop-mcp",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "The official MCP Server for the Beeper Desktop API",
   "author": {
     "name": "Beeper Desktop",

diff --git a/packages/mcp-server/package.json b/packages/mcp-server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@beeper/desktop-mcp",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "The official MCP Server for the Beeper Desktop API",
   "author": "Beeper Desktop <help@beeper.com>",
   "types": "dist/index.d.ts",

diff --git a/packages/mcp-server/src/auth.ts b/packages/mcp-server/src/auth.ts
@@ -7,7 +7,6 @@ import { McpOptions } from './options';
 export const parseClientAuthHeaders = (req: IncomingMessage, required?: boolean): Partial<ClientOptions> => {
   if (req.headers.authorization) {
     const scheme = req.headers.authorization.split(' ')[0]!;
-    const value = req.headers.authorization.slice(scheme.length + 1);
     switch (scheme) {
       case 'Bearer':
         return { accessToken: req.headers.authorization.slice('Bearer '.length) };
@@ -16,14 +15,15 @@ export const parseClientAuthHeaders = (req: IncomingMessage, required?: boolean)
           'Unsupported authorization scheme. Expected the "Authorization" header to be a supported scheme (Bearer).',
         );
     }
-  } else if (required) {
-    throw new Error('Missing required Authorization header; see WWW-Authenticate header for details.');
   }
 
   const accessToken =
     Array.isArray(req.headers['x-beeper-access-token']) ?
       req.headers['x-beeper-access-token'][0]
     : req.headers['x-beeper-access-token'];
+  if (!accessToken && required) {
+    throw new Error('Missing required Authorization header; see WWW-Authenticate header for details.');
+  }
   return { accessToken };
 };
 

diff --git a/packages/mcp-server/src/http.ts b/packages/mcp-server/src/http.ts
@@ -38,7 +38,7 @@ const newServer = async ({
   // endpoint so clients know how to authenticate (RFC 9728).
   let authOptions: Partial<ClientOptions>;
   try {
-    authOptions = parseClientAuthHeaders(req, false);
+    authOptions = parseClientAuthHeaders(req, true);
   } catch (error) {
     const resourceIdentifier = oauthResourceIdentifier(req);
     res.set(

diff --git a/packages/mcp-server/src/server.ts b/packages/mcp-server/src/server.ts
@@ -28,7 +28,7 @@ export const newMcpServer = async ({
   new McpServer(
     {
       name: 'beeper_desktop_api_api',
-      version: '5.0.0',
+      version: '5.0.1',
     },
     {
       instructions: await getInstructions({ stainlessApiKey, customInstructionsPath }),

diff --git a/packages/mcp-server/tests/auth.test.ts b/packages/mcp-server/tests/auth.test.ts
@@ -0,0 +1,24 @@
+import { IncomingMessage } from 'node:http';
+import { parseClientAuthHeaders } from '../src/auth';
+
+const reqWithHeaders = (headers: IncomingMessage['headers']) => ({ headers }) as IncomingMessage;
+
+describe('parseClientAuthHeaders', () => {
+  it('returns bearer access token from Authorization header', () => {
+    expect(parseClientAuthHeaders(reqWithHeaders({ authorization: 'Bearer token' }), true)).toEqual({
+      accessToken: 'token',
+    });
+  });
+
+  it('returns x-beeper-access-token when auth is required', () => {
+    expect(parseClientAuthHeaders(reqWithHeaders({ 'x-beeper-access-token': 'token' }), true)).toEqual({
+      accessToken: 'token',
+    });
+  });
+
+  it('throws when auth is required and no token is present', () => {
+    expect(() => parseClientAuthHeaders(reqWithHeaders({}), true)).toThrow(
+      'Missing required Authorization header',
+    );
+  });
+});
diff --git a/src/internal/utils/log.ts b/src/internal/utils/log.ts
@@ -107,6 +107,8 @@ export const formatRequestDetails = (details: {
           name,
           (
             name.toLowerCase() === 'authorization' ||
+            name.toLowerCase() === 'api-key' ||
+            name.toLowerCase() === 'x-api-key' ||
             name.toLowerCase() === 'cookie' ||
             name.toLowerCase() === 'set-cookie'
           ) ?

diff --git a/src/version.ts b/src/version.ts
@@ -1 +1 @@
-export const VERSION = '5.0.0'; // x-release-please-version
+export const VERSION = '5.0.1'; // x-release-please-version
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		export const VERSION = '5.0.0'; // x-release-please-version
		export const VERSION = '5.0.1'; // x-release-please-version