Release · May 30, 2026

What's New — May 2026

Webhook signing secrets with envelope encryption, MCP server authentication with OAuth 2.0 and OIDC, hardened webhook delivery, and encrypted token storage in the dashboard.

Webhook signing secrets

Each user can now mint a per-account webhook signing secret to verify that delivery payloads actually come from SnapshotFlow. Secrets are stored encrypted at rest using AES-256-GCM with an operator-managed Key Encryption Key — a database dump alone does not expose active secrets.

  • New REST endpoints: POST /auth/webhook-secret (create), GET /auth/webhook-secret, PUT /auth/webhook-secret/rotate, DELETE /auth/webhook-secret
  • 8-character plaintext prefix stored for UI identification and logs without exposing the full secret
  • KEK version field enables future key rotation without re-encrypting all rows at once
  • Full test suite: 460 lines covering crypto round-trips, rotation, and deletion

# Create a signing secret
curl -X POST https://api.snapshotflow.com/auth/webhook-secret \
  -H "X-Api-Key: $API_KEY"

# Rotate it
curl -X PUT https://api.snapshotflow.com/auth/webhook-secret/rotate \
  -H "X-Api-Key: $API_KEY"

MCP server: OAuth 2.0 + OIDC

The Model Context Protocol server now ships with a full OAuth 2.0 authorization server and OIDC provider. AI agents — Claude, Cursor, or any MCP-compatible client — can authenticate with their own OAuth credentials instead of sharing a raw API key.

  • OAuth 2.0 authorization code flow with PKCE for public clients
  • OIDC discovery endpoint (/.well-known/openid-configuration)
  • Google sign-in integration for human-initiated flows
  • Per-client token issuance with standard scopes; tokens stored in mcp_oauth_tokens table (migration 0007)
  • MCP tools: capture_screenshot, capture_batch, visual_diff, get_job_status

Webhook delivery hardening + SSRF protection

Webhook delivery now blocks requests to RFC 1918 private ranges, loopback, link-local, and IPv6 unique-local / link-local addresses, preventing a crafted webhook URL from being used as a server-side request forgery vector against internal infrastructure.

  • SSRF block list covers IPv4 (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16) and IPv6 ULA / link-local
  • Configurable delivery timeout via WEBHOOK_TIMEOUT_MS env var (default 5 s)
  • Correct User-Agent: SnapshotFlow-Webhook/1.0 on all deliveries
  • Remaining TOCTOU bypass vectors from code review addressed
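To make the block list above concrete, here is an added illustration (not SnapshotFlow's own delivery code) of a pre-delivery check that validates every address a webhook host resolves to and hands back a pinned IP, so the sender connects to the address it checked instead of resolving the name a second time. The resolver is injectable so the check can be exercised offline; unwrapping IPv4-mapped IPv6 addresses and the ::1 loopback entry are assumptions that go slightly beyond the ranges listed above.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges from the release notes; IPv6 loopback and IPv4-mapped handling are
# additions assumed here, since ::ffff:10.0.0.1 would otherwise pass the v6 rules.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # IPv4 loopback
    "169.254.0.0/16",                                  # IPv4 link-local
    "::1/128",                                         # IPv6 loopback (assumed)
    "fc00::/7",                                        # IPv6 unique-local (ULA)
    "fe80::/10",                                       # IPv6 link-local
)]


def is_blocked_address(addr: str) -> bool:
    """True if the literal IP address falls inside a blocked range."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # check ::ffff:a.b.c.d against the IPv4 ranges
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_webhook_target(url: str, resolver=socket.getaddrinfo):
    """Validate a webhook URL and return (hostname, port, pinned_ip).

    Every address the name resolves to is checked. The caller must open the
    connection to pinned_ip (sending the original hostname as Host / SNI)
    rather than resolving again at connect time: a second lookup is the
    check-then-use window that a DNS answer changing between the two exploits.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("webhook URL must be http(s) with a host")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    # getaddrinfo-style result: each entry's sockaddr[0] is the address string
    infos = resolver(parsed.hostname, port, proto=socket.IPPROTO_TCP)
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise ValueError("hostname did not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"webhook target {addr} is in a blocked range")
    return parsed.hostname, port, addrs[0]
```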

Dashboard: encrypted token storage

The Angular dashboard now encrypts the session JWT before writing it to localStorage. A lightweight token-cipher utility wraps the browser's SubtleCrypto API, so a raw localStorage dump no longer yields a usable token.

  • Cipher uses the Web Crypto API — zero external dependencies
  • Storage keys centralised in shared/constants/storage-keys.ts; no more inline string literals
  • Full spec coverage for encrypt / decrypt round-trip

Try every new feature now

200 screenshots per month, no credit card required. All features available from day one.
