@eventcatalog/core 3.39.6 → 3.40.1

package/dist/analytics/analytics.cjs

@@ -37,7 +37,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;

package/dist/analytics/analytics.js

@@ -1,7 +1,7 @@
 import {
   raiseEvent
-} from "../chunk-ORVOST63.js";
-import "../chunk-IKZ5ITXP.js";
+} from "../chunk-4OEF5W6Y.js";
+import "../chunk-HNG4KOYQ.js";
 export {
   raiseEvent
 };

package/dist/analytics/log-build.cjs

@@ -111,7 +111,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;
@@ -187,6 +187,42 @@ var getFeatures = async (configFile) => {
     output: configFile.output || "static"
   };
 };
+var CLOUD_ANALYTICS_ENDPOINT = "https://api.ecingest.dev/v1/analytics/ingest";
+var toCloudResourceCounts = (counts) => ({
+  domains: counts.domains || 0,
+  services: counts.services || 0,
+  events: counts.events || 0,
+  commands: counts.commands || 0,
+  queries: counts.queries || 0,
+  flows: counts.flows || 0,
+  channels: counts.channels || 0,
+  entities: counts.entities || 0,
+  containers: counts.containers || 0,
+  dataProducts: counts["data-products"] || 0,
+  teams: counts.teams || 0,
+  users: counts.users || 0,
+  designs: counts.designs || 0,
+  diagrams: counts.diagrams || 0,
+  ubiquitousLanguages: counts.ubiquitousLanguages || 0
+});
+var reportCloudResourceInventory = async (configFile, resourceCounts) => {
+  const analytics = configFile.cloud?.analytics;
+  if (!analytics?.enabled || !analytics.trackingId || !analytics.writeKey) return;
+  const endpoint = analytics.endpoint || CLOUD_ANALYTICS_ENDPOINT;
+  await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-EventCatalog-Analytics-Key": analytics.writeKey
+    },
+    body: JSON.stringify({
+      trackingId: analytics.trackingId,
+      event: "catalog.resource_inventory_reported",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      counts: toCloudResourceCounts(resourceCounts)
+    })
+  });
+};
 var main = async (projectDir, { isEventCatalogStarterEnabled, isEventCatalogScaleEnabled, isBackstagePluginEnabled }) => {
   if (process.env.NODE_ENV === "CI") return;
   try {
@@ -205,6 +241,7 @@ var main = async (projectDir, { isEventCatalogStarterEnabled, isEventCatalogScal
     }
     const features = await getFeatures(configFile);
     const resourceCounts = await countResources(projectDir);
+    await reportCloudResourceInventory(configFile, resourceCounts);
     await raiseEvent({
       command: "build",
       org: organizationName,

package/dist/analytics/log-build.js

@@ -1,9 +1,9 @@
 import {
   log_build_default
-} from "../chunk-MQAZ4LXP.js";
-import "../chunk-ORVOST63.js";
+} from "../chunk-7UR72UMK.js";
 import "../chunk-4UVFXLPI.js";
-import "../chunk-IKZ5ITXP.js";
+import "../chunk-4OEF5W6Y.js";
+import "../chunk-HNG4KOYQ.js";
 import "../chunk-5T63CXKU.js";
 export {
   log_build_default as default

package/dist/{chunk-ORVOST63.js → chunk-4OEF5W6Y.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-HNG4KOYQ.js";
 
 // src/analytics/analytics.js
 import axios from "axios";

package/dist/{chunk-MQAZ4LXP.js → chunk-7UR72UMK.js}

@@ -1,10 +1,10 @@
-import {
-  raiseEvent
-} from "./chunk-ORVOST63.js";
 import {
   countResources,
   serializeCounts
 } from "./chunk-4UVFXLPI.js";
+import {
+  raiseEvent
+} from "./chunk-4OEF5W6Y.js";
 import {
   getEventCatalogConfigFile,
   verifyRequiredFieldsAreInCatalogConfigFile
@@ -19,6 +19,42 @@ var getFeatures = async (configFile) => {
     output: configFile.output || "static"
   };
 };
+var CLOUD_ANALYTICS_ENDPOINT = "https://api.ecingest.dev/v1/analytics/ingest";
+var toCloudResourceCounts = (counts) => ({
+  domains: counts.domains || 0,
+  services: counts.services || 0,
+  events: counts.events || 0,
+  commands: counts.commands || 0,
+  queries: counts.queries || 0,
+  flows: counts.flows || 0,
+  channels: counts.channels || 0,
+  entities: counts.entities || 0,
+  containers: counts.containers || 0,
+  dataProducts: counts["data-products"] || 0,
+  teams: counts.teams || 0,
+  users: counts.users || 0,
+  designs: counts.designs || 0,
+  diagrams: counts.diagrams || 0,
+  ubiquitousLanguages: counts.ubiquitousLanguages || 0
+});
+var reportCloudResourceInventory = async (configFile, resourceCounts) => {
+  const analytics = configFile.cloud?.analytics;
+  if (!analytics?.enabled || !analytics.trackingId || !analytics.writeKey) return;
+  const endpoint = analytics.endpoint || CLOUD_ANALYTICS_ENDPOINT;
+  await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-EventCatalog-Analytics-Key": analytics.writeKey
+    },
+    body: JSON.stringify({
+      trackingId: analytics.trackingId,
+      event: "catalog.resource_inventory_reported",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      counts: toCloudResourceCounts(resourceCounts)
+    })
+  });
+};
 var main = async (projectDir, { isEventCatalogStarterEnabled, isEventCatalogScaleEnabled, isBackstagePluginEnabled }) => {
   if (process.env.NODE_ENV === "CI") return;
   try {
@@ -37,6 +73,7 @@ var main = async (projectDir, { isEventCatalogStarterEnabled, isEventCatalogScal
     }
     const features = await getFeatures(configFile);
     const resourceCounts = await countResources(projectDir);
+    await reportCloudResourceInventory(configFile, resourceCounts);
     await raiseEvent({
       command: "build",
       org: organizationName,

package/dist/{chunk-LEUIMTEQ.js → chunk-BRMLU4PR.js}

@@ -1,6 +1,6 @@
 import {
   logger
-} from "./chunk-4OSFLWLG.js";
+} from "./chunk-OIVICT4V.js";
 import {
   cleanup,
   getEventCatalogConfigFile

package/dist/{chunk-IKZ5ITXP.js → chunk-HNG4KOYQ.js}

@@ -1,5 +1,5 @@
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;

package/dist/{chunk-4OSFLWLG.js → chunk-OIVICT4V.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-HNG4KOYQ.js";
 
 // src/utils/cli-logger.ts
 import pc from "picocolors";

package/dist/constants.cjs

@@ -25,7 +25,7 @@ __export(constants_exports, {
 module.exports = __toCommonJS(constants_exports);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;

package/dist/constants.js

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-HNG4KOYQ.js";
 export {
   VERSION
 };

package/dist/docs/development/ask-your-architecture/03-mcp-server/getting-started.md

@@ -45,6 +45,78 @@ Visit the endpoint in your browser to verify. It returns available tools and res
 }
 ```
 
+### Protect with OAuth
+
+<AddedIn version="3.40.0" />
+
+The built-in MCP server can be protected with OAuth Bearer tokens, following the MCP authorization specification for HTTP transports.
+
+EventCatalog acts as the OAuth protected resource server for `/docs/mcp`. Your identity provider or authorization server remains responsible for user login, consent, client registration, `/authorize`, `/oauth/token`, and token refresh.
+
+Configure MCP authorization in `eventcatalog.config.js`:
+
+```js title="eventcatalog.config.js"
+module.exports = {
+  output: 'server',
+  mcp: {
+    auth: {
+      enabled: true,
+      resource: 'https://your-eventcatalog.com/docs/mcp',
+      authorizationServers: ['https://auth.example.com'],
+      issuer: 'https://auth.example.com',
+      audience: 'https://your-eventcatalog.com/docs/mcp',
+      requiredScopes: ['catalog:read'],
+      jwksUri: 'https://auth.example.com/.well-known/jwks.json',
+    },
+  },
+};
+```
+
+When enabled, EventCatalog serves protected resource metadata at `/.well-known/oauth-protected-resource`. Unauthenticated MCP clients receive a `401 Unauthorized` response with a `WWW-Authenticate` header pointing at that document. MCP clients then obtain an access token from the advertised authorization server and call `/docs/mcp` with:
+
+```http
+Authorization: Bearer <access-token>
+```
+
+The access token must be valid, unexpired, issued by the configured issuer, intended for the configured audience, and include all required scopes.
+
+#### Key signing options
+
+Choose one of the following strategies for token validation:
+
+| Strategy | Config fields |
+|---|---|
+| JWKS endpoint (recommended) | `jwksUri` |
+| Inline asymmetric public key | `publicKey` or `publicKeyEnvVar` |
+| Symmetric shared secret | `sharedSecret` or `sharedSecretEnvVar` |
+
+Prefer `publicKeyEnvVar` or `sharedSecretEnvVar` over inline values to avoid committing secrets to source control.
+
+#### All options
+
+| Field | Required | Description |
+|---|---|---|
+| `enabled` | Yes | Enables OAuth Bearer token validation |
+| `resource` | No | Absolute URL of the MCP resource. Set this explicitly when behind a proxy |
+| `protectedResourceMetadataUrl` | No | URL for the protected resource metadata document. Defaults to `/.well-known/oauth-protected-resource` |
+| `authorizationServers` | No | Authorization server URLs advertised to MCP clients |
+| `issuer` | No | Expected token issuer (`iss` claim) |
+| `audience` | No | Expected token audience (`aud` claim). Defaults to `resource` |
+| `requiredScopes` | No | Scopes every token must include |
+| `jwksUri` | No | JWKS endpoint for asymmetric JWT validation |
+| `publicKey` | No | Inline public key for asymmetric JWT validation |
+| `publicKeyEnvVar` | No | Environment variable containing the public key |
+| `sharedSecret` | No | Inline shared secret for symmetric JWT validation |
+| `sharedSecretEnvVar` | No | Environment variable containing the shared secret |
+
+:::note Existing website authentication
+The `auth.enabled` and `eventcatalog.auth.js` settings protect the EventCatalog website with browser sessions. MCP authorization is separate because MCP clients authenticate with Bearer tokens, not browser cookies.
+:::
+
+:::tip Authorization server discovery
+EventCatalog serves `/.well-known/oauth-protected-resource` for MCP client discovery. It does not serve `/.well-known/oauth-authorization-server`, `/authorize`, or `/oauth/token` -- those endpoints must be provided by the authorization server listed in `authorizationServers`. If your MCP client expects those endpoints on the catalog host, proxy the authorization server behind that host with your load balancer or reverse proxy.
+:::
+
 ### Connect clients
 
 <details>

package/dist/eventcatalog.cjs

@@ -114,7 +114,7 @@ var verifyRequiredFieldsAreInCatalogConfigFile = async (projectDirectory) => {
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;
@@ -282,6 +282,42 @@ var getFeatures = async (configFile) => {
     output: configFile.output || "static"
   };
 };
+var CLOUD_ANALYTICS_ENDPOINT = "https://api.ecingest.dev/v1/analytics/ingest";
+var toCloudResourceCounts = (counts) => ({
+  domains: counts.domains || 0,
+  services: counts.services || 0,
+  events: counts.events || 0,
+  commands: counts.commands || 0,
+  queries: counts.queries || 0,
+  flows: counts.flows || 0,
+  channels: counts.channels || 0,
+  entities: counts.entities || 0,
+  containers: counts.containers || 0,
+  dataProducts: counts["data-products"] || 0,
+  teams: counts.teams || 0,
+  users: counts.users || 0,
+  designs: counts.designs || 0,
+  diagrams: counts.diagrams || 0,
+  ubiquitousLanguages: counts.ubiquitousLanguages || 0
+});
+var reportCloudResourceInventory = async (configFile, resourceCounts) => {
+  const analytics = configFile.cloud?.analytics;
+  if (!analytics?.enabled || !analytics.trackingId || !analytics.writeKey) return;
+  const endpoint = analytics.endpoint || CLOUD_ANALYTICS_ENDPOINT;
+  await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-EventCatalog-Analytics-Key": analytics.writeKey
+    },
+    body: JSON.stringify({
+      trackingId: analytics.trackingId,
+      event: "catalog.resource_inventory_reported",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      counts: toCloudResourceCounts(resourceCounts)
+    })
+  });
+};
 var main = async (projectDir, { isEventCatalogStarterEnabled: isEventCatalogStarterEnabled2, isEventCatalogScaleEnabled: isEventCatalogScaleEnabled2, isBackstagePluginEnabled }) => {
   if (process.env.NODE_ENV === "CI") return;
   try {
@@ -300,6 +336,7 @@ var main = async (projectDir, { isEventCatalogStarterEnabled: isEventCatalogStar
     }
     const features = await getFeatures(configFile);
     const resourceCounts = await countResources(projectDir);
+    await reportCloudResourceInventory(configFile, resourceCounts);
     await raiseEvent({
       command: "build",
       org: organizationName,

package/dist/eventcatalog.config.d.cts

@@ -47,6 +47,47 @@ type PagesConfiguration = {
 type AuthConfig = {
     enabled: boolean;
 };
+type McpAuthConfig = {
+    /**
+     * Require OAuth Bearer tokens for the built-in MCP server.
+     * EventCatalog acts as the MCP protected resource server; the
+     * configured authorization server remains responsible for login,
+     * consent, token issuance, and client registration.
+     */
+    enabled?: boolean;
+    /**
+     * Absolute URL for the MCP resource. Defaults to the request origin
+     * plus `/docs/mcp`, but production deployments behind proxies should
+     * set this explicitly.
+     */
+    resource?: string;
+    /**
+     * Optional absolute URL for the OAuth Protected Resource Metadata
+     * document. Defaults to `/.well-known/oauth-protected-resource`.
+     */
+    protectedResourceMetadataUrl?: string;
+    /** Authorization server issuer/base URLs advertised to MCP clients. */
+    authorizationServers?: string[];
+    /** Expected token issuer (`iss`). */
+    issuer?: string;
+    /** Expected token audience (`aud`). Defaults to `resource`. */
+    audience?: string | string[];
+    /** Scopes required to call the MCP server. */
+    requiredScopes?: string[];
+    /** JWKS endpoint used to validate asymmetric JWT access tokens. */
+    jwksUri?: string;
+    /** Inline public key for asymmetric JWT validation. */
+    publicKey?: string;
+    /** Environment variable containing the public key. */
+    publicKeyEnvVar?: string;
+    /** Inline shared secret for symmetric JWT validation. Prefer `sharedSecretEnvVar`. */
+    sharedSecret?: string;
+    /** Environment variable containing the shared secret. */
+    sharedSecretEnvVar?: string;
+};
+type McpConfig = {
+    auth?: McpAuthConfig;
+};
 type GA4Config = {
     measurementId: string;
 };
@@ -57,6 +98,16 @@ type PostHogConfig = {
     apiKey: string;
     apiHost?: string;
 };
+type EventCatalogCloudAnalyticsConfig = {
+    enabled: boolean;
+    trackingId: string;
+    writeKey?: string;
+    endpoint?: string;
+    debug?: boolean;
+};
+type EventCatalogCloudConfig = {
+    analytics?: EventCatalogCloudAnalyticsConfig;
+};
 type IntegrationsConfig = {
     ga4?: GA4Config;
     gtm?: GTMConfig;
@@ -90,6 +141,7 @@ interface Config {
      */
     theme?: CatalogTheme;
     auth?: AuthConfig;
+    mcp?: McpConfig;
     rss?: {
         enabled: boolean;
         limit: number;
@@ -201,6 +253,7 @@ interface Config {
     queries?: {
         tableConfiguration?: TableConfiguration;
     };
+    cloud?: EventCatalogCloudConfig;
     integrations?: IntegrationsConfig;
     scalarConfiguration?: ScalarConfiguration;
 }

package/dist/eventcatalog.config.d.ts

@@ -47,6 +47,47 @@ type PagesConfiguration = {
 type AuthConfig = {
     enabled: boolean;
 };
+type McpAuthConfig = {
+    /**
+     * Require OAuth Bearer tokens for the built-in MCP server.
+     * EventCatalog acts as the MCP protected resource server; the
+     * configured authorization server remains responsible for login,
+     * consent, token issuance, and client registration.
+     */
+    enabled?: boolean;
+    /**
+     * Absolute URL for the MCP resource. Defaults to the request origin
+     * plus `/docs/mcp`, but production deployments behind proxies should
+     * set this explicitly.
+     */
+    resource?: string;
+    /**
+     * Optional absolute URL for the OAuth Protected Resource Metadata
+     * document. Defaults to `/.well-known/oauth-protected-resource`.
+     */
+    protectedResourceMetadataUrl?: string;
+    /** Authorization server issuer/base URLs advertised to MCP clients. */
+    authorizationServers?: string[];
+    /** Expected token issuer (`iss`). */
+    issuer?: string;
+    /** Expected token audience (`aud`). Defaults to `resource`. */
+    audience?: string | string[];
+    /** Scopes required to call the MCP server. */
+    requiredScopes?: string[];
+    /** JWKS endpoint used to validate asymmetric JWT access tokens. */
+    jwksUri?: string;
+    /** Inline public key for asymmetric JWT validation. */
+    publicKey?: string;
+    /** Environment variable containing the public key. */
+    publicKeyEnvVar?: string;
+    /** Inline shared secret for symmetric JWT validation. Prefer `sharedSecretEnvVar`. */
+    sharedSecret?: string;
+    /** Environment variable containing the shared secret. */
+    sharedSecretEnvVar?: string;
+};
+type McpConfig = {
+    auth?: McpAuthConfig;
+};
 type GA4Config = {
     measurementId: string;
 };
@@ -57,6 +98,16 @@ type PostHogConfig = {
     apiKey: string;
     apiHost?: string;
 };
+type EventCatalogCloudAnalyticsConfig = {
+    enabled: boolean;
+    trackingId: string;
+    writeKey?: string;
+    endpoint?: string;
+    debug?: boolean;
+};
+type EventCatalogCloudConfig = {
+    analytics?: EventCatalogCloudAnalyticsConfig;
+};
 type IntegrationsConfig = {
     ga4?: GA4Config;
     gtm?: GTMConfig;
@@ -90,6 +141,7 @@ interface Config {
      */
     theme?: CatalogTheme;
     auth?: AuthConfig;
+    mcp?: McpConfig;
     rss?: {
         enabled: boolean;
         limit: number;
@@ -201,6 +253,7 @@ interface Config {
     queries?: {
         tableConfiguration?: TableConfiguration;
     };
+    cloud?: EventCatalogCloudConfig;
     integrations?: IntegrationsConfig;
     scalarConfiguration?: ScalarConfiguration;
 }

package/dist/eventcatalog.js

@@ -1,7 +1,7 @@
 import {
-  runMigrations
-} from "./chunk-XUAF2H54.js";
-import "./chunk-CA4U2JP7.js";
+  log_build_default
+} from "./chunk-7UR72UMK.js";
+import "./chunk-4UVFXLPI.js";
 import {
   resolve_catalog_dependencies_default
 } from "./chunk-WAJIJEI3.js";
@@ -12,10 +12,10 @@ import {
   watch
 } from "./chunk-K3ZVEX2Y.js";
 import {
-  log_build_default
-} from "./chunk-MQAZ4LXP.js";
-import "./chunk-ORVOST63.js";
-import "./chunk-4UVFXLPI.js";
+  runMigrations
+} from "./chunk-XUAF2H54.js";
+import "./chunk-CA4U2JP7.js";
+import "./chunk-4OEF5W6Y.js";
 import {
   catalogToAstro
 } from "./chunk-YDXB3BD2.js";
@@ -28,13 +28,13 @@ import {
 } from "./chunk-ULZYHF3V.js";
 import {
   generate
-} from "./chunk-LEUIMTEQ.js";
+} from "./chunk-BRMLU4PR.js";
 import {
   logger
-} from "./chunk-4OSFLWLG.js";
+} from "./chunk-OIVICT4V.js";
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-HNG4KOYQ.js";
 import {
   getEventCatalogConfigFile,
   verifyRequiredFieldsAreInCatalogConfigFile

package/dist/generate.cjs

@@ -78,7 +78,7 @@ var getEventCatalogConfigFile = async (projectDirectory) => {
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;

package/dist/generate.js

@@ -1,8 +1,8 @@
 import {
   generate
-} from "./chunk-LEUIMTEQ.js";
-import "./chunk-4OSFLWLG.js";
-import "./chunk-IKZ5ITXP.js";
+} from "./chunk-BRMLU4PR.js";
+import "./chunk-OIVICT4V.js";
+import "./chunk-HNG4KOYQ.js";
 import "./chunk-5T63CXKU.js";
 export {
   generate

package/dist/utils/cli-logger.cjs

@@ -36,7 +36,7 @@ module.exports = __toCommonJS(cli_logger_exports);
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.1";
 
 // src/constants.ts
 var VERSION = version;

package/dist/utils/cli-logger.js

@@ -1,7 +1,7 @@
 import {
   logger
-} from "../chunk-4OSFLWLG.js";
-import "../chunk-IKZ5ITXP.js";
+} from "../chunk-OIVICT4V.js";
+import "../chunk-HNG4KOYQ.js";
 export {
   logger
 };

package/eventcatalog/src/enterprise/analytics/components/AnalyticsHead.astro

@@ -3,11 +3,15 @@ import config from '@config';
 import { isIntegrationsEnabled } from '@utils/feature';
 
 const integrations = config.integrations;
+const cloudAnalytics = config.cloud?.analytics;
 const enabled = isIntegrationsEnabled() && integrations;
 const hasProviders = enabled && (integrations?.ga4 || integrations?.gtm || integrations?.posthog);
 const debug = integrations?.debug ?? false;
+const cloudDebug = cloudAnalytics?.debug ?? debug;
+const cloudAnalyticsEndpoint = cloudAnalytics?.endpoint || 'https://api.ecingest.dev/v1/analytics/ingest';
+const isCloudAnalyticsEnabled = cloudAnalytics?.enabled === true && !!cloudAnalytics?.trackingId;
 // Render the manager if there are providers OR if debug mode is on (so users can verify the pipeline)
-const shouldRender = enabled && (hasProviders || debug);
+const shouldRender = isCloudAnalyticsEnabled || (enabled && (hasProviders || debug));
 
 // Build script contents in frontmatter to avoid Prettier/JSX parsing issues with braces in inline scripts
 const ga4ConfigScript = integrations?.ga4
@@ -35,6 +39,7 @@ posthog.init(${posthogApiKey}, {api_host: ${posthogApiHost}, person_profiles: 'i
 const hasGA4 = !!integrations?.ga4;
 const hasGTM = !!integrations?.gtm;
 const hasPostHog = !!integrations?.posthog;
+const hasCloudAnalytics = !!isCloudAnalyticsEnabled;
 
 const managerScript = `(function() {
 function AnalyticsManager(opts) {
@@ -57,6 +62,28 @@ AnalyticsManager.prototype.pageView = function(url, props) {
     try { this.adapters[i].pageView(url, props); } catch(e) {}
   }
 };
+function createId(prefix) {
+  var bytes = new Uint8Array(16);
+  if (window.crypto && window.crypto.getRandomValues) {
+    window.crypto.getRandomValues(bytes);
+  } else {
+    for (var i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256);
+  }
+  return prefix + '_' + Array.prototype.map.call(bytes, function(byte) {
+    return byte.toString(16).padStart(2, '0');
+  }).join('');
+}
+function getStoredId(storage, key, prefix) {
+  try {
+    var existing = storage.getItem(key);
+    if (existing) return existing;
+    var id = createId(prefix);
+    storage.setItem(key, id);
+    return id;
+  } catch(e) {
+    return createId(prefix);
+  }
+}
 var manager = new AnalyticsManager({ debug: ${debug} });
 ${
   hasGA4
@@ -85,6 +112,56 @@ ${
 });`
     : ''
 }
+${
+  hasCloudAnalytics
+    ? `var eventCatalogCloudLastPath;
+manager.register({
+  name: 'eventcatalog-cloud',
+  track: function(event, props) {
+    if (event !== 'catalog.page_viewed' && event !== 'catalog.built' && event !== 'catalog.resource_inventory_reported') return;
+
+    var payload = Object.assign({
+      trackingId: ${JSON.stringify(cloudAnalytics?.trackingId || '')},
+      event: event,
+      anonymousId: getStoredId(window.localStorage, 'eventcatalog-cloud-anonymous-id', 'anon'),
+      sessionId: getStoredId(window.sessionStorage, 'eventcatalog-cloud-session-id', 'sess'),
+      timestamp: new Date().toISOString()
+    }, props || {});
+
+    var body = JSON.stringify(payload);
+    if (${cloudDebug}) console.log('[EventCatalog Cloud Analytics] track: ' + event, payload);
+
+    try {
+      fetch(${JSON.stringify(cloudAnalyticsEndpoint)}, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: body,
+        keepalive: true,
+        credentials: 'omit'
+      }).catch(function() {});
+    } catch(e) {}
+  },
+  pageView: function(url, props) {
+    props = props || {};
+    var path = props.url || url || window.location.pathname;
+    var payload = {
+      path: path,
+      section: props.section || undefined,
+      referrer: eventCatalogCloudLastPath || document.referrer || undefined
+    };
+    if (props.resource_type && props.resource_id) {
+      payload.resource = {
+        type: props.resource_type,
+        id: props.resource_id,
+        version: props.resource_version || undefined
+      };
+    }
+    eventCatalogCloudLastPath = path;
+    this.track('catalog.page_viewed', payload);
+  }
+});`
+    : ''
+}
 window.__ec_analytics = manager;
 })();`;
 ---

package/eventcatalog/src/enterprise/analytics/components/AnalyticsTracker.astro

@@ -3,10 +3,12 @@ import config from '@config';
 import { isIntegrationsEnabled } from '@utils/feature';
 
 const integrations = config.integrations;
+const cloudAnalytics = config.cloud?.analytics;
 const enabled = isIntegrationsEnabled() && integrations;
 const hasProviders = enabled && (integrations?.ga4 || integrations?.gtm || integrations?.posthog);
 const debug = integrations?.debug ?? false;
-const shouldRender = enabled && (hasProviders || debug);
+const isCloudAnalyticsEnabled = cloudAnalytics?.enabled === true && !!cloudAnalytics?.trackingId;
+const shouldRender = isCloudAnalyticsEnabled || (enabled && (hasProviders || debug));
 
 const base = (config.base || '/').replace(/\/$/, '');
 const baseJson = JSON.stringify(base);

package/eventcatalog/src/enterprise/auth/middleware/middleware-auth.ts

@@ -6,7 +6,7 @@
 // src/middleware/auth.ts
 import type { MiddlewareHandler } from 'astro';
 import { getSession } from 'auth-astro/server';
-import { isAuthEnabled } from '@utils/feature';
+import { isAuthEnabled, isEventCatalogMCPAuthEnabled } from '@utils/feature';
 import jwt from 'jsonwebtoken';
 import { isLLMSTxtEnabled } from '@utils/feature';
 
@@ -97,6 +97,10 @@ export function getPublicRoutes(isLLMSTextEnabled: boolean) {
   ];
 }
 
+export function isMcpRoute(pathname: string) {
+  return pathname === '/docs/mcp' || pathname.startsWith('/docs/mcp/');
+}
+
 export const authMiddleware: MiddlewareHandler = async (context, next) => {
   const { request, redirect, locals } = context;
   const url = new URL(request.url);
@@ -118,6 +122,7 @@ export const authMiddleware: MiddlewareHandler = async (context, next) => {
 
   if (
     pathname.startsWith('/_') ||
+    (isEventCatalogMCPAuthEnabled() && isMcpRoute(pathname)) ||
     systemRoutes.some((route) => pathname.startsWith(route)) ||
     pathname.startsWith('/.well-known/') ||
     publicRoutes.some((route) => pathname.startsWith(route)) ||

package/eventcatalog/src/enterprise/feature.ts

@@ -66,6 +66,8 @@ export const isDiagramComparisonEnabled = () => isEventCatalogScaleEnabled();
 
 export const isEventCatalogMCPEnabled = () => isEventCatalogScaleEnabled() && isSSR();
 
+export const isEventCatalogMCPAuthEnabled = () => isEventCatalogMCPEnabled() && (config?.mcp?.auth?.enabled ?? false);
+
 export const isIntegrationsEnabled = () => isEventCatalogScaleEnabled();
 
 export const isExportPDFEnabled = () => true;

package/eventcatalog/src/enterprise/integrations/eventcatalog-features.ts

@@ -12,6 +12,7 @@ import {
   isEventCatalogScaleEnabled,
   isEventCatalogStarterEnabled,
   isEventCatalogMCPEnabled,
+  isEventCatalogMCPAuthEnabled,
   isFullCatalogAPIEnabled,
   isDevMode,
   isIntegrationsEnabled,
@@ -72,6 +73,17 @@ export default function eventCatalogIntegration(): AstroIntegration {
           });
         }
 
+        if (isEventCatalogMCPAuthEnabled()) {
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource/[...path]',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+        }
+
         // Handle routes for authentication
         if (isAuthEnabled()) {
           configureAuthentication(params);

package/eventcatalog/src/enterprise/mcp/mcp-auth.ts

@@ -0,0 +1,266 @@
+/**
+ * Licensed under the EventCatalog Commercial License.
+ * See /packages/core/eventcatalog/src/enterprise/LICENSE
+ */
+
+import jwt, { type Algorithm, type JwtPayload } from 'jsonwebtoken';
+import { createPublicKey, type JsonWebKey, type KeyObject } from 'node:crypto';
+import config from '../../../eventcatalog.config.js';
+import type { Config } from '../../../../src/eventcatalog.config';
+
+type ConfiguredMcpAuth = NonNullable<NonNullable<Config['mcp']>['auth']>;
+
+export type McpAuthConfig = ConfiguredMcpAuth;
+
+type TokenClaims = JwtPayload & {
+  scope?: string;
+  scp?: string[];
+};
+
+type JwksKey = JsonWebKey & {
+  kid?: string;
+};
+
+type AuthFailure = {
+  ok: false;
+  status: 401 | 403;
+  error: string;
+  description: string;
+  requiredScopes: string[];
+  metadataUrl: string;
+};
+
+export type McpAuthResult =
+  | {
+      ok: true;
+      claims?: TokenClaims;
+    }
+  | AuthFailure;
+
+const jwksCache = new Map<string, { expiresAt: number; keys: JwksKey[] }>();
+
+const quote = (value: string) => `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+
+export const getMcpAuthConfig = (): McpAuthConfig | undefined => config?.mcp?.auth;
+
+export const isMcpAuthEnabled = (
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): authConfig is McpAuthConfig & { enabled: true } => authConfig?.enabled === true;
+
+export function getMcpResourceUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.resource) return authConfig.resource;
+  return new URL('/docs/mcp', request.url).href;
+}
+
+export function getMcpProtectedResourceMetadataUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.protectedResourceMetadataUrl) return authConfig.protectedResourceMetadataUrl;
+  return new URL('/.well-known/oauth-protected-resource', request.url).href;
+}
+
+export function getMcpRequiredScopes(authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  return authConfig?.requiredScopes ?? [];
+}
+
+export function getMcpProtectedResourceMetadata(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (!isMcpAuthEnabled(authConfig)) return undefined;
+
+  return {
+    resource: getMcpResourceUrl(request, authConfig),
+    authorization_servers: authConfig?.authorizationServers ?? [],
+    scopes_supported: getMcpRequiredScopes(authConfig),
+  };
+}
+
+export function createWwwAuthenticateHeader(failure: AuthFailure) {
+  const params = [
+    `realm=${quote('mcp')}`,
+    `resource_metadata=${quote(failure.metadataUrl)}`,
+    failure.requiredScopes.length > 0 ? `scope=${quote(failure.requiredScopes.join(' '))}` : undefined,
+    failure.error ? `error=${quote(failure.error)}` : undefined,
+    failure.description ? `error_description=${quote(failure.description)}` : undefined,
+  ].filter(Boolean);
+
+  return `Bearer ${params.join(', ')}`;
+}
+
+export function createMcpAuthErrorResponse(failure: AuthFailure) {
+  return new Response(JSON.stringify({ error: failure.error, message: failure.description }), {
+    status: failure.status,
+    headers: {
+      'Content-Type': 'application/json',
+      'WWW-Authenticate': createWwwAuthenticateHeader(failure),
+    },
+  });
+}
+
+export async function validateMcpRequest(
+  request: Request,
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): Promise<McpAuthResult> {
+  if (!isMcpAuthEnabled(authConfig)) return { ok: true };
+
+  const metadataUrl = getMcpProtectedResourceMetadataUrl(request, authConfig);
+  const requiredScopes = getMcpRequiredScopes(authConfig);
+  const authHeader = request.headers.get('Authorization');
+  const bearerMatch = authHeader?.match(/^Bearer\s+(.*)$/i);
+
+  if (!bearerMatch) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  const token = bearerMatch[1].trim();
+
+  if (!token) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  try {
+    const claims = await verifyAccessToken(token, request, authConfig);
+    const missingScopes = getMissingScopes(claims, requiredScopes);
+
+    if (missingScopes.length > 0) {
+      return {
+        ok: false,
+        status: 403,
+        error: 'insufficient_scope',
+        description: `Missing required scope${missingScopes.length > 1 ? 's' : ''}: ${missingScopes.join(' ')}`,
+        requiredScopes,
+        metadataUrl,
+      };
+    }
+
+    return { ok: true, claims };
+  } catch {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Invalid or expired Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+}
+
+async function verifyAccessToken(token: string, request: Request, authConfig: McpAuthConfig): Promise<TokenClaims> {
+  const decoded = jwt.decode(token, { complete: true });
+  const algorithm = decoded && typeof decoded === 'object' ? (decoded.header.alg as Algorithm | undefined) : undefined;
+
+  if (!algorithm || algorithm === 'none') {
+    throw new Error('Unsupported JWT algorithm');
+  }
+
+  const key = await getVerificationKey(token, authConfig);
+  const audience = getJwtAudience(authConfig.audience ?? getMcpResourceUrl(request, authConfig));
+
+  const payload = jwt.verify(token, key, {
+    audience,
+    issuer: authConfig.issuer,
+    algorithms: [algorithm],
+    clockTolerance: 5,
+  });
+
+  if (!payload || typeof payload === 'string') {
+    throw new Error('Invalid JWT payload');
+  }
+
+  return payload as TokenClaims;
+}
+
+async function getVerificationKey(token: string, authConfig: McpAuthConfig): Promise<string | Buffer | KeyObject> {
+  const sharedSecret = getConfiguredValue(authConfig.sharedSecret, authConfig.sharedSecretEnvVar);
+  if (sharedSecret) return sharedSecret;
+
+  const publicKey = getConfiguredValue(authConfig.publicKey, authConfig.publicKeyEnvVar);
+  if (publicKey) return publicKey;
+
+  if (authConfig.jwksUri) {
+    return getJwksVerificationKey(token, authConfig.jwksUri);
+  }
+
+  throw new Error('MCP auth requires jwksUri, publicKey, publicKeyEnvVar, sharedSecret, or sharedSecretEnvVar');
+}
+
+function getConfiguredValue(value: string | undefined, envVar: string | undefined) {
+  if (value) return value;
+  if (envVar) return process.env[envVar];
+  return undefined;
+}
+
+async function getJwksVerificationKey(token: string, jwksUri: string) {
+  const decoded = jwt.decode(token, { complete: true });
+  const kid = decoded && typeof decoded === 'object' ? decoded.header.kid : undefined;
+  const keys = await getJwksKeys(jwksUri);
+  const jwk = keys.find((key) => (kid ? key.kid === kid : keys.length === 1));
+
+  if (!jwk) {
+    throw new Error('No matching JWKS key found for token');
+  }
+
+  return createPublicKey({ key: jwk, format: 'jwk' });
+}
+
+function getJwtAudience(audience: string | string[]) {
+  if (Array.isArray(audience)) {
+    if (audience.length === 0) return undefined;
+    return audience as [string, ...string[]];
+  }
+
+  return audience;
+}
+
+async function getJwksKeys(jwksUri: string): Promise<JwksKey[]> {
+  const cached = jwksCache.get(jwksUri);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.keys;
+  }
+
+  const response = await fetch(jwksUri, {
+    headers: {
+      Accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status}`);
+  }
+
+  const body = (await response.json()) as { keys?: JwksKey[] };
+  const keys = body.keys ?? [];
+  jwksCache.set(jwksUri, { keys, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return keys;
+}
+
+function getMissingScopes(claims: TokenClaims, requiredScopes: string[]) {
+  if (requiredScopes.length === 0) return [];
+
+  const scopes = new Set<string>();
+
+  if (typeof claims.scope === 'string') {
+    for (const scope of claims.scope.split(/\s+/)) {
+      if (scope) scopes.add(scope);
+    }
+  }
+
+  if (Array.isArray(claims.scp)) {
+    for (const scope of claims.scp) {
+      scopes.add(scope);
+    }
+  }
+
+  return requiredScopes.filter((scope) => !scopes.has(scope));
+}

package/eventcatalog/src/enterprise/mcp/mcp-server.ts

@@ -32,6 +32,7 @@ import {
   toolDescriptions,
 } from '@enterprise/tools/catalog-tools';
 import { getCollection } from 'astro:content';
+import { createMcpAuthErrorResponse, validateMcpRequest } from './mcp-auth';
 
 const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
 
@@ -462,6 +463,12 @@ const mcpResources = [
 
 // Health check endpoint
 app.get('/', async (c: Context) => {
+  const auth = await validateMcpRequest(c.req.raw);
+
+  if (!auth.ok) {
+    return createMcpAuthErrorResponse(auth);
+  }
+
   return c.json({
     name: 'EventCatalog MCP Server',
     version: '1.0.0',
@@ -475,6 +482,12 @@ app.get('/', async (c: Context) => {
 // MCP protocol endpoint - handles POST requests for MCP protocol
 app.post('/', async (c: Context) => {
   try {
+    const auth = await validateMcpRequest(c.req.raw);
+
+    if (!auth.ok) {
+      return createMcpAuthErrorResponse(auth);
+    }
+
     // Create fresh server and transport per request — the MCP SDK's
     // WebStandardStreamableHTTPServerTransport is single-use in stateless
     // mode: it sets _hasHandledRequest=true after the first call and throws

package/eventcatalog/src/enterprise/mcp/oauth-protected-resource.ts

@@ -0,0 +1,25 @@
+/**
+ * Licensed under the EventCatalog Commercial License.
+ * See /packages/core/eventcatalog/src/enterprise/LICENSE
+ */
+
+import type { APIRoute } from 'astro';
+import { getMcpProtectedResourceMetadata } from './mcp-auth';
+
+export const GET: APIRoute = async ({ request }) => {
+  const metadata = getMcpProtectedResourceMetadata(request);
+
+  if (!metadata) {
+    return new Response(JSON.stringify({ error: 'mcp_auth_not_configured' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  return new Response(JSON.stringify(metadata, null, 2), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  });
+};
+
+export const prerender = false;

package/eventcatalog/src/utils/feature.ts

@@ -29,6 +29,7 @@ export {
   isCustomStylesEnabled,
   isDiagramComparisonEnabled,
   isEventCatalogMCPEnabled,
+  isEventCatalogMCPAuthEnabled,
   isIntegrationsEnabled,
   isExportPDFEnabled,
 } from '../enterprise/feature';

package/package.json

@@ -7,7 +7,7 @@
   },
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
-  "version": "3.39.6",
+  "version": "3.40.1",
   "publishConfig": {
     "access": "public"
   },
@@ -107,8 +107,8 @@
     "uuid": "^10.0.0",
     "zod": "^4.3.6",
     "@eventcatalog/sdk": "2.21.2",
-    "@eventcatalog/linter": "1.0.24",
-    "@eventcatalog/visualiser": "^3.21.0"
+    "@eventcatalog/visualiser": "^3.21.0",
+    "@eventcatalog/linter": "1.0.24"
   },
   "devDependencies": {
     "@astrojs/check": "^0.9.9",