M53.3Released May 15, 2026

Activation polish + API keys + MCP setup

Welcome email auto-fire, the api_keys infrastructure, /settings/mcp documentation, /getting-started richer post-first-event page, and three Claude/MCP SEO landing pages.

Onboarding MCP Core

Highlights

Welcome email auto-fires from /api/auth/signup. Delivery failure never blocks signup; production never falls back to logging plaintext tokens.
Migration 0017 adds the api_keys table — sha256 hash at rest, six-char prefix, plaintext shown once, workspace-scoped + RBAC-gated.
/settings/api-keys ships with one-time plaintext reveal, label + create + revoke flow, audit-log writes.
/settings/mcp documents MCP end-to-end: what it is, how Claude connects, capabilities, security, operator approval, example workflows, copy-paste configs (Desktop / Code / VS Code), troubleshooting.
/getting-started — longer post-first-event guide with six plan-aware next actions.
Three SEO landing pages: /mcp-seo-workflows, /claude-seo-operator, /ai-seo-operations.

Why this matters

M53 shipped onboarding + billing. M53.3 closed the activation gap: a new operator can now sign up, install the snippet, see first event, get a welcome email, generate an API key, copy a Claude config, and read the guide for their next step — without operator hand-holding.

API key infrastructure

Migration 0017 creates api_keys with token_hash unique index, six-char public prefix, last_used_at + revoked_at lifecycle stamps. Plaintext format: wmk_<22 base62> (~131 bits of entropy). Issuance writes an audit row; revocation writes another. The MCP server (M54) reads from this table.

Documentation surface

/settings/mcp ships three copy-paste config cards (Claude Desktop's claude_desktop_config.json, Claude Code's claude mcp add CLI, VS Code's settings.json). The endpoint URL is derived from NEXT_PUBLIC_DASHBOARD_URL; production builds without the env fail loudly.

Infrastructure notes

Migration 0017_m53_3_api_keys.sql — additive, idempotent.
RESEND_API_KEY + EMAIL_FROM (or RESEND_FROM_EMAIL) for the welcome template.
EMAIL_REPLY_TO optional.

Security notes

API keys hashed at rest (sha256). Plaintext shown exactly once.
Reset tokens hashed at rest.
Welcome email helper audits every send (sent / failed / skipped) with status + provider message id only — never the body.

Real MCP server for WebmasterID Core

Production MCP HTTP endpoint at /api/agent/mcp with ten read-only tools, Bearer auth via the api_keys table, plan gating, audit logging, payload caps, and a per-key rate limit.

POST /api/agent/mcp — JSON-RPC 2.0 over HTTP. Methods: initialize, tools/list, tools/call.
Ten read-only tools: sites, summary, recent events, bot intelligence, AI referrals, top pages, recommendations, repo mappings, execution sessions, plan status.
Workspace-scoped Bearer auth against the api_keys table; revoked keys rejected and audited.
+ 2 more — see the release page

Read release notes →

M53May 15, 2026

OnboardingBillingCore

SaaS onboarding + Stripe billing

Self-serve signup, the onboarding wizard, the three-plan Stripe model, real Checkout + customer portal, and plan enforcement on /api/sites.

Self-serve signup (gated by CORE_SIGNUP_ENABLED) replaces the request-access flow.
Onboarding wizard: workspace → first site → tracker snippet → first event → /onboarding/success.
Three plans wired end-to-end: Pro $49/mo (Core + Agent), Agency $199/mo (Core + Agent + Team Operations), Business custom (Core + Agent + Advanced).
+ 3 more — see the release page

Read release notes →