In the previous post we took a local MCP server from stdio to live in Claude.ai through a public URL (tunnel). Anyone with that URL could call its tools. That is fine for a weather demo, not for anything that touches real data. The next step is authentication: each user logs in, and the server only runs tools for tokens it trusts.

MCP standardized on OAuth 2.1 for this. The part nobody warns you about is that OAuth binds the entire flow to your server's URL. Discovery, client registration, and t...

Every MCP server hits the same graduation moment. You build it, point Claude Desktop at it over stdio, and it just works. Then you want the same tools in Claude.ai on your phone, or you want to show a teammate, or you start wiring up OAuth. Suddenly stdio is not enough, and the friendly "works on my machine" story turns into connection-failed errors and docs about transports you had never heard of.

This is a working walkthrough of that crossing. By the end you will have a local MCP server reacha...

Yesterday it was TanStack. 42 packages, 84 malicious versions, published to npm in a six-minute burst, live for about twenty minutes before a security researcher caught it. The attacker didn't steal anyone's npm token. They compromised TanStack's CI pipeline, poisoned a build cache across a fork-PR trust boundary, and extracted the GitHub Actions worker's OIDC token to publish directly. The payload ran on npm install, harvested every credential it could reach (AWS, GCP, Kubernetes, Vault, ~/.npm...

The thing nobody warned me about with AI coding, once I started leaning on it for serious work, is that the bottleneck stops being the code. It becomes context. The agent will happily write whatever you ask, but if it doesn't know what the rest of the system looks like, what the constraints are, or what's already been decided, you get something that compiles, looks clean, and is wrong in ways you only spot a week later.

So this post is really about context management. And there's a reason that m...

When LocalCan 1.0 shipped, it did one thing: gave your local apps a .local domain you could trust. v2 added Public URLs so you could share your work-in-progress with the outside world.

Today's release is a different scale of jump. LocalCan 3.0 Beta is the biggest update we've ever shipped — fully rewritten, with a daemon architecture, new infrastructure, a new configuration model, and broader platform support. Everything we wanted to improve in v2 is now in this release.

Here's what's new.

A rea...

If you've integrated Stripe, you know the drill. You write your checkout flow, set up a webhook endpoint, deploy to staging... and then spend 20 minutes debugging why your checkout.session.completed event never arrives. Or worse, it arrives but your handler crashes, and you have no idea what the payload looked like.

The problem isn't Stripe. It's the feedback loop. Every time you change your webhook handler, you redeploy, trigger a test event, check the logs, and repeat. It's slow, painful, and ...

If you've built anything non-trivial with React Native and Expo, you've probably hit the tunnel wall.

You're working on a feature that needs a real device — maybe camera access, push notifications, or just making sure your gestures feel right outside the simulator. You run npx expo start --tunnel, wait for it to connect... and it either takes forever, gives you a new URL (again), or just drops mid-session.

This isn't a niche complaint. Expo's tunnel has been a pain point for years, with open iss...

Ever notice how Stripe IDs look like cus_dnh9ixB5QT or pi_3MqO8sL? That's not by accident.

These prefixed IDs aren't just a technical choice - they're a UX win. When you're debugging at 2am, team_ZsIylPM6qgNa tells you exactly what you're looking at. When users paste IDs in support tickets, you instantly know which table to query. When comparing two IDs side by side, the prefix makes it obvious if they're the same type.

I recently implemented this pattern in LocalCan when adding team support - t...

Table of Contents:

1. Development Setup
   • 1.1 Next.js
   • 1.2 Nginx
   • 1.3 Docker Compose for Development
   • 1.4 Connect from Next.js to Postgres
2. Production Setup
   • 2.1 GitLab - Create Repositories and Build Images
   • 2.2 Docker Compose for Production
   • 2.3 Certificate Renewal
   • 2.4 Setup Ubuntu
   • 2.5 GitLab Deployment Pipeline
   • 2.6 Connect to Postgres from Your Computer
   • BONUS: Logging with Loki

In this tutorial, you'll learn how to self-host your Next.js app or any other service on a VPS. No need for Vercel, Goo...

When you're developing SaaS applications, APIs or web apps locally, you need a way to expose your localhost to the internet. Maybe you're showing a demo to a client, testing with team members, or working with OAuth integrations.

But here's the thing - not all tunneling services are created equal. Some are lightning fast, while others will make you want to throw your laptop out the window.

I tested the top 6 tunneling services to see which one actually delivers the best speed. The results might s...

Key Takeaways

• Local tunneling creates secure connections between your localhost and the internet, enabling external access to development servers without complex network configurations

• Popular tools like ngrok, LocalCan, and Pinggy offer simple one-command setup for HTTP, TCP, and UDP tunneling with various pricing models and features

• Essential for webhook testing, remote collaboration, and bypassing NAT/firewall restrictions in development workflows

• Security measures including authentic...

AbortController is like a stop button for your JavaScript code. It lets you cancel things that are running - like API calls, streams, or event listeners.

Personally, after years of coming up with overly complex and tedious ways to remove listeners in React components, discovering AbortController and specifically AbortSignal greatly simplified my life!

Most developers don't know about this powerful feature. But once you learn it, you'll use it everywhere. Here's what happens when you don't have p...

Being a solo developer means wearing many hats – from writing code and managing databases to debugging APIs and handling infrastructure. The right tools can make these tasks easier and more efficient. While there are popular choices for each job, there are also underrated macOS-compatible tools that offer superb functionality (often with better usability or affordability) yet haven't hit the mainstream. Below, we highlight 10 such tools across various categories (version control, databases, API ...

Ngrok is a popular tunneling solution that’s used by thousands of developers. Although Ngrok has been a popular choice for some time, many developers are now seeking alternatives due to concerns about pricing, feature limitations, or specific project requirements.

Also, the fact that their free plan is limiting and makes you move to a subscription plan for unrestricted bandwidth is something that many developers don’t like. This is why we’ll discuss some Ngrok alternatives that don't come with t...

In this post, we will dive into protecting your WebSocket server from attacks. I will share my learnings from mitigating attacks on Webhook.cool↗, a free online webhook tester that is #3 on Google with lots of traffic and is open to use for everyone without a sign-up.

WebSockets allow for real-time communication between a server and clients, improving the usability and UX of many web applications. However, they can be a vector for attacks that are not easy to spot. Imagine this: server logs look...

When developing web apps, it's essential to mirror the production environment as closely as possible. This includes using HTTPS, which allows testing of critical features like authentication, secure cookies, service workers, PWAs, and the Geolocation API to name a few. These features are often restricted to secure contexts, thereby reducing the likelihood of encountering unexpected issues when deploying to production.

In this post, we'll explore how to create a self-signed certificate for local ...