Developers

Everything megachangelog tracks is available over four channels — a read-only REST API, RSS feeds, an MCP server, and signed webhooks. The base URL is https://megachangelog.com.

Authentication

Browsing is anonymous. You only need a key for per-user data (your feed and account).

Create an API key on your account page. Keys look like mck_<prefix>_<secret> and are shown once at creation — store the full value. Send it as a bearer token:

Authorization: Bearer mck_<prefix>_<secret>

For read-only RSS access to your personal feed there is also an unguessable feed token (manage it on your account page) powering /feed/<token>/rss.xml — no header required, so it works in any feed reader.

REST API

Versioned under /api/v1, JSON responses, CORS open to all origins, and limit/offset paging (max 100). Public endpoints are edge-cached; authenticated ones are private, no-store.

GET/api/v1

Index — lists every endpoint, feed, and MCP tool.

GET/api/v1/companies

Tracked companies. Query: industry, search, limit, offset.

GET/api/v1/companies/{slug}

One company plus its recent entries.

GET/api/v1/entries

Recent entries across all companies. Query: company (slug), limit, offset.

GET/api/v1/playlists/{id}

A public or unlisted playlist: its companies and a merged feed.

GET/api/v1/meauth

The authenticated user (name, email, key scopes).

GET/api/v1/me/feedauth

The authenticated user's personal feed (followed companies).

Examples

# Public — no auth, CORS-enabled (Access-Control-Allow-Origin: *)
curl "https://megachangelog.com/api/v1/entries?limit=5"
curl "https://megachangelog.com/api/v1/companies?industry=developer-tools&search=ver"
curl "https://megachangelog.com/api/v1/companies/vercel"

# Authenticated — create a key at https://megachangelog.com/account
curl -H "Authorization: Bearer mck_<prefix>_<secret>" \
  "https://megachangelog.com/api/v1/me/feed?limit=60"

Entry shape

List endpoints return { data, pagination }. Each entry is the same stable object everywhere (REST, MCP, and webhooks):

{
  "id": "…",
  "title": "Increased Blob store limit for Hobby users",
  "summary": "Hobby projects can now store up to 1 GB in Blob.",
  "version": null,
  "changeType": "improvement",
  "tags": ["storage"],
  "publishedAt": "2026-06-20T12:00:00.000Z",
  "url": "https://megachangelog.com/changes/vercel/increased-blob-store-limit-…",
  "sourceUrl": "https://vercel.com/changelog/…",
  "company": { "slug": "vercel", "name": "Vercel" }
}

RSS feeds

RSS 2.0 with full content:encoded. Point any reader at these URLs.

GET/rss.xml

Everything, newest first.

GET/companies/{slug}/rss.xml

A single company.

GET/playlists/{id}/rss.xml

A public or unlisted playlist.

GET/feed/{feedToken}/rss.xml

Your personal feed, authenticated by the unguessable token.

MCP server

A streamable-HTTP Model Context Protocol server at /api/mcp. Browse tools work anonymously; pass a bearer key to unlock get_my_feed.

claude mcp add --transport http megachangelog \
  https://megachangelog.com/api/mcp \
  --header "Authorization: Bearer mck_<prefix>_<secret>"

TOOLsearch_companies

Search companies by name, optionally filtered by industry.

TOOLlist_recent_changes

Recent entries across all companies, or scoped to one.

TOOLget_company_changelog

One company's recent entries with a header.

TOOLget_playlist

A public/unlisted playlist's companies and merged feed.

TOOLget_my_feedauth

The authenticated user's personal feed.

Webhooks

Get an HTTP POST when companies you follow (directly or in a playlist) publish new changes. Register endpoints on your account page.

Each delivery is a JSON POST carrying every new entry since the last successful delivery (newest companies you watch, capped per delivery). The only event today is entry.created.

POST <your-endpoint>
Content-Type: application/json
User-Agent: megachangelog-webhooks/1
X-Megachangelog-Event: entry.created
X-Megachangelog-Delivery: <uuid>
X-Megachangelog-Webhook-Id: <uuid>
X-Megachangelog-Signature: sha256=<hex>

{
  "event": "entry.created",
  "deliveryId": "…",
  "webhookId": "…",
  "deliveredAt": "2026-06-22T13:15:00.000Z",
  "entries": [ /* array of entry objects, same shape as the REST API */ ]
}

Verifying the signature

Every request carries X-Megachangelog-Signature: sha256=<hex>, an HMAC-SHA256 of the raw request body keyed by your endpoint's signing secret (shown once when you create or rotate it). Reject requests that don't match.

import { createHmac, timingSafeEqual } from "node:crypto";

// rawBody must be the exact bytes you received (do not re-serialize JSON).
function verify(secret, rawBody, signatureHeader) {
  const expected =
    "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
  const a = Buffer.from(signatureHeader);
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

Delivery & retries: a failed delivery is retried on the next cycle (the cursor only advances on success), and an endpoint that keeps failing is automatically disabled — re-enable it from your account page. Respond with a 2xx within 10 seconds to ack.