Changelog

May 28, 2026

Rootly MCP supports OAuth 2.0

The Rootly MCP server now supports OAuth 2.0. AI agents and other MCP clients can connect to Rootly by signing in and receiving a scoped, short-lived token, instead of being configured with a long-lived API key.

Why it matters

Connecting an agent to Rootly used to mean generating an API key and pasting it into the client’s configuration. That key carries the full permissions of whoever created it, doesn’t expire on its own, and lives wherever the agent is configured. As more teams wire AI tools into their incident and on-call workflows, that adds up to a lot of broad, long-lived secrets to keep track of.

With OAuth, an MCP client authenticates through a standard sign-in flow and receives a token scoped to only the access it needs, which expires on its own. You grant an agent exactly what it should be able to do, and nothing more.

How it works

Point your MCP client at Rootly and authorize it through the standard OAuth flow. The client receives a short-lived access token that refreshes automatically, so there’s no API key to copy around or rotate by hand. A token can never exceed the permissions of the user who authorized it.

The same OAuth support also covers direct API access and command-line tools, so scripts, CI pipelines, and CLI or TUI clients can authenticate the same way.

Getting started

See the documentation for setup steps, supported flows, and the full list of scopes.

What else shipped

Improvements

On-Call

  • Pay reports now support additional timezone settings, so shift pay is calculated against the timezone your team actually works in.
  • The weekly shift summary help text now accurately states that it covers the upcoming seven days, matching how the summary actually works.

Incident Response

  • API key expiration reminders can now be sent 30, 14, or 7 days in advance, giving you more notice before a key stops working.
  • A new Members read-and-edit permission lets you control who can view and manage org members, closing a gap where member data was readable by everyone.
  • You can now disable automatic role assignment for maintenance incidents, so scheduled maintenance doesn’t assign responders.
  • Markdown links in service and team descriptions are now clickable.
  • Shadows can now receive Slack notifications even when no Slack channel is configured on the schedule.

API

On-Call

  • PUT /v1/teams/:id now returns an error when a caller without the Members-manage permission tries to change user_ids, instead of silently dropping the change and returning a 200.
  • The List OnCalls endpoint is now more reliable for large schedules, fixing timeouts, slow responses, and cases where it returned empty data.

Incident Response

  • GET /v1/users/{id}?include=teams now returns only the teams in the workspace the API key authenticates against, rather than teams across all workspaces.

Terraform

  • The rootly_heartbeat resource now applies changes to its enabled setting, so toggling a heartbeat on or off through Terraform works as expected.
  • Fixed a race condition when multiple schedule changes are applied at once by adding a lock, improving reliability for concurrent Terraform runs.

MCP Server

  • Hosted MCP deployments now expose the full tool surface by default again, so remote clients no longer miss create and update workflows.
  • A new slimmer hosted profile of about 70 high-usage tools can be opted into with ?tool_profile=slim, the X-Rootly-Tool-Profile: slim header, or a server setting. An exact custom allowlist via ROOTLY_MCP_ENABLED_TOOLS still takes precedence over either profile.
  • Calling a tool with a missing or misnamed path argument now returns a clear validation error naming the missing parameter, instead of a misleading 404.
  • Tenants with Advanced Alert Routing enabled no longer hit repeated 403s, the replacement listAlertRoutes and getAlertRoute tools are now available by default, and the deprecated endpoint’s errors point to them.
  • getScheduleShifts and listShifts now reject date ranges larger than the upstream cap up front with a clear recommendation to split the request, instead of returning an opaque 422.
  • Tool descriptions now spell out the expected argument names and limits, for example incident_id for getIncident, the 10-result cap on search_incidents, user_ids rather than emails on check_responder_availability, and the plural schedule_ids on get_oncall_schedule_summary.
  • Blank optional filters (empty strings, whitespace, or empty lists) are now dropped before requests are sent upstream, preventing them from corrupting pagination.

Fixes

On-Call

  • Alerts created from incident attachments now get a correct timestamp and timeline event.
  • Alert labels are no longer overwritten when the notification system updates an alert; the original source name is preserved.
  • Slack alert messages now correctly update to show an acknowledged status.
  • HTML in an alert description now renders correctly for alerts created through the API.
  • Long alert descriptions no longer push action buttons off the screen in notifications.
  • Round Robin escalation policies now skip an empty schedule right away instead of waiting the full delay before moving on.
  • Custom alert fields now display correctly on the Slack alert message.
  • Syncing a Backstage catalog no longer overwrites a service’s owning team and escalation policies.

Incident Response

  • The dashboard editor no longer times out when saving changes to a large dashboard.
  • Status page updates now keep blank-line spacing instead of collapsing paragraphs together.
  • The API key expiration column now shows the year.
  • The Mark as Private toggle now respects elevated permissions granted through an incident permission set.
  • Marking a retrospective as published no longer publishes an empty document.
  • The Resolved status now appears on the initial Slack incident form when sub-statuses are ordered.
  • Renamed values on a built-in timestamp field now show correctly in the edit form.
  • An incident’s closed time is now recorded from when it was actually closed, not from when it was resolved.
  • You can now save a retrospective process description after the process has been created.
  • Publishing a retrospective no longer fails when an exported retrospective document is attached.
  • The default role from SCIM SSO is no longer shown as stale in the Edit Role screen.
  • The Slack Status Page button now links to the status page instead of the incident timeline.
  • Auto-skip retrospective is now applied when an incident is closed from Slack.
  • A Slack channel added to an incident manually is now reflected in the incident timeline.
  • The “Press Enter to add” helper no longer shows raw HTML tags.
  • Customers with zero Incident Response seats can now invite On-Call-only users.
  • Backstage sync now imports all services instead of stopping partway through.
