Skip to main content
As Squirrels maintainers, we are dedicated in maintaining backward compatibility across all patch versions in the same minor version. We are also committed to avoid breaking changes across minor versions as much as possible. However, if absolutely necessary, we will provide a smooth upgrade path for users. The following are fixes and new features for v0.6.0.

Fixes

  • [BREAKING CHANGE] Renamed the SquirrelsProject.dataset method to SquirrelsProject.dataset_result to avoid confusion with the DashboardArgs.dataset method. Although the two methods had the same name, they had different purposes and return different types.

New features

[BREAKING CHANGE] Mounting Squirrels APIs into an existing FastAPI application
  • Added the SquirrelsProject.get_fastapi_components method to get the FastAPI components for the Squirrels project including mount path, lifespan, and FastAPI app. This allows you to mount the Squirrels APIs into an existing FastAPI application.
  • Since the project name and version are now included in the mount path, they have been removed from the rest of the API path for all endpoints. THIS IS A BREAKING CHANGE. See the /docs endpoint of the Squirrels API server for the updated API endpoints.
  • Running with sqrl run (i.e., in “standalone mode”) is equivalent to mounting the Squirrels APIs to the default mount path of /analytics/{project_name}/v{project_version} and running the main FastAPI app.
[BREAKING CHANGE] Column condition is now a list of strings
  • Column conditions are now defined as a list of strings instead of a single string. This allows for multiple conditions to be specified for a single column where each condition can be concise and easily understood.
  • Example:
columns:
  - name: amount
    type: float
    condition: ["group_by == 'Transaction'", "group_by == 'Category'"]
External auth strategy (auth_strategy: external)
  • Added project_variables.auth_strategy in squirrels.yml, allowing you to choose between:
    • managed (default): Squirrels-managed users, passwords, and API keys
    • external: Trust an external OAuth authorization server and validate provider-issued Bearer tokens
  • When auth_strategy is external:
    • auth_type defaults to required and auth_type: optional is not allowed.
    • You must define exactly one auth provider in pyconfigs/user.py, and that provider should support Dynamic Client Registration (DCR).
    • Provider-issued Bearer tokens may be JWTs (validated via JWKS) or opaque tokens (validated via userinfo_endpoint, with fallback to introspection_endpoint when available).
    • Certain Squirrels-managed auth endpoints are disabled (e.g., username/password login, API keys, user management).
    • Environment variables used for managed auth (such as SQRL_SECRET__ADMIN_PASSWORD, SQRL_AUTH__DB_FILE_PATH, and SQRL_AUTH__TOKEN_EXPIRE_MINUTES) do not apply.
  • Added /.well-known/oauth-protected-resource (OAuth 2.1 Protected Resource Metadata, RFC 9728) to help OAuth-aware clients discover the authorization server(s) when running in standalone mode.
  • MCP server auth: when auth_strategy is external and auth_type is required, the MCP server requires Authorization: Bearer <token> and responds with HTTP 401 + WWW-Authenticate pointing to the protected resource metadata endpoint.
Using MCP’s _meta field for configurables
  • It is now possible to pass configurables to MCP tools by specifying them in the _meta field of the tool call. More details on the _meta field can be found in the MCP specifications here.
  • Just like before, the user must have elevated access level to pass configurables to MCP tools. This usually means the user is an admin unless the SQRL_PERMISSIONS__ELEVATED_ACCESS_LEVEL environment variable is set to a lower value.
  • For example, if you have a configurable called schema_name in your project, you can pass it as a _meta field in the tool call with the key schema_name. Support for the request header format x-config-schema-name is also available for backwards compatibility.
  • Example JSON-RPC request body:
{
  "method": "tools/call",
  "params": {
    "name": "get_dataset_results_from_my_project",
    "arguments": {
      ...
    },
    "_meta": {
      "schema_name": "my_schema"
    }
  }
}
Dashboard context variables and configurables
  • Dashboards now have access to context variables defined in context.py. This allows dashboards to use dynamic logic based on parameter selections and user attributes, similar to how datasets work.
  • The sqrl argument in the dashboard’s main function now includes a ctx dictionary containing the context variables.
  • Dashboards can now override project-level configurables in their .yml configuration files using the configurables key.
  • These overrides are automatically merged with project-level defaults and are accessible via sqrl.configurables in the dashboard logic.
Static files
  • Static files can now be served from the resources/public/ directory.
  • For example, if you have an image in resources/public/images/logo.png, you can access it using the {mount_path}/public/images/logo.png route. When running in standalone mode (i.e., using sqrl run), the mount path is /analytics/{project_name}/v{project_version}.
  • When specifying the icon for an authentication provider in pyconfigs/user.py, you can now use a path starting with /public/ to indicate a file in the resources/public/ directory.

More info

For more details, see the GitHub release notes for v0.6.0.