blog - https://maxgerber.com
email - max at stytch dot com
- I've also had drivers do 50+ in residential areas, run red lights, play on their phones, cut off pedestrians in crosswalks, and once even park in a handicap spot at a gas station to buy cigs with me left in the back seat. If I was guaranteed a driver that could obey the traffic laws, I'd be happy to continue taking Ubers. That hasn't been the case.
- The initial remote MCP specification was pretty painful, but the June spec and the upcoming November spec are much more workable - MCP auth is (mostly) just OAuth now. MCP Clients are OAuth clients and can be granted access tokens and managed just like any other 3rd party app integration.
I'd love to hear more about the specific issues you're running into with the new version of the spec. (disclaimer - I work at an auth company! email in bio if you wanna chat)
- Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
- I’ve bought several of the WAOAW sleep masks as well. They’re great for the price point - I have a nasty habit of forgetting them in hotel beds though. I tend to go through one every few years or so. My wife enjoys hers as well.
Has anyone bought the third brand to round out the discussion?
- The innocuous https://grants.github.com/apply URL goes to a completely different site. Sneaky sneaky.
- I should caveat this by saying this is certainly not 9/9/6, yeesh. Weekdays are fuzzy but never 12 hour days. Do you count going to a meetup after hours as work? A dinner with a prospect? Early coffee with a coworker? Saturdays or Sundays are maybe two or three hours at the most.
- Of course we are! This year has been the most exciting (and fun!) of my career in the Bay. There is so much to do and so much going on. Things that were impossible a year ago suddenly feel imminent. Nobody is forcing (or really even asking) me to work on the weekends but if I have an interesting idea bouncing around in my brain I'm not going to wait until Monday to play around with it.
- Cloudflare is only the first to market with a solution. If this proposal catches on every WAF vendor under the sun will have it implemented before the next sales cycle. Enforcement of this standard will be commoditized down to nothing.
- It cracks me up to no end how the dev tools are much better MCP clients than the web chatbots. Claude Code is so _so_ much better at MCP than Claude Web, which has issues with managing DCR client state, is comparatively terrible at surfacing debug information up, doesn't let regular users see under the hood at how tools are described or called, etc.
Using Claude Code or your IDE of choice to book a hotel is a fun unintended side effect of this.
- I would also recommend the OAuth 2.1 IETF draft as a precursor to the BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-...
Although it isn't a published RFC yet, it intends to replace several sometimes-conflicting previous RFCs + the BCP with a single document.
- Refresh tokens are only really required if a client is accessing an API on behalf of a user. The refresh token tracks the specific user grant, and there needs to be one refresh token per user of the client.
If a client is accessing an API on behalf of itself (which is a more natural fit for an API Key replacement) then we can use client_credentials with either client secret authentication or JWT bearer authentication instead.
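The client_credentials flow with JWT bearer client authentication described above, as an added example that is not from the comment: the client signs an assertion about itself (iss and sub are both the client id), POSTs it to the token endpoint, and the authorization server verifies it. HS256 via the standard library is used so it runs offline; the token endpoint, client id and secret are constructed values.

```python
import base64, hashlib, hmac, json, uuid
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"  # constructed value
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(client_id, client_secret, now, ttl=60):
    # iss and sub are both the client: it authenticates itself, no user
    # grant is involved, so there is nothing a refresh token would track.
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def build_token_request(client_id, client_secret, scope, now):
    # Form body the client POSTs to TOKEN_ENDPOINT; no user, no refresh token.
    return urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": make_client_assertion(client_id, client_secret, now)})

def verify_client_assertion(token, secrets_by_client, now, seen_jti):
    # Authorization-server side: pin the alg, then check signature, audience,
    # subject, expiry and jti replay before trusting the asserted client id.
    try:
        h, p, s = token.split(".")
        hdr, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        secret = secrets_by_client[claims["iss"]]
    except (ValueError, KeyError, TypeError):
        return None
    if hdr.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("sub") != claims["iss"]:
        return None
    jti = claims.get("jti")
    if not jti or jti in seen_jti or now >= claims.get("exp", 0):
        return None
    seen_jti.add(jti)
    return claims["iss"]
```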
- Many "softer" forms of SSO have trickled down too. Google + Microsoft OAuth are ubiquitous today without any upcharge. OAuth from a Google Workspace account managed by an IT admin has many of the same security guarantees as SAML or OIDC from a Google Workspace account, at least for a small player. There are some sketches like https://easie.dev/ that explore this further.
- For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
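An added example, not from the comment, of what a connect-src restriction actually decides: a minimal evaluator for the CSP connect-src directive covering 'self', 'none', scheme-sources, host-sources with a leading wildcard and an optional port, with fallback to default-src. The policy and URLs are constructed; real browser matching has more rules (port defaults, https-to-wss upgrades) that are left out here.

```python
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    # "connect-src 'self' https://api.example.test; img-src *" -> {directive: [sources]}
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.test" matches subdomains only, never the bare apex.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def _source_allows(src: str, url, page) -> bool:
    if src == "'none'":
        return False
    if src == "'self'":
        return (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port)
    if src == "*":
        return True
    if src.endswith(":"):                 # scheme-source, e.g. "https:"
        return url.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != url.scheme:
        return False
    if s.port and s.port != url.port:
        return False
    return _host_matches(s.hostname or "", url.hostname or "")

def connect_allowed(header: str, page_url: str, target_url: str) -> bool:
    # connect-src falls back to default-src; with neither, every connection is allowed.
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True
    page, url = urlsplit(page_url), urlsplit(target_url)
    return any(_source_allows(src, url, page) for src in sources)
```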
- SSO chaining is super common in large corporate environments. Different orgs might have their own SSO IDP, acquisitions often bring their own, etc. Once a provider is in use, it is quite difficult to tear out later while keeping everyone in their proper accounts in all the apps that tie in. Many apps are really bad at SSO migrations, or deduplicating multiple SSO identities to a single user account.
- This is conceptually extremely similar to the Web Push API: https://web.dev/articles/push-notifications-web-push-protoco...
You'd need something at the browser/UA level to unsubscribe or to make the subscription exist for only a single message. Bad content publishers have taught us to never allow Web Push notifications since they always get inundated with marketing and other nonsense - being able to bake protections against that into the spec could be interesting.
- I dream of a low-mileage early 2000s Taco with aftermarket Carplay
- Installing a dependency for myself is just a little harder the first time. Asking every developer who will ever consume my service over CURL to install a dependency is absolutely an ongoing burden.
- Each JWT was passed as a query param over a 307 redirect from my service to the other side, so the JWT itself was the whole request to prevent tampering from the browser. It was for an internal tool that did one thing, did it well, and never caused me any problems.
That's a phenomenally important problem to solve for Anthropic, OpenAI, Google, and anyone else who wants to build generalized chatbots or assistants for mass consumer adoption, as well as any existing company or brand that owns data assets and wants to participate as an MCP Server. It's a chatbot app store standard. That's a huge market.