cd ~/series/demystifying-ai
MCP Goes Stateless - The Biggest Protocol Rewrite Since Launch
EP 04 MCP Blog Jul 13, 2026 5 min

MCP Goes Stateless: The Biggest Protocol Rewrite Since Launch

Seven groups of breaking changes ship Jul 28. Sessions are the headline, but OAuth, Extensions, and deprecations will blindside you if you only prep for one.

Share:
// TL;DR

MCP 2026-07-28 ships 7 breaking changes. Sessions removed. Handshake removed. OAuth hardened. HTTP+SSE deprecated. Roots/Sampling/Logging deprecated. New Extensions framework. One migration report: -412 lines, +168 lines. Remote HTTP servers must migrate before Jul 28. stdio-only servers can mostly wait.

# 7 Things That Break

This is not a version bump you can sleep through. Seven groups of changes will break remote servers built against today's spec.

01 Stateless core

initialize handshake + Mcp-Session-Id removed. No sessions, no sticky routing.

SEP-2575, SEP-2567
02 Routable headers required

Mcp-Method + Mcp-Name headers mandatory. Server rejects if headers and body disagree.

SEP-2243
03 Caching replaces notifications

ttlMs + cacheScope on list results. No more SSE change streams.

SEP-2549
04 Multi-round-trip redesign

InputRequiredResult replaces holding SSE streams open for multi-step flows.

SEP-2322
05 HTTP+SSE deprecated

Streamable HTTP is the only transport going forward. Legacy SSE enters 12-month deprecation.

SEP-2596
06 OAuth hardened

RFC 9207 iss validation now mandatory. Stricter authorization flows for remote servers.

07 Deprecations + schema changes

Roots, Sampling, Logging deprecated (12-month removal window). Error code -32002 becomes -32602. Tool input schemas now support full JSON Schema 2020-12 (oneOf, anyOf, $ref).

Remote HTTP servers

Migrate before Jul 28. Clients that speak 2026-07-28 will negotiate the new version; servers that don't will degrade and then stop working.

stdio-only local servers

Mostly wait. The SDK shims the lifecycle change. Upgrade at your next planned major bump.

# The Big One: Stateless Core

Old spec: handshake first, session header on every call, pinned to one server. New spec: one self-contained request, any instance.

BEFORE 2 round trips
POST /mcp
// 1. Handshake
{"method":"initialize",
 "params":{"protocolVersion":
   "2025-11-25"}}  

// Server sends session ID

POST /mcp
Mcp-Session-Id: sess_abc123
// 2. NOW call tools
{"method":"tools/call",
 "params":{"name":"search"}}
AFTER 1 round trip
POST /mcp
MCP-Protocol-Version: 2026-07-28
Mcp-Method: tools/call
Mcp-Name: search

{"method":"tools/call",
 "params":{"name":"search",
   "arguments":{"q":"otters"},
   "_meta":{
     "clientInfo":{
       "name":"my-app"}
   }}}  
_meta Version + capabilities ride on every request
server/discover On-demand capability query replaces initialize
State handles Explicit IDs replace implicit session state

PATTERN State handles in action

create_basket()           -> { basket_id: "bsk_a1b2" }

add_item({
  basket_id: "bsk_a1b2",
  item: "shoes"
})                         -> hits server 2

checkout({
  basket_id: "bsk_a1b2"
})                         -> hits server 5

Handle resolves against your backing store. Each call can hit any instance. The protocol just passes strings through.

# Everything Else That Ships

Sessions are the headline, but the spec revision is wider than that. Four more things you need to know.

Extensions framework SEP-2133

New features now ship as opt-in extensions, not core spec changes. Tasks (long-running work with its own lifecycle) and MCP Apps (server-rendered interactive UI) are the first two. This is how MCP evolves going forward without breaking the core.

OAuth hardened

RFC 9207 iss validation is now mandatory on token responses. Remote servers with OAuth flows must validate the issuer claim. This prevents mix-up attacks where a malicious authorization server substitutes tokens.

Deprecation policy + deprecated features

New 12-month deprecation policy: features get Active → Deprecated → Removed with at least 12 months between Deprecated and Removed. First batch: Roots, Sampling, Logging all enter Deprecated. The -32002 error code moves to standard -32602.

Full JSON Schema for tool inputs

Tool input schemas upgrade from a limited subset to full JSON Schema 2020-12. oneOf, anyOf, $ref, and conditionals are now valid. More expressive tool definitions without workarounds.

# The Migration

"My diff for a 15-tool server removed 412 lines and added 168. Statelessness mostly means deleting code."
-412
+168

Source: Hamza Shabbir's migration writeup

RC
May 21 Locked
1.0
Jul 28 Final
SDK
~10 wks Support
# Full migration checklist

## Stateless core
1. npm install @modelcontextprotocol/sdk@rc
2. grep -r "Mcp-Session-Id" src/        # delete all
3. grep -r "isInitializeRequest" src/   # delete all
4. grep -r "sessionIdGenerator" src/    # set undefined

## Infrastructure
5. Remove sticky sessions from k8s/nginx
6. Ensure Mcp-Method, Mcp-Name, MCP-Protocol-Version
   headers pass through proxy chain

## Caching + auth
7. Add ttlMs + cacheScope to tools/list
8. Add RFC 9207 iss validation to OAuth

## Cleanup
9. Replace error code -32002 with -32602
10. Verify:
   curl -H "Mcp-Method: tools/call" \
        -H "Mcp-Name: test" your-server/mcp
// Bottom Line

This is not just "sessions got removed." It's 7 groups of breaking changes spanning the core protocol, auth, transport, and feature lifecycle. The stateless core is the headline. The Extensions framework is how MCP evolves from here. The deprecation policy gives you 12 months. If you run remote HTTP MCP servers, start testing against the RC now. stdio servers can wait.

NEXT EPISODE
Wed
#05Upcoming

SkillOpt: Your Agent's Skills Are Trainable Parameters

Microsoft trained agent skills like neural network weights. +23 points on GPT-5.5 without changing a single model parameter.

Enjoyed this?

New episodes Mon, Wed, Sat.