The Model Context Protocol's next specification — release candidate locked May 21, 2026, final spec shipping July 28 — is the most significant protocol revision since MCP launched. If you're running MCP servers in any production context, the headline change is architectural: the stateful session layer is gone.
I've been tracking the SEPs (Specification Enhancement Proposals) that make up this release. Here's the breakdown of what's actually changing and what you need to do before July 28.
The Big Change: MCP Is Now Stateless
The current spec requires an initialize/initialized handshake and tracks sessions via Mcp-Session-Id. That means sticky routing — every request mid-session must hit the same server instance that handled the handshake. For anyone running more than one server instance behind a load balancer, this has meant either session affinity configs, shared session stores, or both.
The July 2026 spec eliminates all of that. No session handshake. No session ID header. Any request can land on any server instance, and a plain round-robin load balancer works. As the spec notes: "sticky routing and shared session stores that horizontal deployments needed before are no longer required at the protocol layer."
The migration cost is real though. Anything your server stored in session state — auth context, client capabilities, conversation context — needs to move to request payloads or live in external state the server treats as cache.
New Headers Required on Every Request
The Streamable HTTP transport now requires two new headers (SEP-2243):
Mcp-Method: The method being called (e.g.,tools/call,resources/read)Mcp-Name: The tool or resource name
The motivation is operational: load balancers, API gateways, and rate limiters can now route on the operation without inspecting message bodies. If you run different tool implementations on different server pools, routing on Mcp-Name at the gateway layer becomes straightforward.
The version header also changes: MCP-Protocol-Version: 2026-07-28 replaces the session-based versioning model.
Caching Gets Real: ttlMs and cacheScope
SEP-2549 adds ttlMs and cacheScope to list and resource read responses, modeled directly on HTTP Cache-Control.
ttlMs tells the client how long the response is valid. cacheScope indicates whether a cached response is safe to share across users or is user-scoped. A tools/list response with a reasonable TTL and global scope means clients don't hammer your server on every new connection — they reuse a cached tool catalog.
For MCP servers surfacing large tool catalogs or frequently-read resources, implementing these fields correctly meaningfully reduces server load. For clients, it makes a proper cache layer possible without guessing at freshness.
SSE Streams Are Out: Multi Round-Trip Requests Replace Them
Server-to-client streaming via SSE is being replaced by Multi Round-Trip Requests (SEP-2322). The flow: a server returns InputRequiredResult with a requestState payload when it needs input mid-operation. The client issues a new call with inputResponses included. Any server instance can handle the retry because the full context is in the payload.
This completes the stateless design — even mid-operation server-to-client communication is now stateless. If you've built direct MCP protocol implementations rather than relying on SDK abstractions, plan for this refactor. Most SDK updates will abstract the change, but direct implementations need new handling.
What's Being Deprecated
Three features enter formal deprecation with this spec:
| Feature | Replacement |
|---|---|
| Roots | Tool parameters or URIs |
| Sampling | Direct LLM provider APIs |
| Logging | stderr or OpenTelemetry |
There's a 12-month minimum deprecation window (SEP-2577), so nothing disappears before mid-2027. But the direction is set. If you're using sampling in any server — routing LLM calls through MCP — start the migration now. The intent is that agents call LLM providers directly.
New Capabilities Worth Knowing
Extensions (SEP-2133) become first-class: identified by reverse-DNS names, negotiated via capability maps, with independent version schedules. This is how the protocol grows without spec churn going forward — capabilities that aren't universally needed live as extensions rather than core.
Tasks extension graduates from experimental. tools/call now returns a task handle; clients drive progress via tasks/get, tasks/update, tasks/cancel. Long-running agent operations finally have a proper lifecycle model.
MCP Apps (SEP-1865): Servers can now serve HTML interfaces, sandboxed in iframes client-side. Worth auditing carefully before deploying anything that surfaces sensitive data — the security boundary is new and implementation quality will vary across clients.
JSON Schema 2020-12 is now fully supported (SEP-2106): oneOf, anyOf, allOf, conditionals, and $ref composition work correctly in tool input schemas. Matters for anything that needs conditional or polymorphic input types.
What to Do Before July 28
- Audit session state dependencies. Identify what your server stores per-session. Plan to move it to request payloads or external cache.
- Add
Mcp-MethodandMcp-Nameheaders. Required on all Streamable HTTP transport requests. - Add
ttlMsto list responses. Even conservative values (60000ms) improve client-side caching significantly. - Check for Roots or Sampling usage. If you're using either, start the migration path now, not under deadline.
- Pin your SDK version and watch for reference SDK releases that ship alongside the final spec on July 28.
The stateless redesign is the right call. Production MCP deployments have been working around the session model since the protocol launched. This spec makes proper deployment patterns first-class instead of workarounds. The migration work is real but tractable — and worth doing before the spec ships final.
Sources: MCP 2026 Roadmap — Model Context Protocol Blog · MCP July 2026 Release Candidate — Model Context Protocol Blog · MCP's biggest growing pains will soon be solved — The New Stack
Comments
Post a Comment