cd /news/ai-infrastructure/mcp-goes-stateless-what-the-july-28-… · home topics ai-infrastructure article
[ARTICLE · art-46030] src=byteiota.com ↗ pub= topic=ai-infrastructure verified=true sentiment=· neutral

MCP Goes Stateless: What the July 28 Spec Breaks

The Model Context Protocol's 2026-07-28 release candidate eliminates session-based architecture, removing the Mcp-Session-Id, initialize handshake, and sticky routing requirements. The change forces MCP server operators to update their implementations by July 28 to avoid breaking changes including new required headers, removal of SSE streams, and error code updates.

read4 min views1 publishedJul 1, 2026
MCP Goes Stateless: What the July 28 Spec Breaks
Image: Byteiota (auto-discovered)

The Model Context Protocol’s session-based architecture has been a quiet production liability since day one — and in 27 days, it’s gone. The 2026-07-28 release candidate, locked since May 21, eliminates Mcp-Session-Id

, the initialize

handshake, and sticky routing requirements in one sweep. If you’re running an MCP server today, you have until July 28 to understand what breaks and what to do about it.

Why Sessions Were a Liability #

The original MCP spec required a session handshake on every new connection. Servers minted an Mcp-Session-Id

that pinned each client to a specific instance. On paper, fine. In practice, a distributed deployment disaster.

The failure mode was subtle and nasty: pod A handled initialize

and issued the session ID, then the SDK’s long-lived SSE GET stream silently hashed to pod B — which knew nothing about that session — and returned a 404. Teams spent days debugging what looked like a network issue. The real culprit was a protocol-level assumption that every connection lands on the same machine. The fix was load balancer stickiness, which is infrastructure duct tape over a spec problem.

The new spec removes the assumption entirely.

What Stateless MCP Looks Like #

As of the 2026-07-28 spec, there is no handshake. Protocol version, client identity, and capabilities travel in a _meta

object on every request. Any server instance can handle any request. You can run MCP behind a plain round-robin load balancer, route traffic on the new Mcp-Method

header, and scale horizontally without sticky sessions or shared session stores.

Application state didn’t disappear — it moved somewhere more honest. Tools now return explicit opaque handles (think a basket_id

or job_id

). The model can see these handles, reason about them, and pass them forward on subsequent calls. Your server stores actual state in Redis, PostgreSQL, or wherever makes sense. The state is visible to the agent, which makes debugging substantially easier and agent behavior more predictable.

5 Breaking Changes in MCP Stateless 2026 #

Five things break on July 28 if you don’t act:

Session initialization removed: Theinitialize

/initialized

handshake is gone. Replace capability discovery with the newserver/discover

RPC.New required headers: All Streamable HTTP requests must includeMcp-Method

andMcp-Name

headers. These enable gateway routing without payload inspection. Omit them and your requests will fail.SSE streams eliminated: Long-lived GET streams for SSE are replaced by the Multi Round-Trip Request pattern. Servers returnInputRequiredResult

with an opaquerequestState

; clients echo it back on the follow-up request.Tasks moved to extension: If you’re using the core Tasks feature, it’s now a separate extension (SEP-2663) with a new polling lifecycle —tools/call

returns a handle, clients poll withtasks/get

. Thetasks/list

method is gone.Error code change: Missing resources previously returned-32002

. That’s now standard JSON-RPC-32602 . Update any error handling that keys on the specific code.

Three Deprecations — Don’t Panic Yet #

Roots, Sampling, and Logging are deprecated as of July 28. They still work. The spec guarantees a minimum 12-month window before removal, meaning nothing breaks until at least July 2027. But start planning: Roots moves to tool parameters or resource URIs; Sampling moves to direct LLM provider APIs; Logging moves to stderr or OpenTelemetry. None of these are urgent today, but they’re on the clock.

What’s New Worth Watching #

The spec ships two official extensions. MCP Apps (SEP-1865) lets servers render HTML interfaces in sandboxed iframes — tools declare UI templates, and all actions route through standard JSON-RPC audit/consent paths. It’s the first time MCP servers can ship embedded UIs without leaving the protocol’s security model. The Tasks extension (SEP-2663) replaces the old blocking pattern with a clean polling lifecycle that actually works without sessions.

The authorization layer also got a real upgrade. Six OAuth SEPs tighten the spec: clients must now validate the iss

parameter per RFC 9207 to prevent mix-up attacks, and OpenID Connect application_type declarations are required during Dynamic Client Registration. If you’re running MCP in multi-tenant or multi-server environments, audit your auth code now.

Migration Checklist: Before July 28 #

  • Remove session initialization logic from your server
  • Update request handling to read protocol version from _meta

fields - Add Mcp-Method

andMcp-Name

headers to all Streamable HTTP requests - Migrate any Tasks usage to the extension polling pattern

  • Audit OAuth/OIDC client registration against the six auth SEPs

SDK 1.3.0 already supports the explicit-handle pattern, so you can start building stateless-compatible tools today. Tier 1 SDKs (Python and TypeScript) are expected to ship full spec support within the 10-week validation window, which closes right around July 28.

The session model was a workaround dressed up as architecture. Good riddance.

── more in #ai-infrastructure 4 stories · sorted by recency
── more on @model context protocol 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/mcp-goes-stateless-w…] indexed:0 read:4min 2026-07-01 ·