MCP Goes Stateless: What the July 28 Spec Breaks The Model Context Protocol's 2026-07-28 release candidate eliminates session-based architecture, removing the Mcp-Session-Id, initialize handshake, and sticky routing requirements. The change forces MCP server operators to update their implementations by July 28 to avoid breaking changes including new required headers, removal of SSE streams, and error code updates. The Model Context Protocol’s session-based architecture has been a quiet production liability since day one — and in 27 days, it’s gone. The 2026-07-28 release candidate, locked since May 21 https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/ , eliminates Mcp-Session-Id , the initialize handshake, and sticky routing requirements in one sweep. If you’re running an MCP server today, you have until July 28 to understand what breaks and what to do about it. Why Sessions Were a Liability The original MCP spec required a session handshake on every new connection. Servers minted an Mcp-Session-Id that pinned each client to a specific instance. On paper, fine. In practice, a distributed deployment disaster. The failure mode was subtle and nasty: pod A handled initialize and issued the session ID, then the SDK’s long-lived SSE GET stream silently hashed to pod B — which knew nothing about that session — and returned a 404. Teams spent days debugging what looked like a network issue. The real culprit was a protocol-level assumption that every connection lands on the same machine. The fix was load balancer stickiness, which is infrastructure duct tape over a spec problem. The new spec removes the assumption entirely https://aaif.io/blog/mcp-is-growing-up/ . What Stateless MCP Looks Like As of the 2026-07-28 spec, there is no handshake. Protocol version, client identity, and capabilities travel in a meta object on every request. Any server instance can handle any request. You can run MCP behind a plain round-robin load balancer, route traffic on the new Mcp-Method header, and scale horizontally without sticky sessions or shared session stores. Application state didn’t disappear — it moved somewhere more honest. Tools now return explicit opaque handles think a basket id or job id . The model can see these handles, reason about them, and pass them forward on subsequent calls. Your server stores actual state in Redis, PostgreSQL, or wherever makes sense. The state is visible to the agent, which makes debugging substantially easier and agent behavior more predictable. 5 Breaking Changes in MCP Stateless 2026 Five things break on July 28 if you don’t act: Session initialization removed: The initialize / initialized handshake is gone. Replace capability discovery with the new server/discover RPC. New required headers: All Streamable HTTP requests must include Mcp-Method and Mcp-Name headers. These enable gateway routing without payload inspection. Omit them and your requests will fail. SSE streams eliminated: Long-lived GET streams for SSE are replaced by the Multi Round-Trip Request pattern. Servers return InputRequiredResult with an opaque requestState ; clients echo it back on the follow-up request. Tasks moved to extension: If you’re using the core Tasks feature, it’s now a separate extension SEP-2663 with a new polling lifecycle — tools/call returns a handle, clients poll with tasks/get . The tasks/list method is gone. Error code change: Missing resources previously returned -32002 . That’s now standard JSON-RPC -32602 . Update any error handling that keys on the specific code. Three Deprecations — Don’t Panic Yet Roots, Sampling, and Logging are deprecated as of July 28. They still work. The spec guarantees a minimum 12-month window before removal, meaning nothing breaks until at least July 2027. But start planning: Roots moves to tool parameters or resource URIs; Sampling moves to direct LLM provider APIs; Logging moves to stderr or OpenTelemetry. None of these are urgent today, but they’re on the clock. What’s New Worth Watching The spec ships two official extensions. MCP Apps SEP-1865 lets servers render HTML interfaces in sandboxed iframes — tools declare UI templates, and all actions route through standard JSON-RPC audit/consent paths. It’s the first time MCP servers can ship embedded UIs without leaving the protocol’s security model. The Tasks extension SEP-2663 replaces the old blocking pattern with a clean polling lifecycle that actually works without sessions. The authorization layer also got a real upgrade. Six OAuth SEPs tighten the spec: clients must now validate the iss parameter per RFC 9207 https://www.rfc-editor.org/rfc/rfc9207 to prevent mix-up attacks, and OpenID Connect application type declarations are required during Dynamic Client Registration. If you’re running MCP in multi-tenant or multi-server environments, audit your auth code now https://stacktr.ee/blog/mcp-2026-spec-changes . Migration Checklist: Before July 28 - Remove session initialization logic from your server - Update request handling to read protocol version from meta fields - Add Mcp-Method and Mcp-Name headers to all Streamable HTTP requests - Migrate any Tasks usage to the extension polling pattern - Audit OAuth/OIDC client registration against the six auth SEPs SDK 1.3.0 already supports the explicit-handle pattern, so you can start building stateless-compatible tools today. Tier 1 SDKs Python and TypeScript are expected to ship full spec support within the 10-week validation window, which closes right around July 28. The session model was a workaround dressed up as architecture. Good riddance.