The MCP 2026-07-28 release is the most significant update to the Model Context Protocol yet, introducing a stateless core, extensions framework, tasks, MCP apps, stronger authorization, and a formal deprecation policy. Here is everything developers need to know about the future of AI interoperability.
Stateless architecture, MCP Apps, Tasks, authorization hardening, and a future-proof extension framework.
Introduction
The Model Context Protocol (MCP) has quickly become the standard way for AI applications to communicate with tools, APIs, databases, and external services. Since its launch, MCP has enabled developers to build interoperable AI agents without creating custom integrations for every service.
On May 21, 2026, the MCP maintainers published the 2026-07-28 Release Candidate, the largest protocol revision since MCP was introduced. The release fundamentally changes how MCP servers operate by introducing a stateless protocol core, an official Extensions Framework, MCP Apps, a redesigned Tasks extension, stronger authorization standards, and a formal deprecation policy.
The final specification is scheduled for July 28, 2026.
Why This Release Matters
Previous MCP deployments often required:
- Sticky load balancer sessions
- Shared session stores
- Long-lived connections
- Complex gateway configurations
The new specification removes these requirements.
An MCP server can now run behind a standard HTTP load balancer where every request is independent and can be handled by any server instance.
This significantly simplifies scaling, deployment, and infrastructure management.
MCP Becomes Stateless
The headline feature of the 2026 release is a fully stateless protocol layer.
Before: Session-Based Communication
In MCP 2025-11-25, every client had to establish a session before calling tools.
POST /mcp HTTP/1.1Content-Type: application/json
{
"jsonrpc":"2.0",
"id":1,
"method":"initialize",
"params":{
"protocolVersion":"2025-11-25"
}
}The server responded with a session identifier.
Mcp-Session-Id: 1868a90c-3a3f-4f5b
Every subsequent request had to include this session.
POST /mcp HTTP/1.1Mcp-Session-Id: 1868a90c-3a3f-4f5b
{
"jsonrpc":"2.0",
"id":2,
"method":"tools/call"
}This architecture required sticky routing and shared storage between server instances.
After: Stateless Requests
In MCP 2026-07-28, every request contains everything necessary to process it.
POST /mcp HTTP/1.1MCP-Protocol-Version: 2026-07-28Mcp-Method: tools/callMcp-Name: search
{
"jsonrpc":"2.0",
"id":1,
"method":"tools/call",
"params":{
"name":"search",
"arguments":{
"q":"otters"
}
}
}No session IDs.
No handshake.
No sticky routing.
Any server instance can process the request.
Goodbye initialize()
One of the most significant breaking changes is the removal of the initialization handshake.
The following methods are gone:
- initialize
- initialized
Instead, client information and capabilities are sent through request metadata.
{
"_meta": {
"io.modelcontextprotocol/clientInfo": {
"name": "my-app",
"version": "1.0"
}
}
}A new server/discover endpoint allows clients to retrieve server capabilities when needed.
Stateful Applications Still Work
Removing sessions does not mean applications must become stateless.
Servers can return identifiers that models pass back later.
Example
Create Basket
{ "basket_id": "basket_123"}
Add Item
{ "basket_id": "basket_123", "item": "Laptop"}
This approach makes state explicit and visible to both the application and the AI model.
Multi Round-Trip Requests
One challenge of stateless systems is handling user interaction during tool execution.
The new specification introduces InputRequiredResult.
Example
A tool may require confirmation before deleting files.
{
"resultType": "inputRequired",
"inputRequests": {
"confirm": {
"type": "elicitation",
"message": "Delete 3 files?",
"schema": {
"type": "boolean"
}
}
}
}The client gathers the user's response and retries the request with the provided input.
This eliminates the need for long-lived Server-Sent Events connections while maintaining interactive workflows.
New Routing Headers
Infrastructure teams will appreciate the addition of routing-friendly headers.
Mcp-Method: tools/callMcp-Name: search
Load balancers, gateways, and rate limiters can now route traffic without parsing request bodies.
Benefits include:
- Simpler traffic routing
- Faster request inspection
- Better API gateway support
- Easier observability
Smart Caching Support
MCP now introduces cache metadata for list operations and resources.
{ "ttlMs": 300000, "cacheScope": "public"}
This enables:
- Tool list caching
- Reduced server load
- Faster client startup
- Shared cache support
Previously, clients often relied on persistent SSE streams to detect changes.
MCP Apps: Server-Rendered User Interfaces
One of the most exciting additions is MCP Apps.
MCP Apps allow servers to provide complete interactive user interfaces that hosts render inside sandboxed iframes.
Imagine a tool returning:
- Dashboards
- Approval workflows
- Data visualizations
- Interactive forms
Instead of building custom frontend integrations, servers can ship UI directly through MCP.
This creates a new category of AI-powered applications where tools are no longer limited to text responses.
Tasks Become an Official Extension
Tasks were previously an experimental core feature.
In 2026 they graduate into a standalone extension.
Previous Model
Tasks were tightly coupled to sessions.
New Model
Servers return a task handle.
{ "taskId": "task_789"}
Clients manage the lifecycle through dedicated APIs:
tasks/get
tasks/updatetasks/cancel
This redesign fits naturally within MCP's stateless architecture.
Authorization Gets Stronger
Security receives major attention in this release.
New requirements include:
- OAuth 2.0 alignment
- OpenID Connect improvements
- Issuer validation (RFC 9207)
- Dynamic client registration updates
- Refresh token guidance
- Step-up authorization clarification
Example
Clients must validate the authorization server issuer.
{ "iss": "https://auth.example.com"}
This prevents several classes of authorization mix-up attacks.
Extensions Become First-Class Citizens
Another major change is the introduction of the official Extensions Framework.
Extensions are now:
- Independently versioned
- Negotiated through capabilities
- Managed in separate repositories
- Governed through a formal process
Example identifiers:
com.company.tasksio.modelcontextprotocol.apps
This allows innovation without modifying the protocol core.
Full JSON Schema 2020-12 Support
Tool schemas are significantly more powerful.
Developers can now use:
{
"oneOf": [
{
"type": "string"
},
{
"type": "number"
}
]
}Additional capabilities include:
- oneOf
- anyOf
- allOf
- $ref
- $defs
- Conditional schemas
This enables richer validation and better tool definitions.
Deprecated Features
The release introduces MCP's first formal deprecation policy.
Deprecated Feature Recommended Replacement
Roots Tool parameters and resource URIs (Recommended)
Sampling Direct LLM provider APIs(Recommended)
Logging OpenTelemetry and stderr(Recommended)
Importantly, these features are only marked as deprecated and will remain supported for at least 12 months.
What This Means for Developers
If you're building MCP-powered applications, expect the following migration work:
Required Updates
- Remove initialize()/initialized()
- Remove session handling
- Add MCP-Protocol-Version headers
- Add Mcp-Method headers
- Support server/discover
- Update Tasks integrations
- Migrate deprecated features
Benefits
- Simpler deployments
- Better scalability
- Easier cloud hosting
- Improved observability
- Stronger security
- Rich UI experiences with MCP Apps
Looking Ahead
The 2026-07-28 release represents a major evolution of MCP from a session-oriented protocol into a modern stateless platform.
By introducing:
- Stateless transport
- Official extensions
- MCP Apps
- Improved authorization
- Formal governance
- Better caching
- Enhanced tooling support
MCP is positioning itself as the long-term foundation for AI agents, enterprise automation, and next-generation AI applications.
For teams already building on MCP, this release requires migration effort, but the payoff is a protocol that is easier to scale, easier to operate, and significantly more future-proof.
The future of AI integration is no longer just about connecting models to tools—it's about building an ecosystem where tools, interfaces, workflows, and agents can all communicate through a common, extensible standard.