> Saurabh Talele
downloadDownload Resume
MCP 2.0
Back to Archive

MCP 2026-07-28: The Biggest MCP Update Yet

Published
June 3, 2026

The MCP 2026-07-28 release is the most significant update to the Model Context Protocol yet, introducing a stateless core, extensions framework, tasks, MCP apps, stronger authorization, and a formal deprecation policy. Here is everything developers need to know about the future of AI interoperability.

Stateless architecture, MCP Apps, Tasks, authorization hardening, and a future-proof extension framework.

Introduction

The Model Context Protocol (MCP) has quickly become the standard way for AI applications to communicate with tools, APIs, databases, and external services. Since its launch, MCP has enabled developers to build interoperable AI agents without creating custom integrations for every service.

On May 21, 2026, the MCP maintainers published the 2026-07-28 Release Candidate, the largest protocol revision since MCP was introduced. The release fundamentally changes how MCP servers operate by introducing a stateless protocol core, an official Extensions Framework, MCP Apps, a redesigned Tasks extension, stronger authorization standards, and a formal deprecation policy.

The final specification is scheduled for July 28, 2026.


Why This Release Matters

Previous MCP deployments often required:

  • Sticky load balancer sessions
  • Shared session stores
  • Long-lived connections
  • Complex gateway configurations

The new specification removes these requirements.

An MCP server can now run behind a standard HTTP load balancer where every request is independent and can be handled by any server instance.

This significantly simplifies scaling, deployment, and infrastructure management.


MCP Becomes Stateless

The headline feature of the 2026 release is a fully stateless protocol layer.

StateLess MCP
StateLess MCP

Before: Session-Based Communication

In MCP 2025-11-25, every client had to establish a session before calling tools.

POST /mcp HTTP/1.1
Content-Type: application/json

typescript
{
  "jsonrpc":"2.0",
  "id":1,
  "method":"initialize",
  "params":{
    "protocolVersion":"2025-11-25"
  }
}

The server responded with a session identifier.

Mcp-Session-Id: 1868a90c-3a3f-4f5b

Every subsequent request had to include this session.

POST /mcp HTTP/1.1
Mcp-Session-Id: 1868a90c-3a3f-4f5b

typescript
{
  "jsonrpc":"2.0",
  "id":2,
  "method":"tools/call"
}

This architecture required sticky routing and shared storage between server instances.


After: Stateless Requests

In MCP 2026-07-28, every request contains everything necessary to process it.

POST /mcp HTTP/1.1
MCP-Protocol-Version: 2026-07-28
Mcp-Method: tools/call
Mcp-Name: search

typescript
{
  "jsonrpc":"2.0",
  "id":1,
  "method":"tools/call",
  "params":{
    "name":"search",
    "arguments":{
      "q":"otters"
    }
  }
}

No session IDs.

No handshake.

No sticky routing.

Any server instance can process the request.


Goodbye initialize()

One of the most significant breaking changes is the removal of the initialization handshake.

The following methods are gone:

  • initialize
  • initialized

Instead, client information and capabilities are sent through request metadata.

typescript
{
  "_meta": {
    "io.modelcontextprotocol/clientInfo": {
      "name": "my-app",
      "version": "1.0"
    }
  }
}

A new server/discover endpoint allows clients to retrieve server capabilities when needed.


Stateful Applications Still Work

Removing sessions does not mean applications must become stateless.

Servers can return identifiers that models pass back later.

Example

Create Basket

{
"basket_id": "basket_123"
}

Add Item

{
"basket_id": "basket_123",
"item": "Laptop"
}

This approach makes state explicit and visible to both the application and the AI model.


Multi Round-Trip Requests

One challenge of stateless systems is handling user interaction during tool execution.

The new specification introduces InputRequiredResult.

Example

A tool may require confirmation before deleting files.

typescript
{
  "resultType": "inputRequired",
  "inputRequests": {
    "confirm": {
      "type": "elicitation",
      "message": "Delete 3 files?",
      "schema": {
        "type": "boolean"
      }
    }
  }
}

The client gathers the user's response and retries the request with the provided input.

This eliminates the need for long-lived Server-Sent Events connections while maintaining interactive workflows.


New Routing Headers

Infrastructure teams will appreciate the addition of routing-friendly headers.

Mcp-Method: tools/call
Mcp-Name: search

Load balancers, gateways, and rate limiters can now route traffic without parsing request bodies.

Benefits include:

  • Simpler traffic routing
  • Faster request inspection
  • Better API gateway support
  • Easier observability


Smart Caching Support

MCP now introduces cache metadata for list operations and resources.

{
"ttlMs": 300000,
"cacheScope": "public"
}

This enables:

  • Tool list caching
  • Reduced server load
  • Faster client startup
  • Shared cache support

Previously, clients often relied on persistent SSE streams to detect changes.


MCP Apps: Server-Rendered User Interfaces

One of the most exciting additions is MCP Apps.

MCP Apps allow servers to provide complete interactive user interfaces that hosts render inside sandboxed iframes.

Imagine a tool returning:

  • Dashboards
  • Approval workflows
  • Data visualizations
  • Interactive forms

Instead of building custom frontend integrations, servers can ship UI directly through MCP.

This creates a new category of AI-powered applications where tools are no longer limited to text responses.


Tasks Become an Official Extension

Tasks were previously an experimental core feature.

In 2026 they graduate into a standalone extension.

Previous Model

Tasks were tightly coupled to sessions.

New Model

Servers return a task handle.

{
"taskId": "task_789"
}

Clients manage the lifecycle through dedicated APIs:

tasks/get
tasks/update
tasks/cancel

This redesign fits naturally within MCP's stateless architecture.


Authorization Gets Stronger

Security receives major attention in this release.

New requirements include:

  • OAuth 2.0 alignment
  • OpenID Connect improvements
  • Issuer validation (RFC 9207)
  • Dynamic client registration updates
  • Refresh token guidance
  • Step-up authorization clarification

Example

Clients must validate the authorization server issuer.

{
"iss": "https://auth.example.com"
}

This prevents several classes of authorization mix-up attacks.


Extensions Become First-Class Citizens

Another major change is the introduction of the official Extensions Framework.

Extensions are now:

  • Independently versioned
  • Negotiated through capabilities
  • Managed in separate repositories
  • Governed through a formal process

Example identifiers:

com.company.tasks
io.modelcontextprotocol.apps

This allows innovation without modifying the protocol core.


Full JSON Schema 2020-12 Support

Tool schemas are significantly more powerful.

Developers can now use:

typescript
{
  "oneOf": [
    {
      "type": "string"
    },
    {
      "type": "number"
    }
  ]
}

Additional capabilities include:

  • oneOf
  • anyOf
  • allOf
  • $ref
  • $defs
  • Conditional schemas

This enables richer validation and better tool definitions.


Deprecated Features

The release introduces MCP's first formal deprecation policy.

Deprecated Feature Recommended Replacement

Roots Tool parameters and resource URIs (Recommended)

Sampling Direct LLM provider APIs(Recommended)

Logging OpenTelemetry and stderr(Recommended)

Importantly, these features are only marked as deprecated and will remain supported for at least 12 months.


What This Means for Developers

If you're building MCP-powered applications, expect the following migration work:

Required Updates

  • Remove initialize()/initialized()
  • Remove session handling
  • Add MCP-Protocol-Version headers
  • Add Mcp-Method headers
  • Support server/discover
  • Update Tasks integrations
  • Migrate deprecated features

Benefits

  • Simpler deployments
  • Better scalability
  • Easier cloud hosting
  • Improved observability
  • Stronger security
  • Rich UI experiences with MCP Apps


Looking Ahead

The 2026-07-28 release represents a major evolution of MCP from a session-oriented protocol into a modern stateless platform.

By introducing:

  • Stateless transport
  • Official extensions
  • MCP Apps
  • Improved authorization
  • Formal governance
  • Better caching
  • Enhanced tooling support

MCP is positioning itself as the long-term foundation for AI agents, enterprise automation, and next-generation AI applications.

For teams already building on MCP, this release requires migration effort, but the payoff is a protocol that is easier to scale, easier to operate, and significantly more future-proof.

The future of AI integration is no longer just about connecting models to tools—it's about building an ecosystem where tools, interfaces, workflows, and agents can all communicate through a common, extensible standard.

Available for projects

Ready to build the next system?

Currently accepting high-impact opportunities in SaaS architecture and AI-driven products.