What is new in MCP 1.4 RC compared to MCP 1.3?

MCP 1.4 Release Candidate (April 2026) adds four major changes over 1.3: (1) stateless HTTP transport for serverless deployments, (2) standard server metadata served via /.well-known so capabilities are discoverable without a live connection, (3) authentication and authorization standardization (OAuth 2.1 + scopes per tool), and (4) audit logging hooks for compliance. It is backwards compatible with MCP 1.3 servers but adds new optional capabilities.

Should I upgrade my MCP server to 1.4 RC?

Yes, if you're building new servers — start on 1.4 RC. If you have a 1.3 server in production, the upgrade is mostly additive: 1.4 doesn't break 1.3 clients. The biggest reason to upgrade is the stateless transport (your server can run on Cloudflare Workers / Lambda) and the discovery metadata (your server shows up correctly in MCP catalogs). Wait for 1.4 GA (expected May/June 2026) for production-critical workloads.

Does MCP 1.4 work with Claude, ChatGPT, and Cursor?

Yes. As of April 28, 2026: Claude Desktop and Claude Code support MCP 1.4 RC features behind a flag; ChatGPT (with the MCP integration that shipped in March 2026) supports core 1.3 + partial 1.4; Cursor supports 1.3 fully and is rolling out 1.4 features in 3.2. All major clients pass through 1.3 features even when using 1.4 servers.

What is the .well-known metadata endpoint?

MCP 1.4 introduces /.well-known/mcp.json (or .mcp/server.json), a static JSON file that describes your server's capabilities, name, version, and supported tools without requiring a live MCP connection. This lets MCP catalogs index servers efficiently, lets clients pre-validate compatibility, and enables capability discovery during indexing rather than connection. Modeled on /.well-known patterns from RFC 5785.

Does MCP 1.4 finally fix authentication?

Largely yes. MCP 1.4 standardizes on OAuth 2.1 with PKCE for client-to-server auth, tool-level scopes (so a client can request just file:read instead of full server access), and standardized header formats for service-to-service. It still doesn't solve user identity propagation cleanly — that's deferred to 1.5. But for hosted MCP servers, 1.4 is the first version where 'how do I auth this' has a clear standard answer.

Quick Answer

MCP 1.4 RC vs MCP 1.3: What's New for AI Agents (April 2026)

Published: April 28, 2026

MCP 1.4 RC vs MCP 1.3: What’s New for AI Agents (April 2026)

Model Context Protocol 1.4 Release Candidate dropped in April 2026. It’s the most significant MCP update since the November 2025 spec — stateless transports, real server discovery, OAuth 2.1, and audit logging. Here’s what changed vs MCP 1.3 and what’s worth migrating now.

Last verified: April 28, 2026

TL;DR

Feature	MCP 1.3	MCP 1.4 RC
Transport	stdio + Streamable HTTP	+ Stateless HTTP
Server discovery	Connect-and-query	+ /.well-known/mcp.json
Authentication	Ad-hoc	OAuth 2.1 + tool scopes
Audit logging	None	Standard hooks
Server metadata	Live only	Static + live
Tool resource subscriptions	Yes	Yes
Client compatibility	All	Backwards compatible
Status	Stable	RC, GA expected May/Jun

Bottom line: 1.4 is mostly additive. New servers should start on 1.4 RC. Existing 1.3 servers don’t need to migrate, but stateless transport + discovery are big wins worth adding.

What changed: deep dive

1. Stateless HTTP transport

MCP 1.3 introduced Streamable HTTP, but it still required maintaining session state on the server (for SSE streams, in-flight tool calls). That’s a problem for serverless deployments — every request goes to a different worker.

MCP 1.4 RC adds Stateless HTTP, where each tool call is a self-contained request/response with no server-side session. Trade-offs:

✅ Runs cleanly on Cloudflare Workers, AWS Lambda, Vercel Functions.
✅ Trivial horizontal scaling.
❌ No long-running tool calls (must complete in a single request).
❌ No server-pushed notifications (tool list changes, resource updates).

You pick the transport per server: stateless for simple tool servers, Streamable HTTP for stateful integrations.

2. /.well-known/mcp.json discovery

The biggest practical win. MCP 1.4 standardizes a static JSON file that describes your server:

{
  "name": "weather-mcp",
  "version": "1.2.0",
  "protocolVersion": "1.4",
  "transports": ["stateless-http", "stdio"],
  "capabilities": {
    "tools": {"listTools": true, "callTool": true},
    "resources": {"listResources": false}
  },
  "tools": [
    {"name": "get_weather", "description": "...", "inputSchema": {...}}
  ]
}

Why this matters:

MCP catalogs (Anthropic’s registry, Smithery, etc.) can index your server without a live connection.
Clients can pre-validate compatibility before connecting.
Discovery becomes a static-file fetch instead of a stateful protocol exchange.

3. OAuth 2.1 + tool scopes

MCP 1.3 had no real auth story — implementations rolled their own.

MCP 1.4 standardizes:

OAuth 2.1 with PKCE for client-to-server auth.
Tool-level scopes — client requests tool:get_weather instead of full access.
Standard error codes for auth failures (invalid_scope, expired_token, etc.).

Still TBD in 1.5: end-user identity propagation through the agent. Today, the LLM agent acts as a single authenticated principal — the underlying user’s identity isn’t propagated to the MCP server. Working group is on it.

4. Audit logging hooks

For regulated industries, MCP 1.3’s “fire and forget” tool calls were a compliance nightmare. 1.4 adds:

Standard audit event format (JSON, OpenTelemetry-compatible).
Pre-call and post-call hooks.
Tool argument redaction guidelines (PII / secrets).

Enterprise MCP gateways (e.g. Atlassian Rovo, deepset Cloud) can now drop these into their existing audit pipelines without bespoke wrappers.

Backwards compatibility

Good news: MCP 1.4 RC is backwards compatible with 1.3 clients. A 1.4 server speaks 1.3 if the client doesn’t support 1.4 features. A 1.3 server works fine with 1.4 clients (it just doesn’t expose 1.4-only features).

Watch out for:

Stateless HTTP transport is 1.4-only — 1.3 clients won’t recognize it. Always offer Streamable HTTP or stdio as a fallback.
/.well-known/mcp.json is purely additive — 1.3 clients ignore it.
OAuth scopes degrade gracefully — 1.3 clients see “no auth” or “full auth” only.

What clients support 1.4 RC today

Client	MCP 1.4 support
Claude Desktop	Behind feature flag
Claude Code	Behind feature flag
ChatGPT (MCP integration)	Partial — discovery, no scopes yet
Cursor 3.1	1.3 fully; 1.4 in 3.2 (rolling out)
Windsurf	1.3 fully; 1.4 in next release
Antigravity	1.3 fully
OpenCode	1.4 RC native
Continue.dev	1.4 RC native
Zed	1.3 fully

What servers should I migrate first?

Public/internet-exposed MCP servers — get OAuth 2.1 in place. Critical.
High-volume tool servers — switch to stateless HTTP, save inference orchestration cost.
Audit-required enterprise MCP servers — wire up the audit hooks.
Catalog-listed servers — add /.well-known/mcp.json so you index correctly.

Servers that probably don’t need to migrate yet:

Internal-only stdio MCP servers (no transport benefit).
Single-user dev tools (no auth complexity).
Servers wrapping APIs that already do auth themselves.

How to migrate a 1.3 server to 1.4 RC

Update SDK. TypeScript: @modelcontextprotocol/[email protected]. Python: mcp==1.4.0rc1.
Add /.well-known/mcp.json to your static asset routing or generate it from your tool definitions at boot.
Add stateless HTTP transport if you want serverless. Most SDKs auto-generate handlers from your tool definitions.
Add OAuth scopes to your tool registration. Default scope is tool:<tool_name>.
Wire up audit hooks if needed. Default impl logs to stdout — easy to redirect.
Test with a 1.4 RC client (OpenCode is easiest — opencode from the terminal).

Common gotchas

Stateless HTTP + long tool calls don’t mix. If your tool call takes >30s, use Streamable HTTP, not stateless.
OAuth 2.1 PKCE requires HTTPS in production — Cloudflare Workers / Vercel handle this automatically; bare Node servers need a reverse proxy.
/.well-known/mcp.json must match your live server. If they drift, clients will see capability mismatches and bail.
Audit hooks are synchronous by default. For high-volume servers, wrap with an async queue.

Status and timeline

April 2026: 1.4 RC released. Most clients adding partial support.
May/June 2026: 1.4 GA expected.
Later in 2026: 1.5 working group focuses on end-user identity propagation, multi-tenant servers, formal capability versioning.

For now: start new servers on 1.4 RC, leave 1.3 production servers running, plan migration after 1.4 GA.

Last verified: April 28, 2026. Sources: MCP 2026 Roadmap (modelcontextprotocol.io), MCP 1.4 RC spec, MCP TypeScript SDK 1.4.0-rc release notes, MCP Python SDK 1.4.0rc1, Claude Desktop 1.13 release notes, Cursor 3.1/3.2 changelogs.