AI agents · OpenClaw · self-hosting · automation

Quick Answer

MCP Goes Stateless: What the 2026-07-28 Spec Breaks (and Fixes)

Published:

The One-Line Summary

MCP 2026-07-28 makes MCP stateless at the protocol layer. That single change removes the initialize handshake, removes Mcp-Session-Id, and drops the sticky-routing requirement. Everything else in the release candidate is downstream of that.

Final publication: July 28, 2026. Release candidate locked: May 21, 2026.

Why This Matters

MCP shipped in November 2024 as a stateful protocol modeled loosely after LSP (Language Server Protocol). That was a reasonable starting point for a local-first tool-connection protocol, but it created friction the moment MCP started running as remote HTTP servers at scale:

  • Load balancers needed session affinity (sticky routing to the replica that owned a session)
  • Autoscaling was hard (killing a replica killed its sessions)
  • Multi-region routing was painful (a request had to land on the replica that initialized)
  • Caching was disabled (session state made responses non-cacheable)

The 2026 release candidate is a rewrite of the protocol layer to remove all four constraints.

What Changes

1. The initialize/initialized handshake is gone

Old MCP required a two-message handshake at session start to negotiate capabilities. Under 2026-07-28, capabilities are discovered per-request via the extensions framework. Clients that hardcoded the initialize sequence must remove it.

2. Mcp-Session-Id header is removed

The session identifier that keyed all state is gone. Anything you stored by session id must move to durable storage keyed differently — typically by user/tenant/task id — or be re-derived from request context.

3. Sticky routing is not required (and often wrong)

Any replica can now serve any request. Load balancers should distribute freely. Setups that pinned a client to a replica for session continuity should remove that pinning.

4. Authorization aligns with OAuth 2.1 / OIDC

Clients must validate the iss (issuer) parameter on authorization responses. The authorization model closes several gaps that let deployed MCP servers rely on static API keys — a systemic risk called out in the 2026 MCP security surveys.

5. Roots, Sampling, and Logging are deprecated

The formal deprecation policy — new in this spec — means these three keep working for now but won’t get new features. Plan a migration for Q3-Q4 2026.

6. Extensions framework (MCP Apps, MCP Tasks)

  • MCP Apps: server returns server-rendered UI for the client to render
  • MCP Tasks: cacheable, traceable, routable long-running work

Both are opt-in.

What This Fixes in Practice

Pain pointBeforeAfter 2026-07-28
Autoscaling MCP serversKilled sessions on replica shutdownAny replica serves any request
Multi-region routingRequests pinned to init regionRoute by latency/policy freely
Response cachingSession state blocked cachingRequests are cacheable
Load balancer complexityRequired sticky routingAny LB config works
Auth confusionMixed static-key deploymentsOAuth 2.1 / OIDC discipline

If you run an MCP server as a hosted product, this is a genuine platform upgrade.

Migration Checklist

For MCP server operators:

  1. Audit session-scoped state — anything keyed by Mcp-Session-Id?
  2. Move state to durable storage — key by user/tenant/task id
  3. Drop initialize handshake handling — accept requests without it
  4. Remove sticky-routing config from your load balancer
  5. Adopt OAuth 2.1 / OIDC — validate iss on authorization responses
  6. Plan Roots/Sampling/Logging migration — deprecated, not deleted (yet)
  7. Decide on Apps/Tasks — opt in only if you need them

For MCP client authors:

  1. Drop initialize/initialized send-and-wait sequence
  2. Discover capabilities per-request via extensions
  3. Stop sending Mcp-Session-Id
  4. Validate authorization iss on OAuth responses
  5. Handle Apps/Tasks extensions if your UX benefits from server-rendered UI or long-running tasks

Deprecation Policy — the Quiet Big Deal

Before this release, MCP had no formal deprecation policy. Anything could break at any spec bump. The 2026-07-28 spec introduces a proper policy: deprecated features keep working for a defined period, get migration notes, and won’t receive new capabilities. That’s what makes Roots/Sampling/Logging deprecation tolerable instead of a fire drill.

For teams building MCP servers as a product, this is arguably as important as the statelessness change — it means you can commit to MCP as a stable target instead of a moving one.

SDK & Ecosystem Status (July 2026)

  • Anthropic reference SDKs — tracking the release candidate, expect major-version bumps through July-August 2026
  • Microsoft App Service MCP hosting — updated guidance published for stateless deployments
  • Cursor / Claude Code / other MCP hosts — release-candidate compatibility rolling in through Q3 2026
  • Community MCP registry — 3,000+ servers as of March 2026; migration status varies per author

Assume any MCP server / client you didn’t write yourself needs a check for 2026-07-28 compatibility before your July 28 rollout.

The Bottom Line

MCP 2026-07-28 makes MCP finally scalable as a protocol. The initialize handshake, Mcp-Session-Id, and sticky routing were all baked-in assumptions from the 2024 desktop-first design that got in the way once MCP became remote-first. Removing them unlocks autoscaling, multi-region routing, and response caching — with an extensions framework to add back Apps/Tasks only when you need them.

If you operate an MCP server, plan your stateless migration before July 28, 2026.

Sources