- Problem: The largest MCP specification update to date (2026-07-28) deprecates session management at the protocol layer, meaning stateful MCP servers must migrate.
- Solution: Understand exactly what is being removed (the handshake, Mcp-Session-Id) and follow our checklist to transition to a stateless architecture (explicit handles, new routing headers, Tasks lifecycle, hardened auth).
- Result: A concise migration checklist for server authors, plus timeline context to prevent panic (RC is locked, deprecation policy guarantees at least 12 months).
The MCP 2026-07-28 specification—the most significant update since the protocol's inception—turns the protocol stateless by removing the initialize/initialized handshake and the Mcp-Session-Id header. The practical benefit for operators: remote MCP servers can now run behind standard round-robin load balancers without requiring sticky sessions or a shared session store. If you are merely using MCP, this is largely handled by the SDKs. However, if you are writing MCP servers that maintain session-based state, this is the migration guide you need to schedule. The release candidate was locked on May 21, 2026, and the official spec launches on July 28, 2026—making now the perfect time to prepare.
TL;DR (Executive Summary)
- Problem: MCP is removing session tracking at the protocol layer. Any server pinning a client to a specific instance via
Mcp-Session-Idmust change how it manages state.- Solution: Understand what is removed (handshake, session ID,
tasks/list) and what is added (_meta,server/discover,Mcp-Method/Mcp-Nameheaders), then execute the migration checklist: explicit handles instead of sessions, emitting new headers, migrating Tasks to the new lifecycle, and tightening authentication.- Result: A clean migration checklist for server authors—with no reason to panic, as the new deprecation policy guarantees at least a 12-month grace period.
How Big of a Deal Is "Stateless"? (An Architect's View)
Before this release, a remote MCP server had to remember the client: the initialize handshake opened a session, and then the Mcp-Session-Id pinned the client to a specific server instance. Scaling horizontally required sticky routing based on session IDs or maintaining a shared data store (like Redis) so any instance could read the session state—exactly the kind of operational complexity that distributed systems engineers dread.
The 2026-07-28 spec removes this entirely. With no handshake and no session IDs at the protocol level, any request can be routed to any instance. Servers run on standard HTTP infrastructure, scaling via simple round-robin without sticky routing. For delivery managers and operators, this eliminates an entire infrastructure layer to maintain—but it means stateful servers assuming "an active session" must refactor how they manage state.
What is Removed and What is Added
| Action | Details | SEP |
|---|---|---|
| Remove | Handshake initialize/initialized |
SEP-2575 |
| Remove | Mcp-Session-Id header + protocol-level session management |
SEP-2567 |
| Remove | tasks/list method (insecure without protocol sessions) |
— |
| Add | Client info + capabilities passed in _meta on every request |
— |
| Add | server/discover method for clients to fetch capabilities initially |
— |
| Add | Mcp-Method and Mcp-Name headers (routing without reading the request body) |
SEP-2243 |
The paradigm shift: State does not disappear; it moves from being hidden in the transport layer to being explicit in the conversation. Instead of the server remembering the session, the server issues an explicit handle to the model, and the model carries it along.
Checklist for Migrating MCP Servers to Stateless
This is the core roadmap—the exact sequence I would follow to migrate a live MCP server:
- Upgrade the SDK. Wait for your language's SDK to release a version supporting the 2026-07-28 spec (Tier 1 SDKs are expected within the 10-week validation window). Avoid writing custom wrappers before the official SDK is ready.
- Remove all
Mcp-Session-Idassumptions. Audit where your server reads session IDs to look up state. This is the primary breaking point. - Replace sessions with explicit handles. Design your tool to "mint" and return a state handle (e.g.,
basket_idorbrowser_id). Subsequent tools should accept this handle as a regular parameter. The state is now held and passed back by the model. - Emit new headers. Send
Mcp-MethodandMcp-Name(SEP-2243) so edge infrastructure can route requests without parsing the JSON-RPC request body. - Convert multi-step flows to input-required. Instead of keeping SSE connections open while waiting, return an
InputRequiredResultcontaininginputRequestsandrequestState. The client will retry withinputResponsesand the echoedrequestState—which any server instance can now process. - Migrate Tasks to the new lifecycle. If using the experimental Tasks (from the
2025-11-25spec), switch to the new standard: return a task handle intools/call, and let the client manage execution viatasks/get,tasks/update, andtasks/cancel(SEP-2663—this is a breaking change). - Tighten authentication. Align with new security SEPs: validate
issparameters per RFC 9207 (SEP-2468), declare the OIDCapplication_typeduring Dynamic Client Registration (SEP-837), bind credentials to theissuer, and re-register upon issuer changes (SEP-2352).
To sum it up: Steps 2 and 3 are the heart of the migration (removing implicit sessions and using explicit handles); the rest covers routing headers, Tasks, and security. If your server is read-only or stateless, you will have almost zero migration effort.
Extensions: MCP Apps and Tasks Become First-Class Citizens
This specification formalizes the Extensions Framework (SEP-2133): utilizing reverse-DNS identifiers, negotiating via the extensions capability map, living in separate ext-* repositories, and versioning independently from the core spec. Two official extensions stand out:
- MCP Apps (SEP-1865) — The server sends interactive HTML interfaces that the host renders in a sandboxed iframe. Tools declare UI templates beforehand, allowing hosts to prefetch, cache, and audit them for security. The UI communicates back using the underlying JSON-RPC channel, ensuring all actions share the same audit trail as standard tool calls. This is MCP stepping from "returning text/data" to "returning the entire user interface."
- Tasks (SEP-2663) — A standard for long-running executions without maintaining persistent connections: the server returns a task handle, and the client checks status or updates execution using
tasks/get,tasks/update, andtasks/cancel.
No Need to Panic: Official Deprecation Policy
This release introduces the official deprecation policy (SEP-2577): features move through Active → Deprecated → Removed, guaranteeing a minimum of 12 months between deprecation and removal. Three annotation-like mechanisms are deprecated in this version (but will continue to function normally):
| Deprecated | Alternative |
|---|---|
| Roots | Tool parameters, resource URIs, or server configuration |
| Sampling | Directly invoking the LLM provider's API |
| Logging | stderr (for stdio transports) or structured OpenTelemetry |
If you have studied advanced MCP, these are the three mechanisms most frequently discussed. While the spec now recommends other paths, you have at least a full year to adapt—nothing will break overnight on July 28th.
Conclusion
MCP is growing up: transitioning from a sessionful protocol loaded with hidden states into a stateless core running on standard HTTP, paired with a structured extensions framework. For MCP consumers, SDKs handle the transition. For MCP server authors, the message is clear: remove session dependencies, transition states to explicit handles, emit the new routing headers—and know that you have at least a year to address deprecated features.
To connect the dots: The foundations of MCP (client/server architecture, the three core capabilities, transport layers) are covered in Model Context Protocol. The stateless_http paradigm, Streamable HTTP, and session IDs—the very items changed in this spec—are discussed in Advanced Model Context Protocol. When building agents that interact with these servers, check out Claude Agent SDK vs Claude API vs Claude Code; and for agents operating directly on web pages, see WebMCP. The complete learning path is compiled at [/learn/claude?lang=en].
Nguyễn Phúc Nguyên Châu
Delivery Manager
14 years of delivery experience (Websites, Systems, AI Automation) for the Vietnam–Japan market
Frequently Asked Questions
What is the biggest change in MCP 2026-07-28?
The protocol becomes stateless: the handshake (initialize/initialized) and the Mcp-Session-Id header are removed. Any request can hit any server instance, allowing remote MCP servers to run behind standard round-robin load balancers without requiring sticky sessions or a shared session store.
Will my current MCP server break on July 28th?
No, it won't break immediately. The specification introduces a new deprecation policy (SEP-2577) where features transition through Active → Deprecated → Removed, with a minimum of 12 months between deprecation and removal. This release primarily deprecates certain annotation-like fields (Roots, Sampling, Logging)—they will keep running. However, servers relying on protocol session IDs should start planning their migration.
If sessions are removed, where do I keep state?
Instead of relying on a session hidden inside the transport layer, the server 'mints' an explicit handle from a tool (such as basket_id or browser_id) and returns it. The model then passes this handle back as a normal parameter in subsequent calls, making state visible to the model rather than hidden in connection metadata.
What are MCP Apps and Tasks?
These are two official extensions under the new Extensions framework. MCP Apps (SEP-1865) allow servers to send interactive HTML interfaces that hosts render in a sandboxed iframe. Tasks (SEP-2663) standardize long-running processes: the server returns a task handle, and the client controls execution using tasks/get, tasks/update, and tasks/cancel.