MCP 2026-07-28 Release Candidate Brings Stateless Protocol and Auth Overhaul

The MCP 2026-07-28 release candidate, locked on May 21, 2026, is the most significant revision to the Model Context Protocol since its launch, with a final specification due July 28, 2026. The most consequential change is that MCP is now stateless at the protocol layer, meaning each request must carry protocol version, client info, and capabilities in metadata rather than relying on session state. Servers that previously depended on sticky sessions or connection memory must migrate explicit state into application-level handles, such as job or browser IDs passed as tool arguments. The release candidate also introduces MCP Apps, which allow servers to provide interactive HTML interfaces rendered in sandboxed iframes, with UI actions routed through the same consent path as standard tool calls. Authorization has been tightened around OAuth 2.0 and OpenID Connect, requiring clients to validate the issuer parameter per RFC 9207, with future clients expected to reject authorization responses that omit it.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.



Discussion (0)
Log in to join the discussion and vote.
Log in