The 2026 MCP Spec: A Server Readiness Checklist

The next Model Context Protocol (MCP) specification arrives on July 28. This is the largest update since the protocol launched. It includes breaking changes to transport, authorization, and tool schemas.

If your server follows the 2025-11-25 spec, it works today. However, these changes include new security properties for request routing and cache scope.

Use this checklist to prepare your server before the deadline.

Major Changes: Stateless Protocol

MCP is moving to a stateless model at the protocol layer.

  • Remove the initialize/initialized handshake.
  • Move protocol version and client info into the _meta field of every request.
  • Implement server/discover for capability negotiation.
  • Stop using Mcp-Session-Id and remove the need for sticky sessions.
  • Move cross-call state to explicit tool arguments (like a basket_id).
  • Use Mcp-Method and Mcp-Name headers for Streamable HTTP.
  • Reject requests where headers and the body do not match.

Handling Input and Server-Initiated Requests

A stateless protocol still needs to ask clients for information.

  • Issue server-initiated requests only while processing a client request.
  • Use InputRequiredResult instead of keeping an SSE stream open.
  • Treat requestState as untrusted. Sign or encrypt it to prevent replay attacks.
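
One way to apply the requestState item above, as an added example that is not taken from the MCP specification or any SDK. It assumes requestState is an opaque string the server issues and the client echoes back; the token layout, field names, and the seal_state/open_state helpers are hypothetical. It goes slightly beyond a bare signature by binding the state to a caller, a method, and an expiry, because a signature alone still verifies when the token is replayed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real server loads this from a secret store and rotates it.
KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seal_state(state: dict, principal: str, method: str, ttl_s: int = 120, now=None) -> str:
    """Wrap server-side state with caller, method, and expiry, then append an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"s": state, "sub": principal, "m": method, "exp": int(now) + ttl_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def open_state(token: str, principal: str, method: str, now=None) -> dict:
    """Return the inner state, or raise ValueError if any check fails."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        raise ValueError("malformed requestState")
    # Verify the tag before parsing the body, in constant time.
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise ValueError("expired")
    if claims["sub"] != principal or claims["m"] != method:
        raise ValueError("state bound to a different caller or method")
    return claims["s"]
```

A token can still be replayed by the same caller for the same method until it expires. Making it single-use requires a server-side record of consumed tokens, which reintroduces a small amount of state.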

Cache and Tracing

New fields help manage data freshness and visibility.

  • Add ttlMs and cacheScope to list and resource-read results.
  • Set cacheScope to match user or tenant sensitivity.
  • Use fixed W3C Trace Context key names in _meta.
  • Scrub sensitive data from the baggage field at trust boundaries.

Authorization and Schema Security

The spec aligns more closely with OAuth 2.0 and improves schema safety.

  • Supply the iss parameter on authorization responses.
  • Honor application_type in Dynamic Client Registration.
  • Adopt JSON Schema 2020-12 for tool schemas.
  • Never auto-dereference external $ref URIs to avoid SSRF attacks.
  • Limit schema depth and validation time to prevent DoS.
  • Return -32602 for missing resources instead of -32002.

Deprecations and Extensions

Roots, Sampling, and Logging are deprecated. Plan to move to tool parameters, LLM provider APIs, or OpenTelemetry.

  • Negotiate extensions through the capability map.
  • Migrate experimental Tasks usage to the new extension lifecycle.
  • Declare MCP Apps UI templates ahead of time for host review.

Start your migration early to validate these changes against your workloads.

Source: https://dev.to/gustavo_gated/the-2026-07-28-mcp-spec-a-server-readiness-checklist-14nf
