𝗧𝗵𝗲 𝟮𝟬𝟮𝟲 𝗠𝗖𝗣 𝗦𝗽𝗲𝗰: 𝗔 𝗦𝗲𝗿𝘃𝗲𝗿 𝗥𝗲𝗮𝗱𝗶𝗻𝗲𝘀𝘀 𝗖𝗵𝗲𝗰𝗸𝗹𝗶𝘀𝘁

The next Model Context Protocol (MCP) specification arrives on July 28. This is the largest update since the protocol launched. It includes breaking changes to transport, authorization, and tool schemas.

If your server follows the 2025-11-25 spec, it works today. However, these changes include new security properties for request routing and cache scope.

Use this checklist to prepare your server before the deadline.

𝗠𝗮𝗷𝗼𝗿 𝗖𝗵𝗮𝗻𝗴𝗲𝘀: 𝗦𝘁𝗮𝘁𝗲𝗹𝗲𝘀𝘀 𝗣𝗿𝗼𝘁𝗼𝗰𝗼𝗹

MCP is moving to a stateless model at the protocol layer.

  • Remove the initialize/initialized handshake.
  • Move protocol version and client info into the _meta field of every request.
  • Implement server/discover for capability negotiation.
  • Stop using Mcp-Session-Id and remove the need for sticky sessions.
  • Move cross-call state to explicit tool arguments (like a basket_id).
  • Use Mcp-Method and Mcp-Name headers for Streamable HTTP.
  • Reject requests where headers and the body do not match.

𝗛𝗮𝗻𝗱𝗹𝗶𝗻𝗴 𝗜𝗻𝗽𝘂𝘁 𝗮𝗻𝗱 𝗦𝗲𝗿𝘃𝗲𝗿-𝗜𝗻𝗶𝘁𝗶𝗮𝘁𝗲𝗱 𝗥𝗲𝗾𝘂𝗲𝘀𝘁𝘀

A stateless protocol still needs to ask clients for information.

  • Issue server-initiated requests only while processing a client request.
  • Use InputRequiredResult instead of keeping an SSE stream open.
  • Treat requestState as untrusted. Sign or encrypt it to prevent replay attacks.
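An added example, not code from the original post or the MCP specification: one way to make requestState tamper-evident with an HMAC tag and to limit replay with an expiry, caller binding and a single-use id, which goes a step beyond the bullet above. The helper names, claim fields, key handling and the `seen_jti` store are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: one secret shared by every stateless replica, loaded from a
# secret store in production. Generated here so the example runs offline.
STATE_KEY = secrets.token_bytes(32)
MAX_AGE_S = 300  # assumed lifetime of one input round trip

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seal_state(state, subject, method, now=None):
    """Wrap server state for a round trip through the client (hypothetical helper)."""
    now = int(time.time() if now is None else now)
    claims = {"s": state, "sub": subject, "m": method,
              "exp": now + MAX_AGE_S, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def open_state(token, subject, method, seen_jti, now=None):
    """Return the state, or raise ValueError. Nothing is parsed before the MAC passes."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64d(body_b64), b64d(tag_b64)
    except Exception:
        raise ValueError("malformed requestState") from None
    expected = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise ValueError("expired")
    if claims["sub"] != subject or claims["m"] != method:
        raise ValueError("bound to a different caller or method")
    # Single use: seen_jti stands in for a shared store with a TTL of MAX_AGE_S.
    if claims["jti"] in seen_jti:
        raise ValueError("replayed")
    seen_jti.add(claims["jti"])
    return claims["s"]
```

The signature alone only detects modification; the expiry, binding and single-use id are what stop a valid blob from being reused later or by another caller.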

𝗖𝗮𝗰𝗵𝗲 𝗮𝗻𝗱 𝗧𝗿𝗮𝗰𝗶𝗻𝗴

New fields help manage data freshness and visibility.

  • Add ttlMs and cacheScope to list and resource-read results.
  • Set cacheScope to match user or tenant sensitivity.
  • Use fixed W3C Trace Context key names in _meta.
  • Scrub sensitive data from the baggage field at trust boundaries.

𝗔𝘂𝘁𝗵𝗼𝗿𝗶𝘇𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗦𝗰𝗵𝗲𝗺𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆

The spec aligns more closely with OAuth 2.0 and improves schema safety.

  • Supply the iss parameter on authorization responses.
  • Honor application_type in Dynamic Client Registration.
  • Adopt JSON Schema 2020-12 for tool schemas.
  • Never auto-dereference external $ref URIs to avoid SSRF attacks.
  • Limit schema depth and validation time to prevent DoS.
  • Return -32602 for missing resources instead of -32002.

𝗗𝗲𝗽𝗿𝗲𝗰𝗮𝘁𝗶𝗼𝗻𝘀 𝗮𝗻𝗱 𝗘𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻𝘀

Roots, Sampling, and Logging are deprecated. Plan to migrate to tool parameters, LLM provider APIs, or OpenTelemetry.

  • Negotiate extensions through the capabilities map.
  • Migrate experimental Tasks usage to the new extension lifecycle.
  • Declare MCP Apps UI templates ahead of time for host review.

Start your migration early to validate these changes against your workloads.

Source: https://dev.to/gustavo_gated/the-2026-07-28-mcp-spec-a-server-readiness-checklist-14nf
