tlder@devMCP 2026-07-28 Specification Goes Final — Sessions Removed, OAuth Hardened
tlder@dev:~$
AI/ML/MCP

MCP 2026-07-28 Specification Goes Final — Sessions Removed, OAuth Hardened

  • Deadline
  • Action required
  • Breaking change
  • High importance

The RC locked May 21 and a 10-week SDK validation window is now running ahead of the July 28 final. The headline architectural change is a stateless core: sessions (SEP-2567) and the Mcp-Session-Id header are gone, which means MCP servers can finally sit behind ordinary round-robin load balancers without sticky-session hacks. That alone unblocks a class of deployment topologies that were awkward before. Three new extensions land alongside the core rewrite. MCP Apps brings server-rendered UIs into the protocol; the Tasks extension handles long-running work without holding a connection open; and the Authorization update aligns MCP's OAuth 2.0 flows with OpenID Connect. On the deprecation side, Roots, Sampling, and Logging are on a 12-month clock — start planning migrations now if you rely on any of them.