The Model Context Protocol specification shipping on July 28, 2026 removes the protocol-level session entirely. No initialize handshake. No session ID. Any request can hit any server instance. The release candidate locked on May 21, and the 10-week validation window closes when the final spec publishes.
This is the largest revision of MCP since Anthropic launched the protocol in November 2024. The Agentic AI Foundation (AAIF) under the Linux Foundation now governs the specification, and lead maintainers David Soria Parra and Den Delimarsky published the release candidate on the official MCP blog.
What Changes
Six Specification Enhancement Proposals (SEPs) work together to make MCP stateless at the protocol layer.
The initialize handshake is gone (SEP-2575). The 2025-11-25 specification required every client to send an initialize request before any tool call. The server returned a session ID. Every subsequent request carried that ID. The 2026-07-28 specification removes this entirely. Protocol version, client info, and capabilities now travel inline in a _meta field on each request.
The session ID is gone (SEP-2567). The Mcp-Session-Id header that pinned a client to one server instance is removed. Any MCP request can now land on any server instance behind a load balancer. Sticky sessions, shared session stores, and gateway logic that parsed MCP-specific headers are no longer required at the protocol layer.
New routing headers (SEP-2243). Every Streamable HTTP request now carries Mcp-Method (the JSON-RPC method, like tools/call) and Mcp-Name (the tool or resource name) as HTTP headers. Load balancers, gateways, and rate limiters can route traffic without opening the request body. Servers reject requests where the headers and body disagree.
Client-side caching (SEP-2549). Tool and resource list responses now carry ttlMs and cacheScope fields. Clients know exactly how long a tools/list response is valid and whether it can be shared across users. Redundant polling drops.
What Gets Deprecated
Three features enter deprecation, not removal:
Roots. Replaced by tool parameters or configuration.
Sampling. Servers that piggybacked on the client’s LLM for completions are directed to call LLM provider APIs directly.
Logging. Replaced by stderr or OpenTelemetry.
The new deprecation policy (SEP-2596) guarantees a minimum 12-month window between deprecation and removal. All three features continue to work in the 2026-07-28 specification and in every spec version published within the next 12 months.
What Gets Added
The Extensions framework. Capabilities like Tasks and MCP Apps ship as negotiated extensions rather than core protocol features. Servers and clients declare which extensions they support. Unrecognized extensions are ignored, not rejected.
Tasks extension. Long-running operations (CI pipelines, batch processing, human-in-the-loop approvals) get a formal lifecycle: create, poll, cancel, resume.
MCP Apps. Server-rendered UIs that display directly inside the client. A server can return an HTML panel (a dashboard, a form, a visualization) that the client renders inline. UI actions route through the same JSON-RPC consent path as tool calls.
Multi-round-trip requests (SEP-2322). A server can pause mid-call and request input from the client. The server returns an InputRequiredResult with a requestState payload. The client gathers the answer and reissues the call with inputResponses. Because the state travels in the payload, any server instance can process the retry.
What This Means for Claude Desktop, Cursor, and Other Clients
The 10-week validation window (May 21 to July 28) is for SDK maintainers and client implementers to ship support. Tier 1 SDKs (TypeScript, Python) are expected to ship within this window.
Clients built on the 2025-11-25 specification continue to work. The deprecation policy guarantees backward compatibility during the overlap period. The migration path for most users is invisible: update the client application, and the new protocol behavior applies automatically.
Server authors have more work. Any server that relies on the initialize handshake, the session ID, or protocol-level session state needs refactoring before July 28. The specification recommends minting explicit handles (a browser_id, a task_id) as ordinary tool arguments instead of relying on transport-level session state.
Timeline
May 21, 2026: Release candidate locked. Spec text frozen for validation.
July 28, 2026: Final specification publishes. SDK support expected same day for Tier 1.
12 months after July 28: Earliest possible removal of deprecated features (Roots, Sampling, Logging).
The full release candidate is in the draft specification on the MCP GitHub repository. The release candidate announcement is on the official MCP blog.