Been building against MCP for the last four months and the gap between what vendors claim and what the spec actually supports is getting hard to ignore.
If you have not read the official roadmap yet, it is worth your time. The document published by AAIF in March lays things out clearly and honestly. The list of what is still missing is longer than many people in the ecosystem seem willing to admit.
Stateless Streaming Is Not Here Yet
Stateless Streamable HTTP is still marked as in progress. That has real consequences.
Today, if you want to scale horizontally, you are dealing with sticky sessions or putting a stateful proxy in front of your servers. This is not a small implementation detail. It directly affects reliability, cost, and operational complexity.
Every MCP native at scale pitch I have seen quietly works around this with a custom session layer. That may be practical for now, but it is not what people assume when they hear "stateless protocol."
Async Work Is Still DIY
The Tasks primitive for async and long running operations is also in progress.
In practice, this means any agent doing multi minute work is faking async. Most teams end up with polling endpoints, custom retry logic, and their own definitions of job state.
The problem is not just inconvenience. It is fragmentation. Each implementation behaves slightly differently, which makes interoperability harder before it even begins.
Discovery Is Still Manual
Server discovery is another gap that shows up quickly.
The idea of Server Cards exposed via .well known URLs is promising, but not available yet. Right now, you cannot know what an MCP server can do without connecting to it first.
The Registry preview from late 2025 helps, but it is not a replacement for protocol level discovery. You still end up writing glue code just to answer basic capability questions.
Enterprise Auth Is Not Ready
Authentication is where things feel especially incomplete for real world use.
Most implementations today rely on static client secrets. That works for prototypes, but does not align with how larger organizations manage identity and access.
The roadmap calls out SSO integrated cross app access as a priority. That is exactly what is needed. Until it lands, teams are building their own auth layers on top.
The Hidden Cost: Rewrites Later
Put all of this together and a pattern emerges.
If you are building serious MCP infrastructure today, you are not just implementing the spec. You are filling in gaps around session management, async orchestration, discovery, and authentication.
Those gaps come with a cost. Once these features land in the official spec, a lot of today's custom infrastructure will need to be reworked or replaced. Some abstractions will survive. Many will not.
If you are designing systems now, it is worth being explicit about where you are deviating from the spec and how hard it will be to unwind later.
About Those "Production Ready" Claims
This also makes it hard to take production ready MCP gateway claims at face value in April 2026.
There are usually two possibilities. Either the deployment is small enough that these issues have not surfaced yet, or the vendor has built proprietary extensions on top of MCP.
Neither is inherently wrong, but both are very different from what the marketing suggests.
The Good News
None of this is a knock on MCP itself.
The shape of the protocol feels right. The direction is solid. The roadmap is transparent about what is missing, which is more than can be said for many standards at this stage.
But the reality is simple. Production grade tooling is still catching up.
Top comments (0)