DEV Community

Dr. Agentic
Dr. Agentic

Posted on

MCP Just Grew Up — What the 2026-07-28 Spec Actually Means

The news hook

On May 21, 2026, the team behind the Model Context Protocol (MCP) locked the release candidate for version 2026-07-28. The final version ships July 28. It is the largest change to MCP since Anthropic first published it in late 2024.

MCP is the open standard that lets AI agents talk to outside tools. When your assistant reads a file, sends an email, or queries a database through an AI agent, MCP is often the wiring underneath. It has grown fast. By mid-2026 there are about 97 million MCP SDK downloads a month, roughly 28% of the Fortune 500 run MCP-backed agents in production, and the contributor community on Discord has passed 2,900 people.

The update matters because MCP is leaving its "experimental Anthropic project" phase behind.


The reframe

MCP now lives under the Linux Foundation, the same vendor-neutral home that hosts Kubernetes and the Linux kernel. Decisions happen through public proposals (called SEPs) and biweekly votes by named maintainers. The current Lead Maintainers are David Soria Parra and Den Delimarsky.

What changes on July 28 is not a feature. It is the protocol becoming the kind of standard any company can build on, not just the kind one lab invented.


The four things that actually change

1. The protocol stops keeping secrets.

Until now, when an AI agent and a tool server connected, they exchanged a "session ID." Every follow-up message had to carry that ID, which meant every request had to land on the same server instance.

Starting July 28, the session ID is gone. Each request carries everything it needs. Any server in the cluster can handle it. The protocol no longer hides state in transport metadata. If a tool needs to remember something across calls, the server returns a normal ID (like basket_123) and the model passes it back on the next call. The state is visible to the model, not buried in the protocol.

The practical effect: a company can now run MCP servers behind a plain round-robin load balancer. No sticky sessions. No special gateway. No shared memory between servers.

2. New capabilities ship as extensions, not core changes.

This is the structural fix that should keep MCP from breaking every six months. A new Extensions framework gives new features their own homes, their own version numbers, and their own maintainers. They can stabilize there before (or if) they ever graduate into the core spec.

Two extensions ship as official in this release:

  • MCP Apps. Servers can now deliver interactive HTML interfaces (a chart, a form, a video player) that render inside the chat in a sandboxed iframe. The UI talks back to the host through the same plumbing MCP already uses, so every click and keystroke goes through the same audit trail as a normal tool call.
  • Tasks. Long-running work (think "run this analysis and come back in ten minutes") gets a proper lifecycle. The server decides when a call should run as a task, hands the client a handle, and the client polls, updates, or cancels it.

Both extensions were built collaboratively. MCP Apps was co-developed with the MCP-UI maintainers at OpenAI and Anthropic. That kind of cross-vendor agreement on UI transport is rare, and it is the reason the extension feels finished.

3. Authorization gets real-world hardening.

Six proposals in this release fix the parts of MCP's authentication that did not survive contact with actual enterprise identity systems. The headline change is small and important: clients must now check the iss (issuer) field on every authorization response, per RFC 9207. That single check closes a class of "mix-up" attack that is uniquely dangerous in MCP's pattern of one client talking to many servers.

The other five clean up registration, refresh tokens, scope escalation, and discovery. None are exciting on their own. Together they are the difference between MCP working in a demo and MCP working in a Fortune 500 procurement review.

4. Old features get a 12-month deprecation floor.

For the first time, MCP has a formal lifecycle policy. Once a feature is marked deprecated, it has to keep working for at least twelve months before it can be removed, and removing it requires its own public proposal.

Three features are deprecated in this release. Roots (a way to point the model at filesystem paths) is being folded into ordinary tool arguments. Sampling (letting servers ask the model to generate text) is being moved to direct integration with model providers. Logging is moving from a custom MCP mechanism to plain stderr for command-line tools and OpenTelemetry for structured observability.

The policy matters more than any individual deprecation. It is the rule that tells builders their code will not break under them between releases.


The punchline

Until now, MCP has been the protocol that worked, sort of, if you set up the right infrastructure. After July 28, MCP is the protocol that runs on the infrastructure you already have.

Stateless core. Ordinary load balancers. Observability through OpenTelemetry. Authentication through the same OAuth servers your enterprise already uses. UI extensions co-developed by the two biggest labs. Deprecation floors that respect implementers.

The MCP project's own framing is the right one. This was the foundational change that needed a clean break. Future revisions are not expected to require transport rewrites. They ship as extensions or as conformance-tested updates.

For the teams shipping agents, the next 23 days are not a "skip and migrate next quarter" window. They are the window in which your code picks the version it will live on for the next several years.


Sources


Filed in content/mcp-2026-07-28-article.md. The deep-dive research that grounded this article is in content/mcp-2026-07-28-explainer.md.

Top comments (0)