If you run remote MCP servers for coding agents, the boring part of the stack just got a real upgrade.
The Model Context Protocol project published a release candidate for the 2026-07-28 specification — the biggest revision since launch. Final ships July 28, 2026. Alongside it: a stable Enterprise-Managed Authorization extension and beta SDKs in Python, TypeScript, Go, and C#.
This is not a model-launch week post. It's infrastructure. And infrastructure is what decides whether agent demos survive contact with production.
If you've been watching the shift from chatbots to coding agents, this is the plumbing layer catching up.
Why this matters more than another "agent" launch
MCP is how hosts like Claude, Claude Code, Codex-style tools, Cursor-class IDEs, and custom harnesses talk to tools and data. When that protocol is stateful and awkward to scale, every remote tool server becomes a special snowflake:
- sticky sessions at the load balancer
- shared session stores
- gateway rules that parse JSON bodies just to route
- per-user OAuth consent for every server in the org
That is fine for a laptop demo. It is painful when you have fleets of agents calling fleets of tools. The RC is aimed at that pain.
The big change: protocol-level sessions are gone
Before (2025-11-25 style)
You initialize once, get an Mcp-Session-Id, and every later call has to hit the instance that owns that session. Horizontal scale means sticky routing or a shared session store.
After (2026-07-28 RC)
The initialize handshake and protocol session are removed. Each request is self-describing. Client info, protocol version, and capabilities travel in _meta. Any instance can answer any request.
The official RC post shows the shape of a tool call:
POST /mcp HTTP/1.1
MCP-Protocol-Version: 2026-07-28
Mcp-Method: tools/call
Mcp-Name: search
Content-Type: application/json
{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"search","arguments":{"q":"otters"},
"_meta":{"io.modelcontextprotocol/clientInfo":{"name":"my-app","version":"1.0"}}}}
Practical effect: round-robin load balancers become normal again. That is the sentence ops teams have been waiting for.
Stateless protocol does not mean stateless apps
MCP is explicit about this. If your tool needs multi-step state, mint a handle (basket_id, browser_id, workspace_id) and have the model pass it back as a normal argument. The state becomes visible to the agent instead of hidden in transport metadata — which is usually better for debugging and for multi-agent handoffs.
Same idea as the safety mindset in agent systems: make authority and state explicit, not ambient. That pairs with the production instincts in coding agents tripping EDR alarms — different layer, same rule: don't rely on hidden session magic.
Multi Round-Trip Requests: prompts without sticky SSE
Servers still need to ask the user something mid-tool-call (confirm delete, pick a branch, approve a spend). Holding an SSE stream open and pinning a session was the old answer.
The RC replaces that with Multi Round-Trip Requests:
- Server returns
InputRequiredResult+ opaquerequestState - Client collects answers
- Client re-issues the tool call with
inputResponses+ the samerequestState - Any instance can continue the work
No long-lived connection required for "are you sure?" That is a huge deal for serverless and multi-AZ fleets.
Headers that gateways can actually use
Streamable HTTP now expects routing-friendly headers:
Mcp-Method-
Mcp-Name(when a tool/resource/prompt is named)
Gateways and rate limiters can route without body inspection. Servers reject header/body mismatches.
Also useful in production:
-
ttlMs/cacheScopeon list/read results so clients can cachetools/list - W3C Trace Context names locked so OpenTelemetry traces can span host → client SDK → MCP server → downstream
If you care about reliability of agent systems (not just model quality), this is where real levers live. Tool discovery thrash and blind routing show up as ops pain as much as bad prompts do.
Enterprise auth finally matches how companies work
Per-user OAuth for every MCP server does not scale in a company:
- onboarding becomes a consent gauntlet
- security cannot enforce one policy
- personal vs corporate accounts blur
The Enterprise-Managed Authorization (EMA) extension is now stable. The org IdP becomes the decision plane. Users SSO once; admins grant server access by group/role; clients exchange an Identity Assertion JWT Authorization Grant (ID-JAG) for audience-restricted access tokens without per-server consent screens.
Early ecosystem signals from the official post:
- IdP: Okta first (Cross App Access / XAA)
- Clients: Anthropic's shared MCP layer (Claude, Claude Code, Cowork), VS Code preview support
- Servers: Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase (with more in flight)
This is the enterprise companion to model/agent productization stories like ChatGPT Work: agents only become default work software when identity, audit, and policy are not duct-taped on later.
What is deprecated (and what is not on fire)
Under the new lifecycle policy, Roots, Sampling, and Logging are deprecated with replacements:
| Deprecated | Prefer |
|---|---|
| Roots | tool params, resource URIs, server config |
| Sampling | direct provider APIs |
| Logging | stderr (stdio) / OpenTelemetry |
These are annotation-style deprecations with at least 12 months before possible removal. Do not panic-delete code tonight. Do put them on a migration list.
Also note: missing resources now use standard JSON-RPC -32602 instead of MCP-custom -32002. If you match the literal error code, update clients.
SDK betas: what to install if you want to test
From the SDK beta announcement:
# Python (opt-in pre-release)
pip install "mcp[cli]==2.0.0b1"
# or: uv add "mcp[cli]==2.0.0b1"
# TypeScript v2 (new package names)
npm install @modelcontextprotocol/server@beta
npm install @modelcontextprotocol/client@beta
# Go
go get github.com/modelcontextprotocol/go-sdk@v1.7.0-pre.1
# C#
dotnet add package ModelContextProtocol --prerelease
Important compatibility notes from MCP:
- Stable SDK lines keep working; July 28 is a spec publish date, not a hard kill switch for old traffic
- v2 Python/TS are major versions you adopt on your schedule
- Many stacks keep accepting legacy
2025-11-25handshakes while serving the new revision - Pin exact beta versions; public APIs can still move before stable
If you maintain a library that depends on Python mcp, MCP suggests adding an upper bound now (example pattern: mcp>=1.27,<2) so a stable v2 drop does not surprise your users.
A practical 2-week plan for teams
If you already run remote MCP for agents, do this before July 28:
- Inventory session assumptions. Sticky sessions? Redis session tables? Long-lived SSE required for confirmations? Those are the migration hotspots.
- Stand up a beta branch. Hit real tools, not only hello-world. Especially multi-step tools that elicit user input.
-
Test behind your real gateway. Confirm round-robin works and that
Mcp-Method/Mcp-Nameare preserved end-to-end. - Map auth. Consumer OAuth stays default. If you are enterprise, evaluate EMA with your IdP and host (Claude / VS Code / custom).
-
Scan clients for
-32002. Fix error matching early. - Schedule Roots/Sampling/Logging migration inside the 12-month window. No heroics required this sprint.
- Keep local fallbacks honest. Local stdio servers and local models still matter for offline and sensitive workflows — the same reason OpenClaw + Ollama setups stay useful even as remote MCP matures.
What this is not
- Not a free upgrade to better model quality. Models still fail. Agents still need review.
- Not permission to skip sandboxing and least privilege. Stateless transport does not equal safe tool design.
- Not a reason to rewrite every server on day one. Dual-stack and deprecation windows exist for a reason.
It is a signal that MCP is being treated as infrastructure: deprecation policy, conformance suite gates, extension track, AAIF/Linux Foundation stewardship, and production transport design.
Bottom line
Agent demos sell the dream. Production needs boring HTTP properties: any-instance routing, cacheable discovery, auditable auth, and traceable calls.
The 2026-07-28 RC is MCP choosing boring on purpose. That is the right move.
If you build coding-agent workflows on Claude-class or multi-model stacks (Sonnet 5 era agents, OpenAI-side tool use, local OpenClaw setups), put this on your infra backlog now — while betas still accept feedback.
Sources
- MCP 2026-07-28 release candidate announcement
- MCP SDK betas for 2026-07-28
- Enterprise-Managed Authorization is stable
- Enterprise-Managed Authorization docs
- Draft specification
- Draft changelog vs 2025-11-25
- HackerNoon overview of the mid-2026 MCP updates
Discussion: Are you running remote MCP today with sticky sessions / shared session stores — or still mostly stdio on the developer laptop? What breaks first when you try the stateless path?
Top comments (0)