The biggest MCP spec update ships July 28: What changes for AI agent authentication
Blog post from WorkOS
The release candidate for the Model Context Protocol (MCP) 2026-07-28 introduces significant changes, described as the largest revision since the protocol's launch. Key updates include the removal of sessions, the elimination of the initialization handshake, the deprecation of three core features, and a shift to a stateless core, which allows any server instance to handle any request without the need for sticky routing or shared session stores. The authorization framework is strengthened to align with OAuth 2.1 and OpenID Connect, making it more enterprise-ready by requiring OAuth 2.0 Protected Resource Metadata and Resource Indicators. Extensions are now a formal part of the protocol, enabling features like MCP Apps and Tasks to evolve independently. Deprecated features such as Roots, Sampling, and Logging are documented and scheduled for phased removal. The migration deadline is July 28, 2026, and involves updating server and client implementations to accommodate these changes, which are anticipated to enhance the security model by ensuring token validation per request and facilitating standardized extensions for security-relevant capabilities.