MCP Goes Stateless: The 2026 Release Candidate Explained

The Model Context Protocol just dropped its biggest release candidate since launch — and if you’re running MCP servers in production, the clock is ticking. The 2026-07-28 RC removes the protocol-level session entirely. No more Mcp-Session-Id. No more initialize handshake. No sticky routing. Any MCP request can now hit any server instance. You have ten weeks before this becomes the final spec on July 28.

MCP Is Infrastructure Now

This isn’t a niche spec update. MCP’s TypeScript and Python SDKs hit 97 million monthly downloads in March 2026 — up from 2 million at launch. There are over 9,400 public servers in production today. More than 80% of Fortune 500 companies running AI agents in production connect those agents to tools via MCP. When this spec ships, it matters to a lot of people, and most of them have existing infrastructure that was built around sessions.

The Session Is Gone

Two specification enhancement proposals combine to make MCP genuinely stateless. SEP-2567 removes the Mcp-Session-Id header and the protocol-level session that came with it. SEP-2575 removes the initialize/initialized handshake — the connection setup that negotiated protocol version, client info, and capabilities at the start of every session. Those values now travel in _meta on every individual request. A new server/discover method covers the cases where clients still need to fetch server capabilities up front.

The practical result: you can run MCP behind a plain round-robin load balancer. No shared session store. No sticky routing. No deep packet inspection to maintain session affinity. It’s just HTTP.

One important clarification: stateless protocol does not mean stateless application. If your server needs to carry state across calls — a shopping cart, a browser session, a running deployment — you can mint an explicit handle and have the model pass it back as a regular tool argument. The protocol doesn’t manage that state anymore; your application does, the way every HTTP API has always done it.

New Headers Are Now Mandatory

Every Streamable HTTP request must now include Mcp-Method (e.g., tools/call) and Mcp-Name (the name of the tool or resource). This lets load balancers, API gateways, and rate limiters route on the operation without buffering and parsing the JSON-RPC body. L7 routing on a header is significantly cheaper than body inspection — your Cloudflare Workers and gateway configs will be simpler, not more complex.

Servers are required to reject requests where the headers and body disagree. That’s a useful integrity check, not a burden.

Three Features Are Being Deprecated

SEP-2577 marks Roots, Sampling, and Logging as deprecated under the new Feature Lifecycle Policy — which means Active, Deprecated, and Removed stages, with at least 12 months between each. These methods still work in the current release and won’t be removable for at least a year after that. But the direction is clear.

Roots gives way to explicit mechanisms: tool parameters, resource URIs, or server configuration. Fine.

Logging gives way to stderr for stdio transports and OpenTelemetry for structured observability. Also fine.

Sampling is the one that will generate friction. Sampling lets MCP server tools piggyback on the client’s LLM for completions — a lightweight way to add inference without calling a separate API. The spec maintainers want servers to make direct LLM provider API calls instead. The argument is cleaner separation of concerns. Developers who built lightweight inference flows using Sampling are now looking at refactoring work. The methods still work today, but plan the migration.

What You’re Getting in Return

The RC isn’t only taking things away. Client-side caching is now standardized: tools/list, resources/list, and resources/read responses carry ttlMs and cacheScope fields. Clients finally know how long a tool list is fresh and whether it’s safe to share across users. Redundant polling drops significantly.

The Tasks extension handles long-running operations — CI pipelines, batch processing, human-in-the-loop approvals. Instead of blocking, servers return a task handle and clients poll with tasks/get. MCP Apps landed in January and is now officially part of the extensions framework: tools can return interactive HTML interfaces that render in sandboxed iframes inside Claude, ChatGPT, VS Code, and Goose.

What to Do Before July 28

The spec ships in ten weeks. Here’s the short list:

1. Remove any infrastructure that depends on Mcp-Session-Id for routing.
2. Add Mcp-Method and Mcp-Name headers to all outgoing Streamable HTTP requests.
3. Test your server behind a standard round-robin load balancer — if it breaks, find where you’re relying on sticky sessions.
4. If you’re using Sampling or Roots, start your migration plan now. You have time, but not unlimited time.
5. Add ttlMs to your tools/list responses so clients can cache them appropriately.

The full 2026 roadmap outlines the four priority areas driving this release: transport scalability, agent communication, governance maturation, and enterprise readiness. The stateless core is the foundation everything else is built on. The ten-week window exists for SDK maintainers and implementers to validate against real workloads — use it.