Most of the changes in the July 28 MCP specification are additive. Existing servers and clients keep working. But two architectural shifts change how MCP runs in production, and three features are entering a 12-month deprecation clock. Worth knowing before the date hits.
The release candidate locked May 21, 2026. Beta SDKs for Python v2, TypeScript v2, Go v1.7.0, and C# v2.0 have been available since June 29, letting developers test against the new spec before it finalizes. The 10-week validation window ends with the July 28 release.
The protocol is going stateless
Right now, every MCP connection starts with an initialize handshake that creates a sticky session. The client and server agree on protocol version and capabilities up front, and then the server expects every subsequent request from that client to route to the same instance. If the server restarts or a load balancer sends a request to a different node, the session breaks.
After July 28, the handshake is gone. Each request carries protocol version and client info in _meta fields and is otherwise self-contained. A plain round-robin load balancer can distribute requests across instances without any special session logic. For anyone running MCP servers in production, that means simpler infrastructure, lower hosting cost, and fewer dropped connections when servers restart or scale.
The other piece is Multi Round-Trip Requests, which replace Server-Sent Event streams. When a tool needs to ask the user something mid-execution — "which project should I assign this to?" — the server previously held a long-lived SSE connection open. Now it returns a structured InputRequiredResult, the client handles the prompt, and the answer comes back as a new request. Easier to debug, easier to monitor.
The N+M integration math MCP solved in 2025 just got cheaper to run in production.
Enterprise auth finally has a standard
The MCP team shipped Enterprise-Managed Authorization as a stable extension on June 18, 2026. The early adopters tell you who this is for: Okta as the identity provider, Anthropic and Visual Studio Code as clients, and Figma, Linear, and Asana as MCP servers.
The problem it solves is friction. Every employee connecting to five different MCP servers authenticates to each one separately. Security teams have no central control and no unified audit trail. Enterprise-Managed Auth changes both.
Set it up once in your identity provider, and the AI tools you've pre-approved appear automatically when someone logs in. The technical mechanism is an Identity Assertion JWT Authorization Grant — users get tokens tied to their corporate identity, so personal accounts can't accidentally connect to company tools. Every access decision flows through the identity provider with a complete audit log.
One login. Every AI tool your team is authorized to use, connected automatically.
If your company already uses Okta, this is worth setting up now. It's stable and doesn't require waiting for the July 28 finalization.
Three features entering deprecation
Roots, Sampling, and Logging are marked deprecated in the new spec. They still work — the protocol's new lifecycle policy sets a minimum 12-month window before anything can be removed — so if you built integrations using these in 2024 or early 2025, nothing breaks on July 28 or for at least a year after.
The replacements: Roots gives way to standard tool parameters and resource URIs. Sampling — which let MCP servers request LLM completions directly — gives way to calling the LLM provider's API. Logging moves to stderr on stdio transports, or OpenTelemetry for structured output.
Plan the migration while nothing's broken, not after. Tell whoever built your MCP integrations so they're not surprised when the deprecation window eventually closes.
What to do before July 28
If you're using MCP tools through an app that updates itself — Claude Desktop, VS Code, Cursor — you don't need to do anything. SDK maintainers are inside the 10-week validation window and the major clients are already testing betas.
If you've built custom MCP servers or written code that calls MCP APIs directly: grab the beta SDK for your language and run your tests now. Two things to check specifically. First, if any code matches on error code -32002, update it to catch -32602 instead — that's the new standard JSON-RPC code for missing resources. Second, if you used the experimental Tasks extension, the lifecycle API was redesigned — the updated tasks/get, tasks/update, and tasks/cancel flow is in the RC post.
If you're on Okta and want centralized auth for your AI tools, Enterprise-Managed Authorization is stable today. No need to wait.
And if you're still figuring out whether MCP makes sense for your stack, the plain-English MCP explainer we wrote in June covers the basics, and the AI automation work we do includes MCP integration — we're happy to look at your current setup and tell you what's actually worth connecting.
Sources
- The 2026-07-28 MCP Specification Release Candidate — MCP Blog, May 21, 2026
- Beta SDKs for the 2026-07-28 MCP Spec Release Candidate Are Here — MCP Blog, June 29, 2026
- Enterprise-Managed Authorization: Zero-touch OAuth for MCP — MCP Blog, June 18, 2026
— Cole