The Model Context Protocol is about to get its most sweeping update since launch. The MCP team has published the release candidate for the 2026-07-28 specification, with the final version scheduled to ship on July 28 — and the changes reach deep into how AI agents connect to tools, data, and enterprise infrastructure. For the fast-growing ecosystem of agentic AI platforms built on MCP, this is the release that determines how the next generation of agent deployments will scale.
A Stateless Core Built for Real Infrastructure
The headline change is architectural. The new specification removes protocol-level sessions from the Streamable HTTP transport, retiring the Mcp-Session-Id header that forced remote MCP servers to maintain sticky sessions and shared session stores. Under the revised design, a remote server can sit behind an ordinary round-robin load balancer — the kind of plain HTTP infrastructure that enterprises already run at scale.
To make that work in practice, the transport now requires new Mcp-Method and Mcp-Name headers, defined in SEP-2243, so gateways, rate limiters, and load balancers can route requests based on the operation without inspecting message bodies. The release also brings HTTP-style caching to the protocol: list and resource read results can now carry ttlMs and cacheScope values modeled on Cache-Control, and W3C Trace Context propagation is formally documented for observability across agent call chains.
The release candidate was locked on May 21, giving SDK maintainers and client implementers a roughly ten-week validation window before the final specification lands. A new feature lifecycle policy adds predictability for teams building on the protocol: every feature now moves through Active, Deprecated, and Removed stages, with at least twelve months between deprecation and the earliest possible removal.
Extensions: Apps, Tasks, and Enterprise Auth
Beyond the core, the 2026-07-28 release delivers on the extensions promised in this year's roadmap. MCP Apps enables server-rendered user interfaces inside agent experiences, while the Tasks extension gives agents a standard way to manage long-running work — a persistent gap for agentic systems that operate over hours rather than seconds.
Authorization is the other major front. The specification aligns more closely with existing OAuth and OpenID Connect deployments, and earlier this month the MCP team promoted its Enterprise-Managed Authorization extension to stable status. As InfoQ reported, the extension gives organizations a centralized way to govern access to MCP servers through their identity provider, using an Identity Assertion JWT Authorization Grant that is exchanged for an access token. Anthropic, Microsoft, and Okta are among the early adopters, with Okta the first identity provider named in the launch.
Security Researchers See New Attack Surfaces
Not everyone is celebrating without reservation. Security analysts reviewing the new specification argue that while it enables enterprise-scale deployments, it also shifts critical security responsibilities from the protocol to developers and platform operators.
Analysis highlighted by SecurityWeek credits the revision with real wins — ending session hijacking as a threat class, blocking unsolicited server-initiated prompts, and strengthening authentication standards. But it also flags fresh risks: protocol confusion attacks that exploit desync between components, potential data leakage through the new routing headers, cross-site scripting exposure introduced by MCP Apps interfaces, and denial-of-service vectors opened up by long-running tasks.
The mood in the security community is notably cautious. RSA conference organizers reportedly found that fewer than 4 percent of MCP-related submissions framed the protocol primarily as an opportunity — the overwhelming majority focused on risk.
Why It Matters
MCP has become the de facto wiring standard for agentic AI, connecting models from every major lab to enterprise tools, data sources, and each other. A stateless, cacheable, identity-aware protocol removes the biggest operational objections enterprises had to running MCP servers in production — and the twelve-month deprecation window means legacy implementations will not break overnight.
- Platform teams gain a migration runway, but should review session assumptions and auth implementations now rather than waiting for the final release.
- Identity-provider integration makes agent access governable through the same systems enterprises already use for human employees.
- The new attack surfaces are manageable, but only for teams that treat the July 28 transition as a security project, not just a version bump.
The protocol's maintainers describe this release as MCP growing up. The more accurate framing may be that agentic AI itself is growing up — and its plumbing is finally being rebuilt to match the scale of what enterprises are asking agents to do. With the final specification days away, the window for implementers to test against the release candidate is closing fast, and the teams that validate early will be the ones shipping smoothly in August.
