June 25, 2026 Infrastructure

MCP's 2026-07-28 Spec Rewrites the Protocol for Stateless Enterprise Scale

The Model Context Protocol is preparing its largest revision since launch. The 2026-07-28 release candidate locked on May 21, 2026, and the final specification publishes on July 28, 2026. Akamai's security research published June 25 frames the shift clearly: MCP is moving from a local, single-user integration tool toward a stateless, cloud-native platform built for enterprise deployment. That transition removes several protocol-level risks but hands implementers new responsibilities around state, auth, and UI surfaces.

Stateless Core on Ordinary HTTP

The headline architectural change is removal of protocol-managed sessions. Earlier MCP versions kept session state on the server, which complicated horizontal scaling and created session hijacking surfaces when deployments grew beyond a single machine. The 2026-07-28 spec replaces persistent sessions with client-held tracking identifiers and state objects carried on each request.

Six Specification Enhancement Proposals work together to deliver multi-round-trip requests on commodity HTTP infrastructure without requiring sticky sessions or bespoke connection brokers. Standardized headers (including routing metadata like method and resource names) help gateways and proxies route MCP traffic predictably, which matters once MCP servers sit behind corporate API gateways rather than on a developer laptop.

If you operate a remote MCP server today, plan a migration branch before July 28. Transport, authorization, and tool schema handling all change in ways that break compatibility with the 2025-11-25 revision.

MCP Apps and Tasks as First-Class Extensions

Two extensions promoted in the release candidate change what agents can return beyond plain text:

  • MCP Apps let a tool return interactive UI rendered in a sandboxed iframe inside the host application: forms, dashboards, document viewers, and configuration panels that agents can populate without the client inventing its own UI layer.
  • Tasks model long-running work as a durable state machine the client drives with tasks/get, tasks/update, and tasks/cancel, so agents can hand off work that outlasts a single chat turn.

Both extensions negotiate through a capabilities map of reverse-DNS-identified extensions. Clients and servers advertise support, and an extension runs only when both sides agree. That pattern lets Apps and Tasks ship on their own timeline without blocking the core protocol ratification.

Authorization Hardening and EMA

OAuth moves closer to a first-class requirement. Legacy password and implicit grants disappear; OAuth 2.1 with PKCE becomes the baseline for remote servers. That aligns MCP deployments with how enterprise IdPs already expect SaaS integrations to authenticate.

Enterprise-Managed Authorization (EMA), which reached stable status in June with early adopters including Okta, Claude, VS Code, and Figma, fits this revision as the org-controlled delegation path we covered in our EMA stable article. Silent SSO through the corporate IdP becomes the default enterprise story rather than per-developer OAuth consent screens.

Security: Old Risks Out, New Surfaces In

Akamai's June 25 analysis notes genuine protocol improvements: fewer unsolicited server-initiated prompts, stricter auth, and no server-side session table to hijack. The security question shifts to implementation quality.

Developers and platform operators must now treat client-supplied state and metadata as untrusted input, validate extension UI content to prevent cross-site scripting in MCP Apps panels, enforce resource quotas on long-running Tasks, and apply output encoding before agent-generated HTML reaches a browser surface. The protocol no longer enforces those boundaries automatically; your server and gateway do.
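One way a server can treat client-held state as untrusted, as an added example (not the MCP project's code or spec text): the server seals the state object with an HMAC when it hands it to the client and re-checks size, integrity tag, schema and age on every request before reading anything from it. The header name, field names and TTL are assumptions, not spec values.

```python
import base64, hashlib, hmac, json, time

# Added example, not the MCP project's code; header and field names are assumptions.
STATE_HEADER = "MCP-State"          # assumed header carrying the client-held state object
STATE_TTL_SECONDS = 900             # assumed policy: a state object is valid for 15 minutes
ALLOWED_FIELDS = {"tracking_id", "cursor", "issued_at"}   # assumed state schema
MAX_TOKEN_BYTES = 4096              # size cap enforced before any parsing

def seal_state(state, key, now=None):
    """Server mints a state object: canonical JSON body plus an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    body = dict(state, issued_at=int(now))
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    # '.' never appears in the urlsafe base64 alphabet, so it is a safe separator
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def open_state(token, key, now=None):
    """Verify a client-supplied state object. The client's bytes are untrusted
    until the size, integrity, schema and age checks all pass."""
    now = time.time() if now is None else now
    if len(token) > MAX_TOKEN_BYTES:
        raise ValueError("state token too large")
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed state token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("state token failed integrity check")
    state = json.loads(payload)                   # parsed only after the tag verifies
    if not isinstance(state, dict) or set(state) - ALLOWED_FIELDS:
        raise ValueError("state contains unexpected fields")
    if not isinstance(state.get("issued_at"), int):
        raise ValueError("state missing issued_at")
    if now - state["issued_at"] > STATE_TTL_SECONDS:
        raise ValueError("state token expired")
    return state

def handle_request(headers, key, now=None):
    """Outcome a stateless server would return for one request."""
    token = headers.get(STATE_HEADER)
    if token is None:
        return {"ok": False, "error": "missing state header"}
    try:
        return {"ok": True, "tracking_id": open_state(token, key, now).get("tracking_id")}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
```

Because the server keeps no session table, the key used here is the only thing tying a presented state object to something the server actually issued, so it needs the same rotation and storage discipline as any other signing key.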

That connects directly to lessons from Microsoft's AutoJack demonstration, where localhost trust assumptions in agent frameworks chained into remote code execution. Stateless MCP does not remove local trust problems; it changes where state and auth decisions live.

Timeline and Deprecation

The release candidate is fixed. The ten-week validation window between May 21 and July 28 is for SDK maintainers and client implementers to test against production-shaped workloads. Tier 1 SDKs are expected to ship support within that window.

The final release includes breaking changes against 2025-11-25 and a formal 12-month deprecation window for selected legacy behavior, giving teams time to migrate servers, clients, and gateway policies without a single cutover weekend.

What MCP Directory Operators Should Do Now

  1. Audit servers in your MCP directory against transport and auth requirements in the RC draft spec.
  2. If you publish MCP servers, test stateless request flows and OAuth 2.1 flows in a staging environment before July 28.
  3. Plan gateway rules for MCP Apps and Tasks if your security team governs agent tool access at the network edge.
  4. Track the official changelog against 2025-11-25 when the final spec drops; method names and extension identifiers in the RC may still adjust during validation.

MCP's 2026-07-28 revision is the infrastructure story behind the agent tooling explosion of 2026. EMA stable, Figma's MCP connectors, and Copilot's MCP tool panel all assume a protocol that can scale past a developer's laptop. This spec is the blueprint for that scale, with the migration work attached.

Source: blog.modelcontextprotocol.io