SEP-2575: Make MCP Stateless by kurtisvg · Pull Request #2575 · modelcontextprotocol/modelcontextprotocol

kurtisvg · 2026-04-14T21:16:21Z

Summary

This PR introduces a SEP for making MCP stateless-by-default, migrated from the original issue discussion at #1442 into the PR-based SEP format per SEP-1850.

Motivation

The current MCP specification requires a mandatory initialization handshake that establishes persistent session state. This creates significant challenges for scalability (load balancing requires sticky sessions), resilience (server failure loses session state), and implementation complexity (both client and server must manage session lifecycles).

What This SEP Proposes

This SEP removes the initialization handshake and replaces it with discrete, stateless alternatives following a "pay as you go" model:

Per-request protocol version — via MCP-Protocol-Version HTTP header and _meta field, with version negotiation through UnsupportedVersionError responses
server/discover RPC — optional discovery endpoint for server capabilities, supported versions, and metadata, replacing the capability exchange from initialization
Per-request client capabilities — clients specify capabilities in _meta per-request instead of negotiating once at connection time
messages/listen RPC — dedicated endpoint for client-initiated streaming, replacing the existing GET endpoint behavior for Streamable HTTP

Relationship to Other SEPs

This SEP focuses on removing the initialization handshake and providing stateless alternatives. Session-related concerns are handled separately:

SEP-2322: Multi Round-Trip Requests — addresses transport-level session removal
SEP-2567: Sessionless MCP via Explicit State Handles — addresses application-level state via explicit state handles instead of sessions

The content of this SEP will be updated in subsequent commits to reflect these decisions and remove session-related material that is now covered by those SEPs.

Fixes #1442

pja-ant · 2026-04-15T11:05:20Z

+server **MUST** return a `Method not found` JSON-RPC error (`-32601`). For HTTP,
+the response status code MUST be `404 Not Found`.
+
+#### `server/discover` RPC


Should we add the ttl to this that @CaitieM20 is proposing in the other SEP?

One thought on my mind is that for older server/newer client compatibility, realistically the client will actually need to remember the server's older protocol version if it wants to avoid an error on every request trying to figure out the compatible version, so we need a way to cache that.

Agree it should be added somewhere. I wasn't sure which would get merged first.

FWIW, I was going to suggest the exact same thing. I'd prefer to err on the side of putting it in both places, to make sure it doesn't get missed. :)

dsp-ant · 2026-04-16T14:41:47Z

+export interface RequestMetaObject extends MetaObject {
+  progressToken?: ProgressToken;
+ /**
+  * The MCP Protocol Version being used for this request.
+  */
+ "io.modelcontextprotocol/protocolVersion": string;
+}


I wonder if we are overloading _meta here over time. Would we ever add any top level field anymore or shove everything into meta? For me the distinction might be more along the lines of what is a required field by the protocol vs what is an optional field or something provided by an extension. I can't fully point my finger at it, but it feels more right to me, to have a top protocolVersion field instead.

I think we started with a top-level field, and there was some feedback that we should use _meta instead because of this line in the spec:

Additionally, definitions in the schema may reserve particular names for purpose-specific metadata, as declared in those definitions.

Is protocolVersion the only field you think makes sense at the top level? Or should the others be as well?

mkouba · 2026-06-15T14:14:45Z

I'm sorry, but if I read the Subscriptions section in the current DRAFT, it's not stateless at all. As pointed out in #2575 (comment) - the subscriptions/listen reintroduces per-connection state.

So yes, I do understand that you don't need a session, but merely an HTTP connection (for Streamable HTTP transport), but what's the point? I mean, you won't be able to scale an application anyway because the subscription is bound to a specific server instance. Or am I missing something obvious?

Support [SEP-2575](modelcontextprotocol/modelcontextprotocol#2575) This PR also updates our custom auth error code since it contradicts with some new errors added in this SEP.: ``` // Custom auth error codes UNAUTHORIZED = -401 FORBIDDEN = -403 ``` For stdio transport: * If `_meta.io.modelcontextprotocol/protocolVersion` was provided, it will use the protocol version specified (take precedence over existing version). * Else, it will use the version during initialization method. * If no initialization method was called, it will default to `v2024-11-05` similar to Toolbox's HTTP transport. Toolbox had a custom transport on v2024-11-05 --> "regular" HTTP POST (without SSE), that does not enforce the initialize method For HTTP transport: * Use the version that was specified in header as protocol version. * If it specified the DRAFT version, it will check against `_meta.io.modelcontextprotocol/protocolVersion` to validate.

kurtisvg self-assigned this Apr 14, 2026

kurtisvg changed the title ~~SEP-XXXX: Make MCP Stateless~~ SEP-2575: Make MCP Stateless Apr 14, 2026

kurtisvg requested review from a team as code owners April 14, 2026 21:48

kurtisvg added SEP transport Related to MCP transports labels Apr 14, 2026

github-project-automation Bot added this to SEP Review Pipeline Apr 14, 2026

ggoodman reviewed Apr 15, 2026

View reviewed changes