MCP goes stateless: build your agent integrations on the standard
The July 28 MCP release candidate drops session pinning and the handshake. The agent-tool standard is stabilizing — build your integrations to own the layer.
The protocol that connects AI agents to your tools and data just had its biggest revision since launch — and the headline change is that it's getting simpler. The Model Context Protocol's 2026-07-28 release candidate makes MCP stateless at the protocol layer, which sounds like a plumbing detail and is actually a signal worth acting on: the standard your agent integrations will speak is stabilizing enough to build on.
What actually happened
Per the MCP spec blog, the release candidate was locked May 21 with the final spec landing July 28, 2026, after a ten-week window for SDK maintainers to test against real workloads. The big change: MCP drops the initialize/initialized handshake and the Mcp-Session-Id header that used to pin a client to one specific server instance. Servers that needed sticky sessions, a shared session store, and deep packet inspection at the gateway can now sit behind a plain round-robin load balancer. When an app genuinely needs state, tools return explicit handles that the model passes back as arguments — state becomes visible and intentional instead of hidden in the transport.
The rest of the release reads like a protocol growing up: authorization hardening (clients validate the iss parameter per RFC 9207), a formal extensions framework with the first two official extensions — MCP Apps (server-rendered UIs in sandboxed iframes) and Tasks — full JSON Schema 2020-12 for tool definitions, and header-based routing plus client-side caching of tool/resource lists. Older features like Roots, Sampling, and Logging are deprecated under a new lifecycle policy that guarantees at least twelve months before anything is removed.
Why it matters for your business
For most operators, MCP is invisible — it's how the AI you use reaches your calendar, your inventory, your customer records. But "invisible" is exactly why the standardizing matters. Two years ago, every AI-to-tool connection was a bespoke integration that broke when a vendor shipped an update. A stable, stateless standard means the connective tissue between your systems and whatever model you're using this quarter stops being a one-off you re-pay for every time you switch tools.
The stateless redesign is also a portability win you can feel in the bill: stateless servers are cheaper to run and far easier to scale, which is the difference between an integration you host yourself and one you rent from whoever locked you in. If you're commissioning custom AI work in 2026, the question to ask your builder is simple — are we building on MCP, or on some vendor's proprietary connector that only works until they change their mind? Build for the standard, and the plumbing you pay for once keeps working when the models underneath it don't.
Key takeaways
- The 2026-07-28 MCP release candidate is the protocol's largest revision since launch — it makes MCP stateless, dropping session pinning and the init handshake
- Stateless servers can run behind ordinary load balancers instead of sticky-session infrastructure — cheaper to host, easier to own and scale
- The release adds authz hardening (RFC 9207), a formal extensions framework, MCP Apps and Tasks, and full JSON Schema 2020-12 for tools
- The operator's lesson: a stabilizing open standard means your AI-to-tool integrations stop being disposable — build on MCP, not a proprietary connector
Wiring AI into the tools you already run? We build agent integrations on open standards like MCP — so the connection between your systems and your AI is portable, hostable by you, and doesn't evaporate when you switch models or vendors. See what we build or tell us what you're connecting.
Sources: Model Context Protocol — 2026-07-28 Release Candidate.
- #mcp
- #ai-agents
- #developer-tools
- #integration
- #standards
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Ubiquiti UniFi CVSS 10: patch the box that runs your office
Ubiquiti's UniFi Connect flaw CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on the host. Patch to 3.4.20 now.
Read itJoomla page builders hit CVSS 10.0: patch your CMS now
Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.
Read it