TL;DR: MCP 2026-07-28 removes protocol sessions, drops the initialization handshake, and hardens authorization with OAuth 2.1, Resource Indicators, issuer verification, and new extension handling, according to WorkOS. The shift makes AI agent authentication more enterprise-ready, but it also exposes hidden session dependencies and confused-deputy risks that many MCP deployments were not built to absorb.
NHIMG editorial — based on content published by WorkOS: The biggest MCP spec update ships July 28 and what it changes for AI agent authentication
By the numbers:
- The final specification ships on July 28, 2026.
Questions worth separating out
Q: How should security teams migrate MCP servers away from session-based trust?
A: Security teams should replace protocol sessions with explicit application handles, request-scoped authorization, and server-side validation that does not depend on sticky routing.
Q: Why do Resource Indicators matter for MCP authorization?
A: Resource Indicators matter because they bind a token request to a specific MCP server, which reduces confused-deputy risk and token replay across different resources.
Q: What breaks when MCP clients and servers still assume sticky sessions?
A: Sticky-session assumptions break routing, scaling, and identity validation when the protocol no longer maintains connection-bound state.
Practitioner guidance
- Audit session dependencies now Map every place your MCP servers still rely on Mcp-Session-Id, sticky routing, or shared session storage, then replace them with explicit handles and request-scoped identity checks.
- Harden token audience and issuer checks Require Resource Indicators, validate issuer binding on every authorization response, and re-register clients when a resource migrates between authorization servers.
- Rework extension governance Treat MCP Apps and Tasks as negotiated capabilities that require approval, logging, and lifecycle review before they are enabled in production.
What's in the full article
WorkOS's full article covers the implementation detail this post intentionally leaves at the protocol and governance level:
- Step-by-step migration guidance for replacing session-dependent MCP code with explicit handles and request-scoped state.
- Concrete authorization implementation details for OAuth 2.1, Protected Resource Metadata, and Client ID Metadata Documents.
- Practical notes on updating MCP clients to send the new headers and validate issuers correctly.
- The specific extension lifecycle changes for Tasks and MCP Apps that implementers need before production rollout.
👉 Read WorkOS's analysis of the MCP 2026-07-28 authentication changes →
MCP 2026-07-28: what changes for AI agent authentication?
Explore further
Stateless protocol design is now an identity governance control, not just an architecture preference. MCP's removal of protocol sessions shifts trust from connection state to per-request identity, which makes authorization decisions more explicit and more inspectable. That helps governance, but it also means any implementation still depending on hidden session continuity is now carrying technical debt in the identity layer. Practitioners should treat protocol statelessness as a control boundary that must be validated, not assumed.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- Only 44% have implemented any policies to govern AI agents, even though 92% agree governing them is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when an MCP extension changes approval or audit behaviour?
A: Accountability stays with the team operating the server, the client, and the authorization layer, because negotiated extensions still become part of the control environment. The extension model does not remove governance responsibility. If an extension alters consent, logging, or task flow, it must be treated as a security-relevant change.
👉 Read our full editorial: MCP 2026-07-28 rewrites AI agent authentication and sessions