On this page
MCP Architecture Explained
The July 2026 Model Context Protocol (MCP) stateless specification removes core session and handshake features, requiring unplanned migration work for most existing remote MCP deployments. While it simplifies horizontal scaling, it shifts security responsibilities to development teams and introduces new attack surfaces, with total migration and operational costs often matching or exceeding self-hosted expenses for mid-market teams.
MCP Architecture Explained: What the July 2026 Stateless Spec Actually Changes
110 million monthly SDK downloads, and the protocol just broke its own foundation. In April 2026, the Model Context Protocol (MCP) hit a download velocity that took React three years to match—yet the real story isn’t adoption. It’s the July 28, 2026 specification that deletes sessions entirely, strips out the initialize handshake, and forces every production MCP deployment to rewrite its core assumptions about state, security, and scaling. If you’re running remote MCP servers today, you’re not upgrading. You’re migrating.
This is what I call the Protocol-Ecosystem Gap: MCP’s rapid transition from local developer tooling to enterprise production infrastructure has created a systemic operational chasm. The protocol’s widespread standardization masks opaque pricing variance, ungoverned Shadow MCP sprawl running 3–10× above IT estimates, and now a mandatory breaking spec change that forces unplanned migration work before production-ready operational tooling is widely available. Let’s walk through what actually changed, what it costs, and whether the stateless “upgrade” is an improvement at all.
The Three Roles and Transport Modes Still Matter—But Differently
MCP architecture still consists of three roles: the host (the AI application the user interacts with), the client (which lives inside the host and manages connections to servers), and the server (which exposes tools and data to the AI). The MCP architecture consists of three roles—host, client, and server—and that hasn’t changed. What changed is how they communicate.
The protocol supports three transport modes, and your hosting decision follows directly from which you choose:
- stdio: Local subprocess communication with zero network surface and zero hosting cost. This is how Claude Desktop configs work—
command: "node",args: ["./my-server.js"], done. Great for personal tools, anything you don’t want exposed to the internet. - HTTP with Server-Sent Events (SSE): Requires a long-lived connection and is vulnerable to serverless platform timeouts of 10–60 seconds. This was the original networked transport, and it’s still what most public MCP servers use today.
- Streamable HTTP: A bidirectional endpoint that enables stateless mode and unlocks serverless and edge deployments. This is where the July 2026 spec does its work.
The MCP supports three transport modes—stdio, HTTP with SSE, and Streamable HTTP—and the July spec fundamentally rewrites the rules for the last two. If you’re on SSE, you’re in the crosshairs. If you’re on Streamable HTTP but still relying on session state, you’re about to discover your architecture is legacy.
What “Stateless” Actually Means in the July 28 Spec
The 2026-07-28 MCP specification makes the protocol stateless at the protocol layer by removing the initialize/initialized handshake (SEP-2575) and the Mcp-Session-Id header (SEP-2567). Protocol version, client info, and client capabilities now travel in the _meta field on every request. The server/discover method replaces the initialize handshake as the mechanism for clients to fetch server capabilities up front.
Practically, this means:
| Before (2025-11-25) | After (2026-07-28) |
|---|---|
Multi-step initialize handshake | Single self-contained request |
Mcp-Session-Id pins to server instance | No session ID; any instance handles any request |
| Sticky sessions required | Plain round-robin load balancing works |
| Gateway must inspect JSON body for routing | Streamable HTTP transport now requires Mcp-Method and Mcp-Name headers for routing without body inspection |
The stateless core change allows MCP to run behind plain round-robin load balancers without sticky sessions or shared session stores. This is genuinely simpler for horizontal scaling—if your servers were already stateless. If they weren’t, you have engineering work to do.
Here’s the contrarian take that gets lost in the marketing: the July 2026 spec’s widely touted stateless upgrade, framed as a scalability improvement, will impose unplanned near-term costs on the majority of existing remote MCP deployments. Teams are racing to rewrite session-dependent code and implement new security validations before the cutover. For many, 2026 is becoming the most expensive year for MCP operations despite the protocol’s open-source, “free” branding.
The Security Tradeoff Nobody’s Advertising
The 2026-07-28 spec mandates OAuth 2.1 with PKCE, removes legacy password and implicit grants, and includes a 12-month deprecation window for legacy protocol versions. On paper, this is stronger. In practice, security responsibility just shifted downward.
The old spec had protocol-managed sessions. Steal a session ID, you could impersonate a user. The new spec eliminates that vector—and introduces new ones. Without sessions, the protocol issues tracking identifiers and state objects that the server hands to the client, which passes them back to resume a workflow. The client now holds the keys to task state. If a server uses predictable tracking IDs or fails to validate returned state objects, an attacker can hijack another user’s active workflow, access data belonging to a different agent, or trigger unauthorized cross-tenant actions.
The spec warns developers to verify these objects but doesn’t standardize how. That’s implementation work for your team.
New MCP-specific HTTP headers—MCP-Method, MCP-Name, and others—introduce protocol confusion (Desync) attacks and data leakage via headers. If developers map sensitive inputs like API keys or tokens into these headers, those secrets become visible to every load balancer, proxy, and logging system along the path.
So which is it? Does the stateless spec improve or degrade security?
| Evidence for “improves” | Evidence for “degrades” |
|---|---|
| Eliminates session hijacking risks | Shifts state tracking to client-controlled objects |
| Removes unsolicited server-initiated prompts | Introduces new header-based attack surfaces (Desync, data leakage) |
| Enforces mandatory OAuth 2.1 with stricter issuer verification | Leaves security validation implementation to individual developers |
The answer depends entirely on your team’s security engineering depth. Large enterprises with dedicated security teams will implement this correctly. Mid-market teams without that specialization are taking on new attack surface they may not recognize.
Managed Services: The Cost Illusion
Major cloud providers (AWS, Google Cloud, and Databricks) offer managed MCP server services as of mid-2026. AWS’s offering is available at no additional charge beyond AWS resource usage. Google launched remote MCP servers for Gemini Enterprise with Cloud IAM integration. Databricks has managed MCP servers in public preview with Unity Catalog governance.
This looks like relief from self-hosting complexity. It isn’t necessarily relief from cost.
Managed services eliminate DevOps overhead—SSL certificates, uptime monitoring, infrastructure scaling. But they don’t reduce the largest total cost drivers: token spend, data residency surcharges, and spec migration work. These are either passed through or added as overages. For mid-sized teams, total cost of ownership ends up nearly identical to self-hosted.
Here’s a comparison of what we actually know:
| Provider | Pricing Model | What You Still Pay For | Best Fit |
|---|---|---|---|
| AWS MCP Server | No additional platform fee; pay for AWS resources used | Token spend, data transfer, compute, storage | Teams already deep in AWS with infrastructure staff |
| Databricks Managed MCP | Public preview; no published pricing | Unity Catalog, compute, token spend | Teams already on Databricks with governance requirements |
| Google Gemini Enterprise MCP | Included with Agent Platform API activation | Google Cloud resources, token spend, potential egress | Teams standardizing on Google Cloud AI stack |
| Self-hosted (VPS/Docker) | $5–published pricing per server per Fastio | All infrastructure, all DevOps, all security implementation | Teams with dedicated infrastructure staff and strict data residency needs |
The managed vs. self-hosted tension resolves differently based on team size and existing cloud commitments. If you’re already paying for Databricks or Google Cloud, the incremental platform fee may be zero. If you’re not, you’re buying into an ecosystem to solve a protocol problem.
The Real Cost Stack: What “MCP Server Pricing” Hides
MCP server pricing is the most opaque line item in the 2026 AI agent stack. Five different vendors price five different ways—per tool, per call, per seat, per workspace, or flat-rate with warehouse included—and the headline sticker rarely matches what you actually pay after token costs, EU-hosting premiums, and overage charges.
Peliqan offers a €150/month flat-rate annual plan. Pipedream uses credit-based pricing. Zapier’s multi-step workflows carry 5-10× cost overhang at 50,000 tasks/month.
But these platform fees are rounding errors against token spend. Mid-market teams running Sonnet across 12 connectors regularly burn €20,000–€80,000/year in Anthropic alone before platform costs even enter the equation. The “MCP server cost” keyword hides a measurement problem: you’re pricing the platform, connectors, tokens, storage, dev time, and maintenance as if they were a single number.
For EU teams specifically, my view is that mid-market organizations budgeting for MCP in 2026 should assume total annual costs of at least €150,000 when accounting for token spend, July 2026 spec migration work, and data residency surcharges. The low headline platform fees advertised by most vendors are a misleading signal that excludes the largest cost drivers.
The Shadow MCP Problem You Haven’t Audited Yet
MCP SDKs (Python and TypeScript) reached approximately 110 million monthly downloads by April 2026, and the protocol was donated to the Agentic AI Foundation under the Linux Foundation. That adoption curve is genuine. What’s also genuine is the governance gap.
Shadow MCP—unsanctioned MCP servers running on developer laptops, personal cloud accounts, or ungoverned SaaS—is running 3–10× above IT estimates in most organizations. Every local stdio server configured for Claude Desktop, every experimental remote server spun up on a developer’s personal AWS account, every “temporary” integration that became load-bearing: these bypass procurement, security review, and audit trails.
The July 2026 spec makes this worse before it makes it better. The migration window creates pressure to “just get it working,” which drives more shadow infrastructure. The stateless model’s simplified scaling makes it easier to deploy without governance. And the new MCP Apps and Tasks extensions expand what’s possible to build without expanding what’s monitored.
Cloudflare’s approach to this—using their gateway for Shadow MCP detection—is instructive. But most teams don’t have a Cloudflare-scale infrastructure team to build custom detection.
Decision Framework: Should You Migrate Before July 28?
Here’s how to think about it:
Migrate immediately if:
- You’re running remote HTTP servers with session-dependent code
- You have sticky session or shared session store dependencies
- Your load balancers currently route based on
Mcp-Session-Id
Can wait if:
- You’re stdio-only, local to the client
- Your SDK upgrade path absorbs the lifecycle change
- You have no remote HTTP exposure
Budget for unplanned work if:
- You’re mid-market with limited security engineering
- You have EU data residency requirements
- You’re currently on SSE transport (vulnerable to serverless timeouts, and superseded by Streamable HTTP)
The open standard eliminates N×M integration work, but imposes mandatory migration and re-engineering costs every time the spec is revised. For teams with low deployment volume, these recurring migration costs erode long-term savings. The July 2026 breaking change is the first major one. It won’t be the last.
The managed services pitch is real for some: they remove self-hosting DevOps overhead and improve reliability. But they fail to reduce the largest total cost drivers, which are passed through or added as overages. For mid-sized teams, TCO is nearly identical to self-hosted.
What’s Actually Worth Watching
The July 28 spec introduces two extensions beyond the stateless core: MCP Apps for server-rendered interactive HTML interfaces hosted in sandboxed iframes, and a Tasks extension that handles long-running work through server-to-client InputRequiredResult and requestState patterns. These are additive, not breaking, but they expand the protocol’s surface area in ways that will create new governance questions.
The 12-month deprecation window for legacy protocol versions means you have time, but also that you’ll be maintaining dual-path code for longer than you want. SDK v2 betas are available for Python and TypeScript, with Go and C# in beta. The TypeScript v2 packages are new package names with no stable release yet—installing them is itself the opt-in.
If you’re building new today, start with the stateless model. If you’re maintaining existing remote servers, the migration work is unavoidable and the timeline is now shorter than it looks.
The stateless spec is technically cleaner. Whether it’s operationally better depends on whether your organization has the engineering depth to absorb security responsibilities the protocol used to handle. For teams without dedicated MCP security expertise—a category that describes most mid-market adopters—the July 2026 change trades one set of problems for another, more subtle set. The load balancer gets simpler. The application code gets more complex. And the gap between protocol promise and production reality widens until you close it yourself.